Gitea RCE via fake JWT, race condition and git hooks chain
https://updatesinfosec.blogspot.com/2018/07/gitea-rce-via-fake-jwt-race-condition.html
In summary:
First, we use the error in the GIT LFS implementation to get the contents of the app.ini file. Then, from this file we read SECRET, which can be used to sign JWT tokens. Thanks to that, we are able to send a falsified session file of a user.
We create a new repository using our newly created administrator session. We need an administrator account because only the administrator can modify git hooks. The update hook is going to contain our malicious code to be executed on the server. Then, all that is needed to run this code is to push any source code change to the repository.
We now know how the attack on the server will look in theory. Now I will discuss its individual elements in detail. [...]
Kindly refer to the following link as a follow-up:
https://ift.tt/2KMLlHS
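
A defender's check for the last step of the chain, as an added example that is not part of the original post: it lists every server-side hook file under a repository root whose SHA-256 is not in an operator-supplied allowlist. The `<name>.d` delegate directory layout, the function names and the allowlist are assumptions of this example.

```python
import hashlib
import stat
from pathlib import Path

# Hooks git runs on the receiving (server) side when a push arrives.
SERVER_HOOKS = ("pre-receive", "update", "post-receive")


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _candidates(hooks_dir):
    """Yield hook files git, or a <name>.d delegate directory, could run."""
    for name in SERVER_HOOKS:
        direct = hooks_dir / name
        if direct.is_file():
            yield direct
        # Assumed layout: a delegate hook that runs every script in <name>.d/
        delegate_dir = hooks_dir / (name + ".d")
        if delegate_dir.is_dir():
            yield from sorted(p for p in delegate_dir.iterdir() if p.is_file())


def audit_hooks(repo_root, allowed_hashes):
    """Return (path, sha256, executable) for each server-side hook file
    whose content hash is not in allowed_hashes (the known-good set)."""
    findings = []
    for hooks_dir in sorted(Path(repo_root).rglob("hooks")):
        # Only treat it as a hooks directory if it sits next to a HEAD file,
        # which is true for bare repositories and for .git directories.
        if not hooks_dir.is_dir() or not (hooks_dir.parent / "HEAD").is_file():
            continue
        for hook in _candidates(hooks_dir):
            digest = _sha256(hook)
            if digest in allowed_hashes:
                continue
            # Report non-executable files too: they need only a chmod to run.
            executable = bool(hook.stat().st_mode & stat.S_IXUSR)
            findings.append((str(hook), digest, executable))
    return findings
```

Run it against the repository root with the hashes of the hook scripts the installation itself writes; any remaining finding is a hook someone added or changed and deserves review.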
