Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Securing Developer Tools: Unpatched Code Vulnerabilities in Gogs - 1449

SonarSource (Paul and Thomas), posted 1 year ago
  • Gogs is an open source solution for self-hosting source code, with functionality similar to GitHub and GitLab. Under the hood, Gogs lets users push to and pull from Git repos over SSH, relying on the Go package golang.org/x/crypto/ssh for the complicated parts. On top of that functionality, Gogs adds its own authorization checks.
  • When interacting with the SSH server for Git, there are two types of requests: env requests and shell requests. An env request calls the env command to set environment variables. Although the code protects against command injection, it does NOT protect against its cousin, argument injection: we can control the arguments passed to the env command!
  • Well, sort of. The actual code concatenates a key and a value with an equals sign, and the only validation is an empty-string check on the value. So we need an argument that tolerates the equals sign and is still valid. Looking around, the --split-string flag of env can be used to form a proper command AND get command execution. So connecting over SSH gives RCE on the server!
  • The actual exploitation requires a tricky scenario. First, SSH has to be enabled (it is not on by default). Second, the attacker needs a valid SSH key, or self-registration needs to be turned on. Finally, the version of the env binary matters: the Alpine Linux version wasn't exploitable, for instance.
  • They found three other vulnerabilities in the next blog post. The next argument injection was within the git diff command. Using the undocumented --output flag, we can open and close an arbitrary file; by forcing the command into an error path, the file ends up empty.
  • This is where things get wild! If the .git/HEAD file is corrupted, the repo is treated as a bare repo. If the Git repo is under our control, we can add malicious config (such as core.fsmonitor) to get code execution on the next Git command that runs.
  • The next argument injection was in git tag. By specifying the --file flag on the command, the file's contents are used as the tag message. In a later command, just read the tag message back for an arbitrary file read. This was not mentioned in the article but was included on their argument injection vectors site.
  • The final vulnerability was simple file deletion, no directory traversal needed! By deleting .git/HEAD from a repo, it's treated as a bare repo. For whatever reason, bare repos have special files that do things like execute code. So, using the same primitive as in the second argument injection, code execution is easy.
  • git is scary and so is argument injection. Great blog on an undervalued bug class!
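The two root causes in the summaries above (an env key/value joined with "=" where only the value is checked, and user-controlled refs or paths reaching git where a leading dash turns them into options) share one fix: validate positional data before it is handed to a child process, and use the "--" end-of-options marker where the subcommand allows it. The Go program below is an added example written for this page, not code from Gogs or from the SonarSource write-up; the function names, the allowlist pattern for env keys, and the sample inputs are all this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrArgumentInjection is returned when user-controlled input would be parsed
// by the child process as an option rather than as data.
var ErrArgumentInjection = errors.New("argument injection rejected")

// envKeyPattern is a strict allowlist for environment variable names. Anything
// that fails it (including a key starting with "-") never reaches env as a
// flag. The pattern is this example's own choice, not Gogs' code.
var envKeyPattern = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// buildEnvArgUnsafe mirrors the flawed pattern described above: key and value
// are joined with "=" and only the value is checked for emptiness, so the key
// itself is free to start with "-" and be parsed by env as an option.
func buildEnvArgUnsafe(key, value string) (string, bool) {
	if value == "" {
		return "", false
	}
	return key + "=" + value, true
}

// BuildEnvArg is the hardened form: the key must match the allowlist and the
// value may not be empty or contain bytes that would end or split the argument.
func BuildEnvArg(key, value string) (string, error) {
	if !envKeyPattern.MatchString(key) {
		return "", fmt.Errorf("%w: env key %q is not a plain variable name", ErrArgumentInjection, key)
	}
	if value == "" || strings.ContainsAny(value, "\x00\n") {
		return "", fmt.Errorf("%w: env value for %q is empty or contains NUL/newline", ErrArgumentInjection, key)
	}
	return key + "=" + value, nil
}

// checkPositional rejects any user-controlled git argument that option parsing
// could consume: empty values, a leading "-", or an embedded NUL byte.
func checkPositional(arg string) error {
	if arg == "" || strings.HasPrefix(arg, "-") || strings.ContainsRune(arg, 0) {
		return fmt.Errorf("%w: %q would be parsed as an option", ErrArgumentInjection, arg)
	}
	return nil
}

// GitArgs assembles argv for a git subcommand from three groups: options chosen
// by the server (never by the user), user-controlled refs, and user-controlled
// paths. Refs and paths are validated, and "--" is placed before the paths so
// git stops option parsing there. Refs must precede "--" for subcommands such
// as diff, which is why they are validated rather than protected by the marker.
func GitArgs(subcommand string, serverOpts []string, refs []string, paths []string) ([]string, error) {
	for _, r := range refs {
		if err := checkPositional(r); err != nil {
			return nil, err
		}
	}
	for _, p := range paths {
		if err := checkPositional(p); err != nil {
			return nil, err
		}
	}
	argv := append([]string{subcommand}, serverOpts...)
	argv = append(argv, refs...)
	if len(paths) > 0 {
		argv = append(argv, "--")
		argv = append(argv, paths...)
	}
	return argv, nil
}

func main() {
	// Constructed inputs: an ordinary variable name and a key that is really a flag.
	for _, key := range []string{"GIT_PROTOCOL", "--split-string"} {
		unsafe, _ := buildEnvArgUnsafe(key, "x")
		_, err := BuildEnvArg(key, "x")
		fmt.Printf("key=%-16q unsafe=%-22q hardened_err=%v\n", key, unsafe, err)
	}
	argv, err := GitArgs("diff", []string{"--stat"}, []string{"HEAD~1", "HEAD"}, []string{"README.md"})
	fmt.Println(argv, err)
	// A flag-shaped "tag name" is refused before git ever sees it.
	_, err = GitArgs("tag", nil, []string{"--file=x"}, nil)
	fmt.Println(err)
}
```

The unsafe builder is kept only to show the contrast: it happily returns a string whose "key" is a flag, while the hardened builder fails closed. On the git side, the deny rule on a leading dash is deliberately broader than a list of known dangerous flags (--output, --file), because the write-up shows that new flags keep turning up and the safe set of positional values simply never needs to start with "-".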