lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 15 Jan 2018 15:40:57 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – GitStack Unauthenticated Remote Code Execution

SSD Advisory – GitStack Unauthenticated Remote Code Execution

Write-up: https://blogs.securiteam.com/index.php/archives/3557


Vulnerability Summary
The following advisory describes an unauthenticated action that allows a
remote attacker to add a user to GitStack and then used to trigger an
unauthenticated remote code execution.

GitStack is “a software that lets you setup your own private Git server for
Windows. This means that you create a leading edge versioning system
without any prior Git knowledge. GitStack also makes it super easy to
secure and keep your server up to date. GitStack is built on the top of the
genuine Git for Windows and is compatible with any other Git clients.
GitStack is completely free for small teams.”

Credit
An independent security researcher, Kacper Szurek, has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We tried to contact GitStack since October 17 2017, repeated attempts to
establish contact were answered, but no details have been provided on a
solution or a workaround.

Vulnerability details
User controlled input is not sufficiently filtered, allowing an
unauthenticated attacker can add a user to GitStack server by sending the
following POST request:
===
1
2
http://IP/rest/user/
data={'username' : username, 'password' : password}

===

Once the attacker has added a user to the server, he can enable the web
repository feature.

Now the attacker can create a repository from remote and disable access to
our new repository for anyone else.

In the repository the attacker is allowed to upload a backdoor and use it
to execute code:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ