BYPASSING SECURITY RESTRICTIONS
THE CASE OF CVE-2018-5955
Whoami
• Adam Nurudini
CEH, ITIL V3, CCNA, CCNP, CASP, PCI-DSS, BSC-IT
Lead Security Researcher @ Netwatch Technologies
Project Consultant, Information Security Architects Ltd
Member, Cybersecurity Resilience Service Team
Web Application Penetration Tester
INTRODUCTION
This presentation describes an unauthenticated REST action in GitStack that lets a remote
attacker add new users and, from there, achieve remote code execution on the server.
Description
An issue was discovered in GitStack through 2.3.10. User controlled input is not
sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via
the username and password fields to the rest/user/ URI.
CVE-ID
CVE-2018-5955
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5955
Vulnerability Disclosed by:
An independent security researcher, Kacper Szurek, reported the vulnerability to Beyond Security's SSD (SecuriTeam Secure Disclosure) program.
Vendor response
“Since October 17, 2017, we have tried to contact GitStack many times and have received a response, but they have not
provided details about a solution or workaround.”
• GitStack is a web application that lets you set up your own private Git server on Windows.
• This means you can run a version control system without prior Git knowledge.
• GitStack makes it easy to secure and keep your server up to date. It is built on top of the
genuine Git for Windows and is compatible with any other Git client. GitStack is completely
free for small teams.
Source: https://nvd.nist.gov/vuln/detail/CVE-2018-5955
EXPLOIT AVAILABILITY
https://www.exploit-db.com/exploits/43777/
https://www.rapid7.com/db/modules/exploit/windows/http/gitstack_rce
UPCLOSE WITH CVE-2018-5955
In vulnerable versions of GitStack, a flaw in Authentication.class.php (the HTTP Basic
authentication handler of the repository web interface) allows unauthenticated remote code
execution: $_SERVER['PHP_AUTH_PW'], the password taken from the Basic Authorization
header, is passed directly to an exec() call, so shell metacharacters in the password are
executed on the server.
To exploit the vulnerability, the repository web interface must be enabled, a repository must
exist, and a user must have access to that repository. None of these is an obstacle: the
unauthenticated REST API supplies all three.
Note: GitStack keeps its local user accounts in a passwd file. Default location:
C:\GitStack\data\passwdfile.
Once the attacker has added a user to the server, the same unauthenticated API lets them
enable the repository web interface.
The attacker can then create a repository remotely and restrict access to it so that only the
attacker's own user can reach it. Through that repository the attacker plants a backdoor and
uses it to execute code. Step by step:
1. View users
A GET request to http://$IP/rest/user/ returns the list of GitStack users without any
authentication: an unauthenticated information disclosure, and the quickest way to confirm a
vulnerable instance.
2. Create user
A POST to the same http://$IP/rest/user/ URI with username and password fields creates the
user directly; because nothing authenticates the caller, anyone can add arbitrary users.
3. Create a repository arbitrarily
A POST carrying a name to http://$IP/rest/repository/ creates the corresponding project
(repository). This request does require a CSRF token in the POST data, but the token is not a
secret: fetch the login page, e.g. http://$IP/registration/login/?next=/gitstack/, and read the
token from the page source.
4. Add user to any repository
A POST in the following format grants the user access to the repository, again without
authentication:
POST http://$IP/rest/repository/<repository name>/user/<user name>/
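A non-destructive way to confirm the exposure behind steps 1 to 4 is to send only the step 1 request and inspect the answer. The checker below is an added example written for this page; it is not code from the presentation, from GitStack, or from the Exploit-DB and Metasploit modules linked above. It assumes that a vulnerable instance answers an unauthenticated GET /rest/user/ with HTTP 200 and a JSON array of usernames (the exact response format is an assumption), and it never issues the state-changing POST requests of steps 2 to 4.

```python
"""Non-destructive exposure check for the unauthenticated GitStack REST API.

Added example for this page; not code from the presentation, from GitStack
or from the public exploits it links. It sends only the step 1 request
(GET /rest/user/ with no credentials) and never creates users or
repositories. Assumption: a vulnerable instance answers with HTTP 200 and
a JSON array of usernames.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Finding:
    exposed: bool
    reason: str
    users: list = field(default_factory=list)


def assess_user_listing(status: int, body: bytes) -> Finding:
    """Decide from one HTTP response whether rest/user/ leaks the user list.

    Only a 200 whose body is a JSON list of strings counts as exposed.
    401/403 (authentication enforced), 404 (API absent), HTML bodies
    (login page, proxy error page) and malformed JSON are reported as
    not exposed, with the reason, so the operator can tell them apart.
    """
    if status in (401, 403):
        return Finding(False, f"HTTP {status}: authentication enforced")
    if status != 200:
        return Finding(False, f"HTTP {status}: rest/user/ not served")
    text = body.decode("utf-8", "replace").strip()
    if text.startswith("<"):
        return Finding(False, "HTTP 200 but HTML body (login page or proxy?)")
    try:
        data = json.loads(text)
    except ValueError:
        return Finding(False, "HTTP 200 with unparsable JSON")
    if not isinstance(data, list) or not all(isinstance(u, str) for u in data):
        return Finding(False, "JSON body is not a list of usernames")
    return Finding(True, f"user list returned without authentication ({len(data)} entries)", data)


def check_host(base_url: str, timeout: float = 5.0) -> Finding:
    """Live check: GET <base_url>/rest/user/ with no Authorization header."""
    url = base_url.rstrip("/") + "/rest/user/"
    req = urllib.request.Request(url, headers={"User-Agent": "gitstack-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_user_listing(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return assess_user_listing(err.code, err.read())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    finding = check_host(target)
    print(("EXPOSED: " if finding.exposed else "not exposed: ") + finding.reason)
    for name in finding.users:
        print("  user:", name)
```

Run it as `python check.py http://host` against an instance you are authorised to test. A "user list returned" verdict is the step 1 information disclosure on its own, regardless of whether the web interface is enabled; "authentication enforced" is what a fixed or properly firewalled deployment should produce.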
Remote command execution vulnerability
Once the repository web interface is enabled (the attacker can enable it through the same
unauthenticated REST API, as noted above), it is reachable at http://$IP/web/index.php.
A user created through the REST API and granted access to a repository can authenticate to it
with HTTP Basic auth; because the supplied password reaches exec() unsanitised in
Authentication.class.php, the attacker can plant a reverse shell payload on the server and
compromise both the web application and the host running it.
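For the defensive side, the chain above is easy to recognise in the access log of the web server in front of GitStack, because every stage is a distinct request. The detector below is an added example for this page, not part of the presentation or of any GitStack tooling. It correlates, per client address, the REST calls named in steps 1 to 4 and the access to /web/, raises when several stages occur within a ten-minute window, and separately flags any state-changing REST call from a source outside an administrator allow-list. The log lines are constructed for the example in Apache combined format; the allow-list, the window length and the stage names are assumptions.

```python
"""Detect the CVE-2018-5955 request chain in web-server access logs.

Added example for this page; not part of the presentation or of any
GitStack or vendor tooling. Correlates, per client IP, the REST calls the
slides list (GET/POST rest/user/, POST rest/repository/..., /web/ access).
The sample log lines are constructed; ADMIN_SOURCES and WINDOW are
hypothetical settings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Stages of the chain, in the order the slides present them.
STAGES = (
    ("enumerate_users", "GET", re.compile(r"^/rest/user/?$")),
    ("create_user", "POST", re.compile(r"^/rest/user/?$")),
    ("create_repo", "POST", re.compile(r"^/rest/repository/?$")),
    ("grant_repo_access", "POST", re.compile(r"^/rest/repository/[^/]+/user/[^/]+/?$")),
    ("web_interface", "GET", re.compile(r"^/web/")),
)

ADMIN_SOURCES = {"10.0.0.5"}      # hypothetical: hosts allowed to manage GitStack
WINDOW = timedelta(minutes=10)    # hypothetical correlation window

# Constructed sample: one attacker chain, one admin session, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:01:02 +0000] "GET /rest/user/ HTTP/1.1" 200 31 "-" "python-requests/2.18"
203.0.113.7 - - [12/Mar/2018:10:01:03 +0000] "POST /rest/user/ HTTP/1.1" 200 16 "-" "python-requests/2.18"
203.0.113.7 - - [12/Mar/2018:10:01:05 +0000] "POST /rest/repository/ HTTP/1.1" 200 22 "-" "python-requests/2.18"
203.0.113.7 - - [12/Mar/2018:10:01:06 +0000] "POST /rest/repository/r1/user/u1/ HTTP/1.1" 200 18 "-" "python-requests/2.18"
203.0.113.7 - u1 [12/Mar/2018:10:01:08 +0000] "GET /web/index.php HTTP/1.1" 200 511 "-" "python-requests/2.18"
10.0.0.5 - - [12/Mar/2018:09:30:00 +0000] "GET /rest/user/ HTTP/1.1" 200 31 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2018:09:30:20 +0000] "POST /rest/user/ HTTP/1.1" 200 16 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2018:11:00:00 +0000] "GET /gitstack/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    path = m["path"].split("?", 1)[0]  # match on the path only, ignore the query string
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": path, "status": int(m["status"])}


def classify(event):
    """Return the chain stage an event belongs to, or None."""
    for name, method, pattern in STAGES:
        if event["method"] == method and pattern.match(event["path"]):
            return name
    return None


def detect(lines, min_stages=3):
    """Return (ip, message) alerts: one chain alert per IP that completed at least
    min_stages stages within WINDOW, plus one alert per state-changing REST call
    from a source outside ADMIN_SOURCES."""
    alerts = []
    timeline = defaultdict(list)  # ip -> [(timestamp, stage)]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage is None:
            continue
        if ev["method"] == "POST" and ev["ip"] not in ADMIN_SOURCES:
            alerts.append((ev["ip"], f"unexpected {stage} via POST {ev['path']} (HTTP {ev['status']})"))
        timeline[ev["ip"]].append((ev["ts"], stage))
    for ip, events in timeline.items():
        events.sort()
        for i, (start, _stage) in enumerate(events):
            seen = {s for t, s in events[i:] if t - start <= WINDOW}
            if len(seen) >= min_stages:
                hit = ", ".join(n for n, _m, _p in STAGES if n in seen)
                alerts.append((ip, "CVE-2018-5955 chain: " + hit))
                break
    return alerts


if __name__ == "__main__":
    for ip, msg in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {msg}")
```

The administrator allow-list matters because the GitStack admin UI drives the same REST endpoints, so a bare "POST to /rest/" rule would fire on legitimate use; the per-source chain correlation is the lower-noise signal, and the sample run flags only 203.0.113.7.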
DEMO | 5mins
PROACTIVE REMEDIATION
Focus on development best practices such as the
OWASP Top 10 Application Security Risks – 2017.
In this scenario the presenter maps the issue to
A2:2017 Broken Authentication (the REST API authenticates nobody)
A5:2017 Broken Access Control (any caller can add users and grant repository access)
A6:2017 Security Misconfiguration (REST API and repository web interface reachable by unauthenticated clients)
Because the vendor had provided no fix or workaround at the time of disclosure (see the vendor
response above), the practical mitigation is to keep the GitStack REST API and web interface off
untrusted networks and to audit the user list for accounts you did not create.
Thank You
Questions & Answers

GitStack 0day. Remote code execution - Adam Nurudini
