SSD Advisory – GitStack Unauthenticated Remote Code Execution

Credit to Author: SSD / Maor Schwartz| Date: Mon, 15 Jan 2018 12:22:25 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack and then used to trigger an unauthenticated remote code execution.

GitStack is “a software that lets you setup your own private Git server for Windows. This means that you create a leading edge versioning system without any prior Git knowledge. GitStack also makes it super easy to secure and keep your server up to date. GitStack is built on the top of the genuine Git for Windows and is compatible with any other Git clients. GitStack is completely free for small teams.”

Credit
An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We tried to contact GitStack since October 17 2017, repeated attempts to establish contact were answered, but no details have been provided on a solution or a workaround.

Vulnerability details
User controlled input is not sufficiently filtered, allowing an unauthenticated attacker can add a user to GitStack server by sending the following POST request:

Once the attacker has added a user to the server, he can enable the web repository feature.

Now the attacker can create a repository from remote and disable access to our new repository for anyone else.

In the repository the attacker is allowed to upload a backdoor and use it to execute code:

Proof of Concept

Print Friendly, PDF & Email

https://blogs.securiteam.com/index.php/feed