GitLab Pre-Auth RCE (CVE-2021-22205) Signature

As stated in the post, I don’t have a completed sig. I am not entirely sure how to sig on the injected code but I definitely think there is something here worth a sig.

Let me know, thanks!

Thanks for the share! I’ll review this submission and provide some notes afterwards.

1 Like

Hi cosmicgumbo,

Thanks again for the submission that covers GitLab Pre-Auth RCE (CVE-2021-22205). The provided signature is almost done and just needs the http request body content, as you mentioned.

From reviewing the provided CVE write ups, it appears that a solid signature should consider the following:

Covering DjVu specific content

Here are the request bodies provided in your submission. Let’s understand the content before “(metadata”.

Request Body Example #1

	(Copyright "\
" . qx{touch /tmp/test} . \
" b ") )

Request Body Example #2

(Author "\.". return `date`; #")

If we review documentation on DjVu from DjVu - Wikipedia, we note that we should try finding for DjVu documetaion for Version 26 or atleast dated closer to 2008,

The docs help us understand what to expect from parsing DjVu files:

  • DjVu file header start with these 4-bytes (0x41 0x54 0x26 0x54) == AT&T
  • DjVu file structure itself consists of 4-bytes chunks. It is expected that there will be a magic number (AT&T), FORM, a FORM length, then a secondary identifier. In relation to the provided request bodies we see the following identifiers…
  • INFO, info on DjVu page
  • ANTa or ANTz, info on annotations
  • BGjp, JPEG encoded background

OK, so what do we want to sig on? I would use…
http.request_body; content:“AT&TFORM”; offset:4; fast_pattern; content:“DJV”; offset:4; content:“ANT”;

This content targets DjVu file annotations.

Covering content backslash followed by a newline

Let’s consider the content after (metadata. We know that if a backslash followed by a newline is in the metadata, the RCE exists. I would say this needs to appear twice to allow the injected content to properly be parsed.

This Cyberchef recipe returns what “backslash followed by a newline” looks like in hex.

OK, so what do we want to sig on? I would use…
http.request_body; content:“(metadata”; content:“|5c 0a|” distance:0; content:“|5c 0a|” distance:0;

This content highlights the CVE.

The final rule to be submitted will be…
alert http $HOME_NET any → $EXTERNAL_NET any (msg:“ET EXPLOIT GitLab Pre-Auth RCE Detected (CVE-2021-22205)”; flow:established,to_server; http.method; content:“POST”; http.uri; content:“/uploads/user”; bsize:13; http.header_names; content:“X-CSRF-Token”; http.request_body; content:“AT&TFORM”; offset:4; fast_pattern; content:“DJV”; offset:4; content:“ANT”; content:“(metadata”; content:“|5c 0a|”; distance:0; content:“|5c 0a|”; distance:0; reference:url,,url,; classtype:trojan-activity;)


This rendered ET Open SID 2044201. Thanks @cosmicgumbo @bingohotdog !

1 Like