As stated in the post, I don’t have a completed sig. I am not entirely sure how to sig on the injected code but I definitely think there is something here worth a sig.
Let me know, thanks!
Thanks for the share! I’ll review this submission and provide some notes afterwards.
Hi cosmicgumbo,
Thanks again for the submission that covers GitLab Pre-Auth RCE (CVE-2021-22205). The provided signature is almost done and just needs the http request body content, as you mentioned.
From reviewing the provided CVE write-ups, it appears that a solid signature should consider the following:
Here are the request bodies provided in your submission. Let’s understand the content before “(metadata”.
Request Body Example #1
AT&TFORM...eDJVUINFO...
......,...BGjp....ANTa...?(metadata
(Copyright "\
" . qx{touch /tmp/test} . \
" b ") )
Request Body Example #2
AT&TFORM....DJVUANTa....(metadata.
(Author "\.". return `date`; #")
If we review documentation on DjVu from DjVu - Wikipedia, we note that we should try finding DjVu documentation for Version 26, or at least dated closer to 2008, https://www.cuminas.jp/docs/techinfo/DjVu3Spec.pdf.
The docs help us understand what to expect from parsing DjVu files:
OK, so what do we want to sig on? I would use…
http.request_body; content:"AT&TFORM"; offset:4; fast_pattern; content:"DJV"; offset:4; content:"ANT";
This content targets DjVu file annotations.
Let’s consider the content after (metadata. We know that if a backslash followed by a newline is in the metadata, the RCE exists. I would say this needs to appear twice to allow the injected content to properly be parsed.
This CyberChef recipe returns what “backslash followed by a newline” looks like in hex.
OK, so what do we want to sig on? I would use…
http.request_body; content:"(metadata"; content:"|5c 0a|"; distance:0; content:"|5c 0a|"; distance:0;
This content highlights the CVE.
The final rule to be submitted will be…
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT GitLab Pre-Auth RCE Detected (CVE-2021-22205)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploads/user"; bsize:13; http.header_names; content:"X-CSRF-Token"; http.request_body; content:"AT&TFORM"; offset:4; fast_pattern; content:"DJV"; offset:4; content:"ANT"; content:"(metadata"; content:"|5c 0a|"; distance:0; content:"|5c 0a|"; distance:0; reference:url,devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html,url,hackerone.com/reports/1154542; classtype:trojan-activity;)
This rendered ET Open SID 2044201. Thanks @cosmicgumbo @bingohotdog !
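To check the body-matching logic of the rule offline, here is an added example (not from this thread, and not ET's own code) that re-implements the http.request_body content chain in Python and runs it over constructed multipart upload bodies; the chunk length bytes and boundary string are placeholders, and only the first "(metadata" occurrence is tried, which is a simplification of Suricata's matching.

```python
def _multipart(djvu: bytes) -> bytes:
    """Wrap a constructed DjVu payload in a multipart/form-data body (placeholder boundary)."""
    return (
        b"------boundary\r\n"
        b'Content-Disposition: form-data; name="file"; filename="x.jpg"\r\n'
        b"Content-Type: image/jpeg\r\n\r\n" + djvu + b"\r\n------boundary--\r\n"
    )


def rule_matches(body: bytes) -> bool:
    """Approximate the rule's http.request_body checks.

    Contents without distance are absolute: offset:4 means the pattern may
    start at byte 4 or later. The two |5c 0a| contents use distance:0, so
    each must begin at or after the end of the previous match.
    """
    # content:"AT&TFORM"; offset:4; fast_pattern;  and  content:"DJV"; offset:4;
    if body.find(b"AT&TFORM", 4) < 0 or body.find(b"DJV", 4) < 0:
        return False
    # content:"ANT"; -> DjVu annotation chunk, matched anywhere in the body
    if body.find(b"ANT") < 0:
        return False
    # content:"(metadata"; -> anchor for the relative chain (first occurrence only)
    pos = body.find(b"(metadata")
    if pos < 0:
        return False
    pos += len(b"(metadata")
    # two consecutive content:"|5c 0a|"; distance:0; -> backslash followed by newline
    for _ in range(2):
        pos = body.find(b"\x5c\x0a", pos)
        if pos < 0:
            return False
        pos += 2
    return True


# Constructed samples: the DjVu header with placeholder chunk lengths, then an
# annotation with two backslash-newline sequences (the shape the rule looks
# for), one with a single sequence, and a plain annotation with none.
DJVU_HEADER = b"AT&TFORM\x00\x00\x00\x40DJVUANTa\x00\x00\x00\x30"
TWO_ESCAPES = _multipart(DJVU_HEADER + b'(metadata\n(Copyright "\\\n" . "x" . \\\n" b ") )')
ONE_ESCAPE = _multipart(DJVU_HEADER + b'(metadata\n(Copyright "\\\n text") )')
PLAIN = _multipart(DJVU_HEADER + b'(metadata\n(Copyright "Example Corp 2021") )')

if __name__ == "__main__":
    for name, sample in [("two escapes", TWO_ESCAPES), ("one escape", ONE_ESCAPE), ("plain", PLAIN)]:
        print(f"{name}: {'ALERT' if rule_matches(sample) else 'no match'}")
```

The single-escape sample shows why the rule asks for |5c 0a| twice: one backslash-newline alone does not satisfy the chain.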