Nowadays, companies and developers are fond of git-based version control platforms such as GitHub and GitLab.
Lately, the latter has been the target of some exploits.
Indeed, an RCE (Remote Code Execution) can currently be performed on GitLab by any registered user, and that includes any netsurfer if you let anyone register on your GitLab. Once registered, this malicious fellow is able to execute any code and access any file on your server that the git user can. In short, your server and all data reachable through the git user are compromised, and who knows what kind of malware or software has been installed and run. For now, it seems that this breach was used to exploit server resources to mine some crypto with the trendy xmrig, but who knows what else has been done.
Usually RCEs are made possible by downloaded malware, but in our case it was due to a lack of checks and validation in the GitLab source code and in ExifTool (Ed.: ExifTool is a tool for manipulating metadata in several types of files).
How is it performed?
Any registered user who can access and create a Snippet can perform this exploit by attaching a corrupted “jpg” file to it.
Then, what?
Once the jpg file is uploaded, it is passed to ExifTool to remove any non-whitelisted tags. Unfortunately, a combination of special characters can trick the validation and allow the malicious code to be executed. That code can then execute, read and modify any file accessible to the “git” unix user.
How to know if I am concerned?
It is hard to say, as the corrupted file is not kept on your server and no trace of any command can be seen; the hackers can cover their mischief quite easily.
But if you are running a version of ExifTool lower than 12.24 and a version of GitLab lower than 13.6.1, your GitLab and server are likely to be vulnerable.
Actually, a “good way” to know whether your GitLab and server are vulnerable would be to test the exploit yourself, as detailed here: https://gitlab.com/gitlab-org/gitlab/-/issues/327121.
As general advice, we would recommend you to:
- run up-to-date software and operating systems.
- check your auth.log to see if there is any unauthorized access.
- ban IPs making incessant unsuccessful connection attempts using fail2ban.
- check your CPU usage for any suspicious running processes using top.
- check the bash/sh command history.
- check the last incoming connections using last.
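Added example (not code from the article or from GitLab): a small POSIX shell triage script covering the checks in the list above, using the version thresholds given in this article and a constructed auth.log excerpt as sample input. The --live section assumes it is run as root on the server, that exiftool is on PATH, and that you export GITLAB_VERSION from your admin area beforehand.

```shell
#!/bin/sh
# Added triage helpers for the GitLab/ExifTool issue above; not from the article or GitLab.
# Thresholds are the article's (ExifTool < 12.24, GitLab < 13.6.1); log sample and paths are assumptions.

# version_lt A B: succeed when numeric dotted version A is strictly lower than B.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  return 1
}

# classify EXIFTOOL_VERSION GITLAB_VERSION: ExifTool is checked first because the
# article notes that a current GitLab alone does not stop the exploit.
classify() {
  if version_lt "$1" 12.24; then echo vulnerable-exiftool
  elif version_lt "$2" 13.6.1; then echo outdated-gitlab
  else echo patched; fi
}

# failed_logins_by_ip FILE: "Failed password" entries per source IP, busiest first
# (the pattern fail2ban bans on). Output lines look like "2 203.0.113.5".
failed_logins_by_ip() {
  grep 'Failed password' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed auth.log excerpt (TEST-NET addresses) used as sample input.
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Apr 20 10:01:02 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 20 10:01:05 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 20 10:02:11 srv sshd[1210]: Accepted publickey for git from 198.51.100.7 port 40000 ssh2
Apr 20 10:03:40 srv sshd[1222]: Failed password for git from 192.0.2.9 port 40500 ssh2
EOF

# Live checks from the article's list; run as root on the server with --live.
triage() {   # GITLAB_VERSION: export it from your admin area before running
  v=$(exiftool -ver 2>/dev/null) && echo "exiftool $v / gitlab ${GITLAB_VERSION:-0}: $(classify "$v" "${GITLAB_VERSION:-0}")"
  echo "--- failed-login sources"; failed_logins_by_ip /var/log/auth.log | head -n 5
  echo "--- top CPU consumers"; ps aux | sort -k3 -rn | head -n 6
  echo "--- recent logins"; last -n 10; echo "--- git user history"; tail -n 20 ~git/.bash_history 2>/dev/null
}

echo "sample classification: $(classify 12.23 13.8.0)"   # vulnerable-exiftool
failed_logins_by_ip "$SAMPLE_LOG"
if [ "${1:-}" = "--live" ]; then triage; fi
```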
How to fix?
First things first, disable your GitLab sign-up/register page.
Search for suspicious users and delete all unknown users.
And maybe, if your system is vulnerable, you should think of rebuilding your server from scratch and reviewing all commits made within your projects.
For now, while GitLab has been patched with more checks on files uploaded into snippets, the main issue lies in ExifTool. This means that installing the latest version of GitLab (version > 13.6.1) alone will not prevent this exploit from being performed.
You should update ExifTool, which has been patched as well.
GitLab issue: https://gitlab.com/gitlab-org/gitlab/-/issues/327121