Gitea RCE PoC using Migration Feature

This repository contains a Proof-of-Concept (PoC) demonstrating the exploitation of CVE-2022-30781, a remote command execution (RCE) vulnerability in Gitea versions prior to 1.16.7. The exploit abuses the repository migration feature together with git's --upload-pack option to achieve arbitrary command execution on the target system.

Overview

The PoC includes:

  • A FastAPI-based mock API server emulating a malicious Gitea instance.
  • A Docker Compose configuration for deploying a vulnerable Gitea instance.
  • A customizable RCE payload demonstrating arbitrary command execution.

Setup Instructions

Prerequisites

  • Python 3.8 or later
  • Poetry
  • Docker and Docker Compose

Installation

  1. Clone the repository:

    git clone https://github.com/yourusername/gitea-rce-poc.git
    cd gitea-rce-poc
  2. Install dependencies using Poetry:

    poetry install
  3. Run the mock server:

    poetry run uvicorn gitea_poc.routes:main --host 0.0.0.0 --port 80

Deploying the Vulnerable Gitea Instance

  1. Navigate to the deploy directory:

    cd deploy
  2. Start the Gitea instance using Docker Compose:

    docker-compose up -d
  3. The Gitea instance will be accessible at http://localhost:3001. Use this for testing the migration.

Testing the Exploit

  1. Start the mock API server and the Gitea instance.
  2. Log in to the vulnerable Gitea instance.
  3. Navigate to + > Migrate Repository.
  4. Set the Clone Address to the mock server URL (e.g., http://localhost:3000/testuser/testrepo).
  5. Tick the Pull Requests option so pull request data is migrated as well.
  6. Complete the migration process. The payload (touch /tmp/evilfile) will be executed on the Gitea server.

Expected Behavior

  • After the migration, the file /tmp/evilfile will be created on the Gitea server.

Customizing the Payload

The payload used in this PoC is defined in routes.py as RCE_PAYLOAD. To change the behavior of the exploit, modify the value of RCE_PAYLOAD in the file.

For example:

RCE_PAYLOAD = "echo 'Pwned!' > /tmp/pwned"

After modifying the payload, restart the mock server.

API Endpoints

The mock API server provides the following endpoints:

  • GET /api/v1/version: Returns the mocked Gitea version.
  • GET /api/v1/settings/api: Returns configuration settings.
  • GET /api/v1/repos/{owner}/{repo}: Provides repository information.
  • GET /api/v1/repos/{owner}/{repo}/topics: Returns repository topics.
  • GET /api/v1/repos/{owner}/{repo}/pulls: Returns pull request information with the malicious payload.
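As an added defensive counterpart (example code written for this page, not part of the PoC or of Gitea), the checks below cover the two things a defender wants to verify: whether a Gitea build falls in the affected range stated above, and whether a migration clone address, or a pull request head clone URL of the kind the /pulls endpoint above serves, would be handed to git as an option rather than as a remote URL. The patched version tuple, the allowed scheme list and the option-text pattern are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed for this example (not taken from the PoC): first fixed release per
# the affected range stated above, and the URL schemes a migration may use.
PATCHED_VERSION = (1, 16, 7)
ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}


def parse_version(version: str) -> tuple:
    """Turn strings like '1.16.6' or 'v1.16.6+dev' into a comparable int tuple."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Gitea version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True for any Gitea release before 1.16.7 (the affected range)."""
    return parse_version(version) < PATCHED_VERSION


def clone_address_issues(address: str) -> list:
    """Return the reasons a migration clone address must not reach git.

    The bug class is argument injection: a value that git parses as an
    option (a leading '-', or option text such as --upload-pack) instead of
    a remote URL. An empty list means the address passed every check.
    """
    issues = []
    value = address.strip()
    if value.startswith("-"):
        issues.append("starts with '-' and would be parsed as a git option")
    if "--upload-pack" in value:
        issues.append("contains --upload-pack option text")
    if any(ch in value for ch in "\r\n\x00") or any(ch.isspace() for ch in value):
        issues.append("contains whitespace or control characters")
    parsed = urlparse(value)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        issues.append("not an absolute URL with an allowed scheme")
    return issues


def is_safe_clone_address(address: str) -> bool:
    """Convenience wrapper: True only when no issue was found."""
    return not clone_address_issues(address)
```

Run the same checks against every externally supplied URL a migration consumes, not only the clone address typed into the form; the pull request head clone URL returned by the remote API is user-controlled in exactly the same way.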

Directory Structure

.
├── deploy/
│   ├── docker-compose.yml      # Docker Compose configuration for Gitea
│   └── gitea/                  # Configuration files for Gitea instance
├── gitea_poc/
│   ├── __init__.py
│   └── routes.py               # FastAPI mock server routes
├── tests/
│   └── main.py                 # Test scripts (if applicable)
├── poetry.lock
├── pyproject.toml              # Poetry configuration
└── README.md                   # This file

Disclaimer

This project is for educational and research purposes only. Use it responsibly and only with explicit permission. Exploiting this vulnerability without authorization is illegal and unethical.