Published on April 29th, 2020 📆 | 6378 Views ⚑0
GitLab awards researcher $20,000, patches remote code execution bug
GitLab has awarded a cybersecurity researcher $20,000 for reporting a serious remote code execution vulnerability on the platform.
Discovered by William “vakzz” Bowling, a programmer and bug bounty hunter, the vulnerability was privately disclosed through the HackerOne bug bounty platform on March 23.
Bowling said that GitLab’s UploadsRewriter function, used to copy files, was the source of the critical security issue.
See also: This is how viewing a GIF in Microsoft Teams triggered account hijacking bug
The function should check file names and paths when issues were copied across projects. However, there were no validation checks in place, leading to a path traversal problem that could be exploited to copy any file.
According to the bug bounty hunter, if exploited by an attacker, the vulnerability could be weaponized to “read arbitrary files on the server, including tokens, private data, [and] configs.”
GitLab instances and the GitLab.com domain were affected by the vulnerability, awarded a critical rating on HackerOne.
On the same day as disclosure, the GitLab security team decided to award Bowling a $1,000 reward while triage took place.
As triage was underway, Bowling added that the issue could be turned into a remote code execution (RCE) attack by using the arbitrary file read bug to grab information from the GitLab secret_key_base service. If an attacker changed their own instance secret_key_base to match a project, cookie services could also be manipulated to trigger RCE.
The vulnerability was sent to GitLab’s engineering team who reproduced the problem. While the team noted that an attacker would need to be at a project member — at a minimum — to exploit the vulnerability, they could also simply “create their own project/group to do this,” according to Heinrich Lee Yu, a senior engineer at GitLab.
The vulnerability has now been resolved in GitLab version 12.9.1, with the researcher’s full bounty awarded on March 27. The public report was released on April 27.
Four months ago, the same researcher disclosed a bug in GitLab’s Search API which allowed additional flags to be injected into the git command, potentially leading to the creation of crafted keys, remote access, and code execution. GitLab acknowledged the problem and awarded Bowling $12,000 for the critical bug report.
ZDNet has reached out to GitLab and will update when we hear back.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0