GitLab Exiftool RCE in Image Upload
GitLab Workhorse RCE (GitLab file upload to RCE). In April 2021, the security researcher known as vakzz uncovered a critical vulnerability in GitLab's image upload process that could enable remote code execution (RCE). The flaw lies in GitLab Workhorse, which, when handling certain image file types, passes the files to ExifTool for processing. ExifTool, in turn, mishandles DjVu files, and that mishandling is what turns an image upload into code execution.
Details of the Vulnerability
When image files are uploaded, GitLab Workhorse uses ExifTool to strip non-allowlisted tags from files with jpg, jpeg, or tiff extensions. The flaw arises because ExifTool determines the file type from its content rather than its extension, so a DjVu file carrying a jpg extension is parsed as DjVu. Within the DjVu annotation, tokens are evaluated to "convert C escape sequences". Despite attempts at validation, a backslash followed by a newline breaks out of the intended string and allows the injection of arbitrary Perl code, which is then executed.
Potential Exploitation: Steps to Gitlab RCE via image upload
To illustrate the severity, vakzz provides two example files: 'echo_vakzz.jpg.zip' and 'reverse_shell.jpg.zip'. The former demonstrates metadata that results in the creation of a file on the server, while the latter triggers a reverse shell, fully compromising the server.
Metadata Code:
Within the DjVu annotation of 'echo_vakzz.jpg.zip', the problematic metadata is as follows:
(metadata
(Copyright "\
" . qx{echo vakzz >/tmp/vakzz} . \
" b ") )
When this metadata is processed, the backslash-newline sequence ends the validated string early and the remainder is evaluated as Perl, so arbitrary commands run on the server.
Impact of the Vulnerability:
This flaw could be exploited by any user capable of uploading an image processed by GitLab Workhorse, giving them remote code execution. The issue extends beyond the intended TIFF and JPEG modules: because ExifTool selects its parser from the file content, a much broader range of file types reaches ExifTool's code, significantly expanding the attack surface.
Recommendations and GitLab’s Response
In response to this discovery, the approach of converting C escape sequences using 'eval' should be reconsidered. Additionally, restricting ExifTool to processing only TIFF and JPEG files, and checking that the uploaded content actually is a valid TIFF or JPEG before handing it to ExifTool, would mitigate the risk associated with this vulnerability.
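As an added illustration of the last two recommendations (example code written for this page, not GitLab Workhorse's or ExifTool's own), the Go snippet below sniffs an upload's leading bytes and only clears it for ExifTool when the extension and the content agree on JPEG or TIFF; a DjVu container renamed to .jpg is rejected before ExifTool ever sees it. It also includes a coarse heuristic that flags DjVu uploads containing the backslash-newline pair described above. The signatures are standard file magic; the sample byte strings are constructed for the example, not real files.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ImageKind is what the leading bytes of an upload say the file really is.
type ImageKind int

const (
	KindUnknown ImageKind = iota
	KindJPEG
	KindTIFF
	KindDjVu
)

// Standard file signatures (magic bytes) for the formats discussed above.
var (
	jpegMagic   = []byte{0xFF, 0xD8, 0xFF}
	tiffLEMagic = []byte("II*\x00")   // little-endian TIFF
	tiffBEMagic = []byte("MM\x00*")   // big-endian TIFF
	djvuMagic   = []byte("AT&TFORM")  // DjVu container header
)

// SniffImage classifies a file by its content, never by its name.
func SniffImage(head []byte) ImageKind {
	switch {
	case bytes.HasPrefix(head, jpegMagic):
		return KindJPEG
	case bytes.HasPrefix(head, tiffLEMagic), bytes.HasPrefix(head, tiffBEMagic):
		return KindTIFF
	case bytes.HasPrefix(head, djvuMagic):
		return KindDjVu
	default:
		return KindUnknown
	}
}

// ErrContentMismatch is returned when the extension claims JPEG/TIFF but the
// bytes say otherwise; such an upload is refused rather than passed to ExifTool.
var ErrContentMismatch = errors.New("upload content does not match its extension")

// ShouldStripWithExifTool decides whether an upload may be handed to ExifTool.
// It returns true only when the extension is allowlisted (jpg, jpeg, tiff, as in
// the write-up) AND the content sniffs as that same format.
func ShouldStripWithExifTool(filename string, head []byte) (bool, error) {
	var want ImageKind
	switch strings.ToLower(filepath.Ext(filename)) {
	case ".jpg", ".jpeg":
		want = KindJPEG
	case ".tiff":
		want = KindTIFF
	default:
		return false, nil // not an allowlisted extension: nothing to strip
	}
	if SniffImage(head) != want {
		return false, ErrContentMismatch
	}
	return true, nil
}

// HasBackslashNewline reports whether a DjVu upload contains the
// backslash-newline pair the write-up identifies as the injection primitive.
// It is a coarse heuristic for flagging uploads for review, not a parser.
func HasBackslashNewline(data []byte) bool {
	return SniffImage(data) == KindDjVu && bytes.Contains(data, []byte("\\\n"))
}

// Constructed samples: just enough bytes to exercise the checks.
var (
	sampleJPEG = []byte("\xFF\xD8\xFF\xE0\x00\x10JFIF")
	sampleTIFF = []byte("II*\x00\x08\x00\x00\x00")
	// DjVu header followed by an annotation whose quoted string holds the
	// backslash-newline pair; no command is embedded in this sample.
	sampleDjVu = []byte("AT&TFORM\x00\x00\x00\x00DJVU(metadata (Copyright \"\\\n\" b \"))")
)

func main() {
	for _, c := range []struct {
		name string
		head []byte
	}{
		{"photo.jpg", sampleJPEG},
		{"scan.tiff", sampleTIFF},
		{"renamed.jpg", sampleDjVu}, // DjVu content behind a .jpg name
	} {
		ok, err := ShouldStripWithExifTool(c.name, c.head)
		fmt.Printf("%-12s kind=%d exiftool=%v err=%v flagged=%v\n",
			c.name, SniffImage(c.head), ok, err, HasBackslashNewline(c.head))
	}
}
```

The decision is deliberately two-sided: a mismatch between name and content is treated as an error to reject, not merely as "skip ExifTool", because a file that lies about its type is itself a signal worth logging.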
It is worth noting that this security vulnerability earned a bug bounty reward of $20000, reinforcing the importance of prompt resolution to ensure the platform's security and integrity.
Conclusion
The security community played a vital role in identifying and addressing this threat, urging GitLab to swiftly rectify the vulnerability to ensure the security and integrity of its platform. Advisories recommended that users stay vigilant and actively monitor GitLab's official communications for the release of patches or updates addressing this issue.
HackerOne report of the GitLab Workhorse RCE here