CVE-2018-5955
published 2018-01-21


Priority: P182 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 81.28% (99.6th percentile)
An issue was discovered in GitStack through 2.3.10. User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via the username and password fields to the rest/user/ URI.

Affected

1 range

Vendor               Product   Version range   Fixed in
smartmobilesoftware  gitstack  <= 2.3.10       (not listed)

Detection & IOCs (extracted from sources)

url: /rest/settings/general/webinterface/
url: /rest/repository/
url: /web/index.php
url: /web/exploit.php
path: c:\GitStack\gitphp\exploit.php
command: p && echo "" > c:\GitStack\gitphp\exploit.php
command: cmd /c <payload>
snort: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GitStack - Unsanitized Argument Remote Code Execution"; flow:established,to_server; http.uri; content:"p="; content:".git&a="; fast_pattern; http.header; header_lowercase; content:"authorization|3a 20|Basic"; pcre:"/(?:Y21kIC9jIHBvd2Vyc2hlbGwuZXhl|NtZCAvYyBwb3dlcnNoZWxsLmV4Z|jbWQgL2MgcG93ZXJzaGVsbC5leG)/Ri"; reference:cve,2018-5955; reference:url,exploit-db.com/exploits/44356/; classtype:attempted-user; sid:2025830; rev:3; metadata:attack_target Web_Server, created_at 2018_07_12, cve CVE_2018_5955, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2024_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect unauthenticated PUT to /rest/settings/general/webinterface/ with body {"enabled": "true"}: the attacker enables the web repository interface as part of the exploit chain
  • Detect HTTP GET to /web/index.php with query parameters p=<repo>.git&a=summary combined with a Basic Authorization header containing shell metacharacters (&&, cmd /c, powershell.exe): this is the RCE trigger
  • Detect HTTP POST to /web/exploit.php: this endpoint is the dropped PHP backdoor used for post-exploitation command execution
  • Alert on presence of the file exploit.php under the GitStack gitphp web directory (c:\GitStack\gitphp\exploit.php): indicates a successful backdoor drop
  • The Snort/ET rule (sid:2025830) matches on a URI containing 'p=' and '.git&a=' together with a Basic Authorization header whose base64 value matches powershell.exe invocation patterns
  • The exploit chain requires the web repository interface to be enabled; if it is already disabled, the attacker will attempt to enable it via an unauthenticated PUT, so detection should cover both the pre-enabled and attacker-enabled states
  • The attacker may reuse an existing repository and existing user rather than creating new ones, so absence of a POST to /rest/user/ or /rest/repository/ does not rule out exploitation
  • The Metasploit RCE module injects the payload into the HTTP Basic Auth password field; the payload length must not exceed 6110 characters or the module will abort
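As an added example (not from the page's sources or the Snort rule), the following Python classifies constructed HTTP request records against the three request-side indicators listed above; it decodes the Basic Authorization value and inspects it directly rather than matching the three base64 alignments the Snort rule's pcre uses. The request tuples, the PLACEHOLDER credential text and the label names are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, path+query, Authorization header, body),
# modelled on the indicators listed above; the third carries a PLACEHOLDER
# credential containing shell metacharacters, the first is a benign lookalike.
SAMPLE_REQUESTS = [
    ("GET", "/web/index.php?p=project.git&a=summary",
     "Basic " + base64.b64encode(b"alice:correct-horse").decode(), None),
    ("PUT", "/rest/settings/general/webinterface/", None, '{"enabled": "true"}'),
    ("GET", "/web/index.php?p=project.git&a=summary",
     "Basic " + base64.b64encode(b"rce:x && cmd /c PLACEHOLDER").decode(), None),
    ("POST", "/web/exploit.php", None, "a=PLACEHOLDER"),
]

# Metacharacters and binaries named in the detection notes above.
SHELL_MARKERS = re.compile(r"&&|cmd /c|powershell\.exe", re.IGNORECASE)

def decode_basic(auth_header):
    """Return the decoded Basic credential text, or '' if absent or malformed."""
    if not auth_header or not auth_header.lower().startswith("basic "):
        return ""
    try:
        return base64.b64decode(auth_header[6:], validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return ""

def classify(method, target, auth_header, body):
    """Return the indicator labels one request matches (empty list = clean)."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    hits = []
    if (method == "PUT" and path == "/rest/settings/general/webinterface/"
            and body and re.search(r'"enabled"\s*:\s*"?true"?', body)):
        hits.append("webinterface-enable")   # attacker turning the web UI on
    if method == "GET" and path == "/web/index.php":
        repo = query.get("p", [""])[0]
        if repo.endswith(".git") and "a" in query and SHELL_MARKERS.search(
                decode_basic(auth_header)):
            hits.append("rce-trigger")       # p=<repo>.git&a=... plus hostile Basic auth
    if method == "POST" and path == "/web/exploit.php":
        hits.append("backdoor-use")          # dropped PHP file being called
    return hits

def scan(requests):
    """Return (index, labels) for every request matching at least one indicator."""
    labelled = ((i, classify(*r)) for i, r in enumerate(requests))
    return [(i, hits) for i, hits in labelled if hits]
```

Running scan(SAMPLE_REQUESTS) flags requests 1, 2 and 3 and leaves the benign GET with ordinary credentials unflagged; a real deployment would feed parsed proxy or IIS logs into classify in place of the constructed tuples.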

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P