CVE-2018-5955
Published 2018-01-21
Priority: P1 · 82 · critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 81.28% (99.6th percentile)
An issue was discovered in GitStack through 2.3.10. User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via the username and password fields to the rest/user/ URI.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartmobilesoftware | gitstack | <= 2.3.10 | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GitStack - Unsanitized Argument Remote Code Execution"; flow:established,to_server; http.uri; content:"p="; content:".git&a="; fast_pattern; http.header; header_lowercase; content:"authorization|3a 20|Basic"; pcre:"/(?:Y21kIC9jIHBvd2Vyc2hlbGwuZXhl|NtZCAvYyBwb3dlcnNoZWxsLmV4Z|jbWQgL2MgcG93ZXJzaGVsbC5leG)/Ri"; reference:cve,2018-5955; reference:url,exploit-db.com/exploits/44356/; classtype:attempted-user; sid:2025830; rev:3; metadata:attack_target Web_Server, created_at 2018_07_12, cve CVE_2018_5955, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2024_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect an unauthenticated PUT to /rest/settings/general/webinterface/ with body {"enabled": "true"}: the attacker enables the web repository interface as part of the exploit chain.
- Detect an HTTP GET to /web/index.php with query parameters p=<repo>.git&a=summary combined with a Basic Authorization header containing shell metacharacters (&&, cmd /c, powershell.exe); this is the RCE trigger.
- Detect an HTTP POST to /web/exploit.php; this endpoint is the dropped PHP backdoor used for post-exploitation command execution.
- Alert on the presence of the file exploit.php under the GitStack gitphp web directory (c:\GitStack\gitphp\exploit.php); it indicates a successful backdoor drop.
- The Snort/ET rule (sid:2025830) matches on a URI containing 'p=' and '.git&a=' together with a Basic Authorization header whose base64 value matches powershell.exe invocation patterns.
- The exploit chain requires the web repository interface to be enabled; if it is disabled, the attacker will attempt to enable it via an unauthenticated PUT, so detection should cover both the pre-enabled and attacker-enabled states.
- The attacker may reuse an existing repository and an existing user rather than creating new ones, so the absence of a POST to /rest/user/ or /rest/repository/ does not rule out exploitation.
- The Metasploit RCE module injects the payload into the HTTP Basic Auth password field; the payload length must not exceed 6110 characters or the module will abort.
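The detection notes above, turned into a small request classifier. This is an added example, not code from the page, from GitStack or from the ET rule set; the request dicts are constructed samples, and only the paths, the metacharacter list and the three base64 alignments of "cmd /c powershell.exe" (taken from the ET rule, sid:2025830) come from the notes.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not from the page), one per stage of the chain
# described above, plus a benign request that must stay clean.
ENABLE_PUT = {"method": "PUT", "path": "/rest/settings/general/webinterface/",
              "auth": "", "body": '{"enabled": "true"}'}
TRIGGER_GET = {"method": "GET", "path": "/web/index.php?p=repo.git&a=summary",
               "auth": "Basic " + base64.b64encode(b"u:p&&cmd /c powershell.exe").decode(),
               "body": ""}
BENIGN_GET = {"method": "GET", "path": "/web/index.php?p=repo.git&a=summary",
              "auth": "Basic " + base64.b64encode(b"alice:s3cret").decode(), "body": ""}
BACKDOOR_POST = {"method": "POST", "path": "/web/exploit.php", "auth": "", "body": "a=1"}

# The three base64 alignments of "cmd /c powershell.exe" used by the ET rule (sid:2025830).
ET_B64 = re.compile(r"Y21kIC9jIHBvd2Vyc2hlbGwuZXhl|NtZCAvYyBwb3dlcnNoZWxsLmV4Z"
                    r"|jbWQgL2MgcG93ZXJzaGVsbC5leG", re.I)
# Metacharacters and binaries the detection notes list for the decoded credential.
SHELL_META = re.compile(r"&&|cmd /c|powershell\.exe", re.I)


def decode_basic(auth):
    """Decode a Basic header to 'user:password'; None if absent or malformed."""
    if not auth.lower().startswith("basic "):
        return None
    try:
        return base64.b64decode(auth[6:], validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def classify(req):
    """Return the exploit-chain stages one request matches (empty if benign)."""
    findings = []
    method, url = req["method"].upper(), urlsplit(req["path"])
    qs = parse_qs(url.query)
    if (method == "PUT" and url.path == "/rest/settings/general/webinterface/"
            and not req["auth"] and '"enabled":"true"' in req["body"].replace(" ", "")):
        findings.append("webinterface-enabled-unauthenticated")
    if (method == "GET" and url.path == "/web/index.php"
            and qs.get("p", [""])[0].endswith(".git") and qs.get("a") == ["summary"]):
        if SHELL_META.search(decode_basic(req["auth"]) or ""):
            findings.append("rce-trigger-decoded-auth")
        if ET_B64.search(req["auth"]):  # the same check the ET rule's pcre performs
            findings.append("rce-trigger-et-b64")
    if method == "POST" and url.path == "/web/exploit.php":
        findings.append("backdoor-post")
    return findings
```

Decoding the credential catches payloads at any base64 alignment, which is why the classifier checks the decoded value in addition to the three fixed encodings the signature relies on.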
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS GitStack - Unsanitized Argument Remote Code Execution (suricata, 2018-07-12)
Rule: sid:2025830, as listed under Detection & IOCs above.
Exploit-DB
GitStack - Unsanitized Argument Remote Code Execution (Metasploit) (exploitdb, 2018-03-29)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'GitStack Unsanitized Argument RCE',
      'Description' => %q{
        This module exploits a remote code execution vulnerability that
        exists in GitStack through v2.3.10, caused by an unsanitized argument
        being passed to an exec function call. This module has been tested
        on GitStack v2.3.10.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Kacper Szurek', # Vulnerability discovery and PoC
          'Jacob Robles'   # Metasploit module
        ],
      'References'  =>
        [
          ['CVE', '2018-5955'],
          ['EDB', '43777'],
          ['EDB', '44044'],
          ['URL', 'https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html']
```
Exploit-DB
GitStack - Remote Code Execution (exploitdb, 2018-01-15, CVSS 9.8, CRITICAL)
---
## Vulnerability Summary
The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack, which is then used to trigger an unauthenticated remote code execution.
GitStack is “a software that lets you setup your own private Git server for Windows. This means that you create a leading edge versioning system without any prior Git knowledge. GitStack also makes it super easy to secure and keep your server up to date. GitStack is built on the top of the genuine Git for Windows and is compatible with any other Git clients. GitStack is completely free for small teams.”
## Credit
An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure pr
Metasploit
GitStack Unauthenticated REST API Requests (metasploit)
This module exploits unauthenticated REST API requests in GitStack through v2.3.10. The module supports requests for listing users of the application and listing available repositories. Additionally, the module can create a user and add the user to the application's repositories. This module has been tested against GitStack v2.3.10.
Metasploit
GitStack Unsanitized Argument RCE (metasploit)
This module exploits a remote code execution vulnerability that exists in GitStack through v2.3.10, caused by an unsanitized argument being passed to an exec function call. This module has been tested on GitStack v2.3.10.
No writeups or analysis indexed.