CVE-2020-15867
Published: 2020-10-16
Priority P271 · Severity: high · CVSS 3.1 base score 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 87.53% (99.7th percentile)
The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. There can be a privilege escalation if access to this hook feature is granted to a user who does not have administrative privileges. NOTE: because this is mentioned in the documentation but not in the UI, it could be considered a "Product UI does not Warn User of Unsafe Actions" issue.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gogs | gogs | 0.5.5 – 0.12.2 | — |
Detection & IOCs (extracted from sources)
- url: POST /user/login HTTP/1.1
- path: /{{username}}/{{randstr}}/settings/hooks/git/post-receive
- command: #!/bin/bash\ncurl {{interactsh-url}}
- Exploitation involves a POST request to the git post-receive hook endpoint path matching the pattern /<user>/<repo>/settings/hooks/git/post-receive — monitor for authenticated POST requests to this path on Gogs instances.
- The exploit flow creates a new repository, sets a post-receive git hook with a shell payload, then commits a dummy file to trigger execution — detect rapid repo creation followed by hook configuration and a commit from the same session.
- The Nuclei template fingerprints Gogs by checking the response body for the string 'content="Gogs' — use this as a passive detection signal for exposed Gogs instances.
- Shodan/FOFA exposure queries for vulnerable Gogs instances: search for cpe:"cpe:2.3:a:gogs:gogs" or title="sign in - gogs" to identify internet-exposed instances.
- In-the-wild exploitation (JINX-0132 campaign) leverages this git-hooks RCE on Gitea/Gogs to deploy the XMRig cryptominer; the post-exploitation indicator is execution of xmrig connecting to pool.supportxmr.com:443.
- Attacker-controlled Monero wallet address used in wild exploitation: 468VEByGGFQSN2bJG99ovhe5SG9SLxLAA9e2s7tWFxvBM33FAEP4JbwYHEeXexq8djYpDEHg9Jq6eGF3rREnAAc4UkjLd3E — flag any outbound connections referencing this wallet.
- The vulnerability is only exploitable when a user has been granted git hook creation permissions. For non-admin users, an administrator must explicitly grant this permission; admin users have it by default.
- For Gitea (the Gogs fork), the risk is mitigated in version 1.13+ where DISABLE_GIT_HOOKS defaults to true; however, an admin manually re-enabling hooks restores the attack surface.
- The Metasploit module notes the Windows version of Gogs could not be tested as the git hook feature appears broken on Windows, limiting confirmed RCE to Linux deployments.
- The Monero wallet address IOC is brittle: the threat actor can trivially replace it in future campaign iterations.
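As an added example (not code from the page, the Gogs project or any of the sources cited), the two detection signals above run over constructed access-log lines: hook-write requests, and the repo-create, hook-write, new-file sequence from one session. The hook pattern is generalized to all three Gogs server-side hooks (pre-receive, update, post-receive); the /repo/create and /_new/ routes, the log format and the session ids are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the page): timestamp, session, method, path.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sess-a POST /user/login
2024-05-01T10:00:05Z sess-a POST /repo/create
2024-05-01T10:00:09Z sess-a POST /alice/tmp01/settings/hooks/git/post-receive
2024-05-01T10:00:14Z sess-a POST /alice/tmp01/_new/master/
2024-05-01T10:07:00Z sess-b GET /bob/infra/settings/hooks/git/post-receive
2024-05-01T10:30:00Z sess-c POST /carol/app/settings/hooks/git/update
"""
# Gogs has pre-receive, update and post-receive server-side hooks; the page's IOC path is post-receive.
HOOK_RE = re.compile(r"^/([^/]+)/([^/]+)/settings/hooks/git/(pre-receive|update|post-receive)$")
REPO_CREATE = "/repo/create"                          # assumed repository-creation endpoint
NEW_FILE_RE = re.compile(r"^/([^/]+)/([^/]+)/_new/")  # assumed web "new file" route (the commit step)

def events(log_text):
    """Yield (ts, session, method, path) for each constructed log line."""
    for line in log_text.splitlines():
        ts, sess, method, path = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), sess, method, path

def hook_writes(log_text):
    """Signal 1: every POST that writes a server-side hook -> (session, user, repo, hook)."""
    return [(sess, *m.groups()) for _, sess, method, path in events(log_text)
            if method == "POST" and (m := HOOK_RE.match(path))]

def exploit_chains(log_text, window_seconds=300):
    """Signal 2: sessions doing repo create -> hook write -> new file, each step inside the window."""
    window, by_sess = timedelta(seconds=window_seconds), defaultdict(list)
    for ts, sess, method, path in events(log_text):
        if method == "POST":
            by_sess[sess].append((ts, path))
    flagged = []
    for sess, steps in by_sess.items():
        create_ts, hooked = None, None   # hooked = (user, repo, ts) of a hook write after a create
        for ts, path in steps:
            if path == REPO_CREATE:
                create_ts = ts
            elif (m := HOOK_RE.match(path)) and create_ts and ts - create_ts <= window:
                hooked = (m.group(1), m.group(2), ts)
            elif hooked and (m := NEW_FILE_RE.match(path)) and m.group(1, 2) == hooked[:2] \
                    and ts - hooked[2] <= window:
                flagged.append((sess, hooked[0], hooked[1]))
                break
    return flagged
```

A GET on the hook settings page (sess-b) is not flagged, and a lone hook write without a preceding repo creation (sess-c) shows up only in the first signal, so the second one stays specific to the exploit flow described on the page.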
CVSS provenance
- NVD v3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
CVE-2020-15867 [HIGH] Gogs 0.5.5 - 0.12.2 - Remote Code Execution (nuclei · CVSS 7.2)
Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administrative privileges. NOTE: Since this is mentioned in the documentation but not in the UI, it could be considered a "product UI does not warn user of unsafe actions" issue.
Template:
```yaml
id: CVE-2020-15867
info:
  name: Gogs 0.5.5 - 0.12.2 - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    Gogs 0.5.5 through 0.12.2 is susceptible to authenticated remote code execution via the git hooks functionality. There can be a privilege escalation if access to this feature is granted to a user who does not have administr
```
Metasploit
Gogs Git Hooks Remote Code Execution (metasploit)
This module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gogs. This is possible when the current user is allowed to create `git hooks`, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator. To achieve code execution, the module authenticates to the Gogs web interface, creates a temporary repository, sets a `post-receive` git hook with the payload and creates a dummy file in the repository. This last action will trigger the git hook and execute the payload. Everything is done through the web interface. No mitigation has been implemented so far (latest stable version is 0.12.3). This module has been
References:
- http://packetstormsecurity.com/files/162123/Gogs-Git-Hooks-Remote-Code-Execution.html
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-3-schwachstelle-in-gitea-1125-und-gogs-0122-ermoeglicht-ausfuehrung-von-code-nach-authent/