Direkt zum Inhalt

AIT-SA-20190930-01

Privilege Escalation via Logrotate in Gitlab Omnibus

Identifier: AIT-SA-20190930-01
Target: GitLab Omnibus
Vendor: GitLab
Version: 7.4 through 12.2.1
Fixed in Version: 12.2.3, 12.1.8 and 12.0.8
CVE: CVE-2019-15741
Accessibility: Local
Severity: Low
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

Omnibus GitLab is a way to package different services and tools required to run GitLab, so that most users can install it without laborious configuration.

Vulnerability Description

GitLab Omnibus sets the ownership of the log directory to the system-user "git", which might let local users obtain root access because of unsafe interaction with logrotate.
User “git” owns the log directory /var/log/gitlab:

ERROR: Content Element with uid "45102" and type "ar_codeelem" has no rendering definition!

Log files rotate once a day (or any other frequency if configured) by logrotate as user root. The configuration does not use the “su” directive:

ERROR: Content Element with uid "45103" and type "ar_codeelem" has no rendering definition!

Due to logrotate is prone to a race-condition it is possible for user "git" to replace the
directory /var/log/gitlab/gitlab-workhorse/ with a symbolic link to any
directory(for example /etc/bash_completion.d). Logrotate will place
files as user “root” into /etc/bash_completition.d and set the owner of the file to "git".
An attacker could simply place a reverse-shell into this file. As soon as root logs in, a reverse
root-shell will be executed.

Details of the race-condition in logrotate can be found at:

Proof of Concept

The following example illustrates how an attacker who already gained a shell as user “git”, can elevate his privileges to “root”. After downloading and compiling, the exploit gets executed and waits until the next daily run of logrotate.  If the rotation of the log file succeeds, a new file that contains the reverse shell payload, will be written into /etc/bash_completition.d/ with owner “git”. As soon as root logs in, the reverse shell gets executed and opens a shell on the attackers netcat listener:

ERROR: Content Element with uid "45098" and type "ar_codeelem" has no rendering definition!

Vulnerable Versions

7.4 through 12.2.1

Impact

An attacker who already achieved a valid shell as user “git” could elevate the privileges to “root”. The fact that another exploit is needed to get a shell lowers the severity from high to low.

Solution

Update to GitLab Security Release: 12.2.3, 12.1.8, and 12.0.8

References:

Vendor Contact Timeline

2019-05-12 Contacting vendor through HackerOne
2019-05-31 GitLab acknowledges the vulnerability
2019-08-22 Notification from GitLab about the release that includes a patch
2019-08-30 GitLab changed the severity from high to low and released an update that fixed the problem
2019-09-30 Public disclosure

 

Advisory URL

http://www.ait.ac.at/ait-sa-20190930-01-privilege-escalation-via-logrotate-in-gitlab-omnibus