Found a Gitlab instance on a penetration test or red teaming engagement? If the version is <12.9.1, chances are you can get (unauthenticated) RCE by chaining some under-the-radar vulnerabilities! Info in thread 👇
#infosec #redteam #bugbountytips #hacking #gitlab

The initial exploit is CVE-2020-10535, which allows you to register an account without verification on Gitlab instances with an email domain whitelist in place (@corp.com). You can then confirm the account after changing the email to an address of your choosing 😎

The second exploit is CVE-2020-10977, an arbitrary file read vulnerability when moving issues. The vulnerability is disclosed here: hackerone.com/reports/827052. Using this vulnerability, you can read the server's 'secret_key_base', required for Vuln #3.

The third exploit (and probably the coolest one) is a code execution vulnerability which occurs when parsing cookies signed with the secret key. It's described here: robertheaton.com/2013/07/22/how…, and weaponized in the mentioned HackerOne report of the second vuln.

All in all, this combination of vulns can lead to unauthenticated RCE (and thus, full compromise Gitlab application, source code, CI/CD infra, secrets, etc.) of unpatched servers. I've exploited the full chain in my lab in under 10 minutes. Happy ethical hacking! 🔴💻