Gitlab servers are being exploited in DDoS attacks in excess of 1 Tbps

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • exiftool

    ExifTool meta information reader/writer

    ExifTool is the tool to extract and write and fix metadata, bar none. I haven't seen anything that even comes remotely close at how good it is at handling just jpeg metadata (exif, XMP, IPTC, MakerNotes, and all the fine bugs every vendor has when creating these), let alone other formats too.

    ExifTool is essentially for (image) metadata what ffmpeg is for video.

    It isn't a hack job, but it started out as one, like so very many other things. Version 1.00 was released end of 2003, while the problematic code was added in 2008. Mind you, the problematic code does not just eval whatever it sees, it tries to make sure the input isn't dangerous first. That check failed spectacularly, defeated by a newline combined with how '$' in perl regex works without any special flags[0]. Using eval was a bad choice to begin with (but I am told something you would commonly see in perl software of the time, yes, even in 2008 still); it was the lazy choice of re-using perl to unescape C-strings instead of rolling your own unescaping code.

    So what do you suggest? Use libexif[1]? Exiv2[2]? Where would I run it? Can you suggest any operating system that never had a "stupid" RCE?

    >It appears to be a complete piece of shit.

    Let's see your code then. All the code you ever wrote that is possibly still in use somewhere. So if you never ever fucked up or got lazy, feel free to cast the first stone, otherwise I would suggest you dial down your rhetoric when it comes to taking massive steaming piles on other people's work.

    Yes, Phil Harvey had a "WTF?!"-class security bug here[4], shit happens, "goto fail", let me deRail your yaml and the Debian random number of the day is: 6.

    He patched it promptly compared to other vendors and projects (public release on April 13th, while April 7th was the initial bug report, to Gitlab not ExifTool, which Gitlab then passed along[3]).

    You can blame him for the bug, you can blame Gitlab for not running exiftool in some sandbox. But that half the gitlab instances remain unpatched some 7 months after patches became available, that you'll have to put on the people running these instances.

    [0] https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca9...

    [1] http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libexif

    [2] http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=exiv2

    [3] https://hackerone.com/reports/1154542

    [4] I cannot be sure if he wrote it, or if somebody else contributed it, but at the very least he didn't catch it during review. Looks like he wrote it, though.
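The comment above makes two defensive points: a "whole string" regex check anchored with `$` is weaker than it looks because `$` also matches just before a trailing newline, and C-style escape sequences should be decoded by a purpose-written unescaper rather than by handing the string to the language's `eval`. The block below is an added illustration of both, not code from ExifTool or from the commenter; it is written in Python because Python's `$` shares the trailing-newline behaviour the comment describes (in Python the absolute-end anchor is `\Z`, which corresponds to Perl's `\z`). The validator pattern and the set of recognised escapes are my own choices for the example.

```python
import re

# A "whole string" allow-list check written the tempting way. Without
# flags, "$" matches at the end of the string OR just before a final
# newline, so "abc\n" passes even though the newline is not in the class.
ALLOWED_NAIVE = re.compile(r"^[A-Za-z0-9 _.-]*$")

# Same class, anchored at the absolute start and end of the string.
# Python's \Z is the absolute end (Perl spells this \z).
ALLOWED_STRICT = re.compile(r"\A[A-Za-z0-9 _.-]*\Z")


def is_safe_naive(s: str) -> bool:
    return ALLOWED_NAIVE.match(s) is not None


def is_safe_strict(s: str) -> bool:
    return ALLOWED_STRICT.match(s) is not None


# Escapes this example chooses to recognise; anything else is an error
# rather than silently passed through or evaluated.
SIMPLE_ESCAPES = {
    "n": "\n", "t": "\t", "r": "\r", "a": "\a", "b": "\b",
    "f": "\f", "v": "\v", "\\": "\\", '"': '"', "'": "'",
}


def unescape_c(s: str) -> str:
    """Decode C escape sequences with a hand-written scanner.

    Because no interpreter is involved, text such as '${...}' or '@{...}'
    is ordinary data and comes back unchanged; the only thing with
    special meaning is a backslash, and every backslash must introduce a
    known escape.
    """
    out = []
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c != "\\":
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= n:
            raise ValueError("dangling backslash at end of input")
        e = s[i]
        if e in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[e])
            i += 1
        elif e == "x":
            # \xHH with one or two hex digits
            m = re.match(r"[0-9A-Fa-f]{1,2}", s[i + 1:])
            if not m:
                raise ValueError("\\x escape without hex digits")
            out.append(chr(int(m.group(), 16)))
            i += 1 + m.end()
        elif e in "01234567":
            # \ooo with one to three octal digits (covers \0)
            m = re.match(r"[0-7]{1,3}", s[i:])
            out.append(chr(int(m.group(), 8)))
            i += m.end()
        else:
            raise ValueError(f"unknown escape \\{e}")
    return "".join(out)


if __name__ == "__main__":
    print(is_safe_naive("report\n"), is_safe_strict("report\n"))
    print(repr(unescape_c(r"line\tone\nline\x32\101")))
```

The strict validator rejects the trailing newline that the naive one accepts, and the unescaper returns interpolation-looking text verbatim instead of executing it. The general lesson is to decode untrusted text with a scanner whose only behaviours are the ones you wrote down.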

  • gitlab

    It doesn't help if the file is not executable, but the parser executes it on its own:

    > When uploading image files, GitLab Workhorse passes any files with the extensions jpg|jpeg|tiff through to ExifTool to remove any non-whitelisted tags.

    > An issue with this is that ExifTool will ignore the file extension and try to determine what the file is based on the content, allowing for any of the supported parsers to be hit instead of just JPEG and TIFF by just renaming the uploaded file.

    > One of the supported formats is DjVu. When parsing the DjVu annotation, the tokens are evaled to "convert C escape sequences".

    https://gitlab.com/gitlab-org/gitlab/-/issues/327121
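The quoted issue describes a gap between the gate (an extension allow-list of jpg, jpeg and tiff) and the consumer (a parser that identifies the file by content). The block below is an added example of the check a gateway can do before handing a file on: identify the content by its leading bytes and require it to agree with the declared extension, so a renamed file of another format is refused instead of reaching a parser for that format. It is not GitLab Workhorse code; the extension set follows the quoted rule, and the sample files are constructed headers, not real uploads.

```python
from typing import Optional

# Extensions the gateway accepts, per the quoted Workhorse rule, mapped to
# the content type each one claims to be.
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "tiff": "tiff"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify JPEG or TIFF by magic bytes; anything else is None."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    # TIFF: byte order mark "II" (little-endian) or "MM" (big-endian)
    # followed by the 16-bit value 42 in that byte order.
    if data.startswith(b"II*\x00") or data.startswith(b"MM\x00*"):
        return "tiff"
    return None


def accept_for_metadata_stripping(filename: str, data: bytes) -> bool:
    """Return True only if the extension is allowed AND the content agrees.

    A file whose bytes say "something else" is rejected even when its
    name ends in .jpg, so the downstream parser only ever sees the two
    formats the gate was meant to permit.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext)
    if claimed is None:
        return False
    return sniff_image_type(data) == claimed


# Constructed sample headers (not real files): a JPEG SOI+APP0 prefix,
# a little-endian TIFF header, and an unrelated container signature.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "scan.tiff": b"II*\x00\x08\x00\x00\x00",
    "renamed.jpg": b"AT&TFORM\x00\x00\x00\x00",   # not a JPEG despite the name
    "mismatch.tiff": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",  # JPEG bytes, TIFF name
}


def triage(samples=SAMPLES):
    """Map each filename to the gateway's decision."""
    return {name: accept_for_metadata_stripping(name, data)
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, ok in triage().items():
        print(f"{name:14s} -> {'pass to parser' if ok else 'reject'}")
```

Checking that content and extension agree is cheap and closes the rename trick for the declared formats; it does not replace sandboxing the parser, which the thread also recommends, because a genuine JPEG can still carry a malformed payload for the JPEG parser.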


  • pocorgtfo

    a "Proof of Concept or GTFO" mirror with an extensive index, plus whole issues and individual articles as clean PDFs.

  • The first step is always "don't do it at all". Here is the original commit:

    https://gitlab.com/gitlab-org/gitlab-workhorse/-/commit/8656...

    It's hard to find a linked detailed requirement for this. I would certainly prefer if GitLab didn't mangle uploaded images (not least if I'm working on an EXIF library..).

  • Judge0 API

    🔥 The most advanced open-source online code execution system in the world.

  • Metasploit

    Metasploit Framework

    Full disclosure, I wrote both of these.

    The following describes the entire unauthenticated attack:

    https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapi...

    And, if you like that sort of thing, there is a metasploit module you can use to reproduce the unauthenticated attack:

    https://github.com/rapid7/metasploit-framework/commit/6f4aa5...
