add cve-2021-22205

[rucnyz]

I use a sleep(180) to wait the gitlab for setup

[olegbck]

It fails to run:

2024-11-21 11:41:35,798 - INFO - [ubuntu] Executing 'python /opt/CVE-2021-22205/poc.py http://localhost:8080 "touch /tmp/success"'...
2024-11-21 11:44:38,346 - CRITICAL - [main] Command failed: <UnexpectedExit: cmd='python /opt/CVE-2021-22205/poc.py http://localhost:8080 "touch /tmp/success"' exited=1>

[olegbck]

Use the ubuntu2204-ubuntu2204 blueprint. Install and run the Docker containers on ubuntu1, copy the exploit to ubuntu2, run the exploit on ubuntu2 that would attack ubuntu1. Make sure that router_raw.pcap captures the network traffic. The goal is to get the traffic!

[olegbck]

Please download the Docker image and keep it in the data folder. Install it from the file.

[olegbck]

Do we need this specific version of redis? If we do, then please download the Docker image and keep it in the data folder. Install it from the file.

[olegbck]

I'm asking once again: please either download this specific version of redis and install it from file, or pull the latest version of redis.

[olegbck]

Use community.docker.docker_compose instead of shell commands

[olegbck]

Where pip is used? I don't see that.

[olegbck]

I'd remove that. Let's keep it clean, without debugging commands.

[olegbck]

In the new version of cvex.yml based off ubuntu2204-ubuntu2204 please also run ls /tmp/success on ubuntu1. cvex.yml will look like this:

ubuntu2:
...
  command: "python /opt/CVE-2021-22205/poc.py http://localhost:8080 \"touch /tmp/success\""
...
ubuntu1:
...
  command: ls /tmp/success

This way we can verify that the file has been successfully created.

[rucnyz]

Hi Oleg,
I added a second Ubuntu and added a local image. Due to some environmental issues, I spent several hours exploring the community Docker but still failed. I successfully reproduced the exploit locally, as shown in the screenshot.

[olegbck]

Reliance on sleeps like that is a poor design choice unless there is absolutely no way around it. Is there a way to check that GitLab is ready to be used? Please move this check to ubuntu1.yml.

[olegbck]

python does not exist on ubuntu1, therefore this command will always fail to execute. I was able to execute this script with python3:

vagrant@ubuntu2:~$ python3 /opt/CVE-2021-22205/poc.py http://ubuntu1:8080 "touch /tmp/success"
finish test

But then when I execute ls /tmp/success on ubuntu1, it shows me that /tmp/success does not exist. Looks like the exploit doesn't work.

[olegbck]

I'm asking once again: please either download this specific version of redis and install it from file, or pull the latest version of redis.

[olegbck]

Please use built-in Docker commands: https://docs.ansible.com/ansible/latest/collections/community/docker/index.html

[olegbck]

Please use built-in Docker commands: https://docs.ansible.com/ansible/latest/collections/community/docker/index.html

[rucnyz]

@olegbck I've noticed that the key to whether the exploit succeeds depends on whether the GitLab service can start normally, and this is quite random - whether it starts within a fixed time and whether it starts correctly are both very difficult to determine. Even worse, I am unable to reproduce this exploit locally now, despite not having made any modifications.

I spent few hours and finally decided to give up and switch to CVE-2012-2122 instead. #42