Vulnerability: Gitlist 0.4.0 webapp with RCE

Gemfile.lock

@@ -41,7 +41,11 @@ GEM
       json (~> 1.4)
     rsync (1.0.9)
     semantic_puppet (0.1.3)
+    spidr (0.6.0)
+      nokogiri (~> 1.3)
     thor (0.19.1)
+    wordlist (0.1.1)
+      spidr (~> 0.2)
     yard (0.8.7.6)
 
 PLATFORMS
@@ -54,7 +58,8 @@ DEPENDENCIES
   puppet
   rake
   rdoc
+  wordlist
   yard
 
 BUNDLED WITH
-   1.11.2
+   1.12.5

modules/services/unix/http/apache/manifests/params.pp

@@ -203,7 +203,7 @@ class apache::params inherits ::apache::version {
     $logroot             = '/var/log/apache2'
     $logroot_mode        = undef
     $lib_path            = '/usr/lib/apache2/modules'
-    $mpm_module          = 'worker'
+    $mpm_module          = 'prefork'
     $default_ssl_cert    = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
     $default_ssl_key     = '/etc/ssl/private/ssl-cert-snakeoil.key'
     $ssl_certs_dir       = '/etc/ssl/certs'

modules/services/unix/http/apache/manifests/vhost.pp

@@ -37,7 +37,7 @@ define apache::vhost(
   $servername                  = $name,
   $serveraliases               = [],
   $options                     = ['Indexes','FollowSymLinks','MultiViews'],
-  $override                    = ['None'],
+  $override                    = ['All'],
   $directoryindex              = '',
   $vhost_name                  = '*',
   $logroot                     = $::apache::logroot,

modules/vulnerabilities/unix/webapp/gitlist_040/gitlist_040.pp

@@ -0,0 +1 @@
+require gitlist_040

modules/vulnerabilities/unix/webapp/gitlist_040/manifests/configure.pp

@@ -0,0 +1,29 @@
+class gitlist_040::configure {
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  # Create /home/git/repositories
+  file { ['/home/git', '/home/git/repositories']:
+    ensure => directory,
+    owner  => 'www-data',
+  }
+
+  # Cloning the secgen repo as a repo with activity is required
+  # if this adds too much time due to size we can replace with another repo later
+  exec { 'clone-secgen-repo':
+    cwd     => '/home/git/repositories/',
+    command => 'git clone https://github.com/cliffe/secgen',
+  }
+
+  include ::apache
+  include ::apache::mod::rewrite
+  include ::apache::mod::php
+
+  ::apache::vhost { 'www-gitlist':
+    port            => '80',
+    docroot         => '/var/www/gitlist',
+    override        => 'All',
+    redirect_source =>'/',
+    redirect_dest   => '/gitlist/',
+  }
+}

modules/vulnerabilities/unix/webapp/gitlist_040/manifests/init.pp

@@ -0,0 +1,4 @@
+class gitlist_040{
+  require gitlist_040::install
+  require gitlist_040::configure
+}

modules/vulnerabilities/unix/webapp/gitlist_040/manifests/install.pp

@@ -0,0 +1,32 @@
+class gitlist_040::install {
+
+  Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
+
+  package { ['git', 'php5']:
+    ensure => installed,
+  }
+
+  $archive = 'gitlist-0.4.0.tar.gz'
+
+  file { "/usr/local/src/$archive":
+    ensure => file,
+    source => "puppet:///modules/gitlist_040/$archive",
+  }
+
+  exec { 'unpack-gitlist':
+    cwd => '/usr/local/src',
+    command => "tar -xzf $archive -C /var/www",
+  }
+
+  exec { 'copy-ini-file':
+    require => Exec['unpack-gitlist'],
+    command => 'cp /var/www/gitlist/config.ini-example /var/www/gitlist/config.ini',
+  }
+
+  file { '/var/www/gitlist/cache':
+    require => Exec['unpack-gitlist'],
+    ensure => directory,
+    mode => '777',
+  }
+
+}

modules/vulnerabilities/unix/webapp/gitlist_040/secgen_metadata.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+
+  <name>Gitlist 0.4.0 RCE</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>
+    Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file
+    name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to
+    blame/master/, master/, and stats/master/.
+  </description>
+
+  <type>webapp</type>
+  <privilege>user</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>low</difficulty>
+  <cve>CVE-2014-4511</cve>
+
+  <cvss_base_score>7.5</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</cvss_vector>
+
+  <!--optional hints-->
+  <msf_module>exploit/linux/http/gitlist_exec</msf_module>
+  <hint>Visit the webapp in a browser at: ip:80/gitlist </hint>
+
+  <conflict>
+    <type>webapp</type>
+  </conflict>
+
+  <requires>
+    <module_path>modules/services/unix/http/apache</module_path>
+  </requires>
+
+</vulnerability>

scenarios/simple_examples/gitlist_webapp_vulnerability.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <system>
+    <system_name>file_server</system_name>
+    <base platform="linux"/>
+
+    <vulnerability module_path=".*gitlist_040"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>