GitLab CVE-2022-1162 硬编码漏洞分析与复现指南<\/h1>

漏洞概述<\/h2>

漏洞描述<\/h3>
GitLab CE\/EE 版本14.7(14.7.7之前)、14.8(14.8.5之前)和14.9(14.9.2之前)中存在一个严重安全漏洞，当使用OmniAuth提供商(如OAuth、LDAP、SAML)注册账户时，系统会为这些账户设置硬编码密码。攻击者可利用此漏洞潜在控制这些账户。<\/p>

受影响版本<\/h3>

Gitlab CE\/EE >=14.7,<14.7.7<\/li>
Gitlab CE\/EE >=14.8,<14.8.5<\/li>

Gitlab CE\/EE >=14.9,<14.9.2<\/li> <\/ul>

环境搭建<\/h2>

准备工作<\/h3>

选择Docker镜像：gitlab\/gitlab-ce:14.7.4-ce.0<\/code><\/li>

创建docker-compose.yml文件：<\/li>
<\/ol>
version<\/span>: '3'<\/span>
<\/span><\/span>services<\/span>:
<\/span><\/span>  gitlab<\/span>:
<\/span><\/span>    image<\/span>: 'gitlab\/gitlab-ce:14.7.4-ce.0'<\/span>
<\/span><\/span>    container_name<\/span>: 'gitlab'<\/span>
<\/span><\/span>    restart<\/span>: always<\/span>
<\/span><\/span>    privileged<\/span>: true<\/span>
<\/span><\/span>    hostname<\/span>: 'gitlab'<\/span>
<\/span><\/span>    environment<\/span>:
<\/span><\/span>      TZ<\/span>: 'Asia\/Shanghai'<\/span>
<\/span><\/span>    ports<\/span>:
<\/span><\/span>      - '8080:80'<\/span>
<\/span><\/span>    volumes<\/span>:
<\/span><\/span>      - .\/config:\/etc\/gitlab<\/span>
<\/span><\/span>      - .\/data:\/var\/opt\/gitlab<\/span>
<\/span><\/span>      - .\/logs:\/var\/log\/gitlab<\/span>
<\/span><\/span><\/code><\/pre>
启动容器：docker-compose up -d<\/code><\/li>
<\/ol>
重要目录说明<\/h3>

.\/config<\/code>：包含GitLab配置文件gitlab.rb<\/code><\/li>
.\/data<\/code>：GitLab数据存储目录<\/li>
.\/logs<\/code>：GitLab日志目录<\/li>
<\/ul>
GitHub OAuth应用配置<\/h3>


在GitHub创建新的OAuth应用：<\/p>

Application name：任意名称<\/li>
Homepage URL：http:\/\/127.0.0.1:8080<\/code><\/li>
Authorization callback URL：http:\/\/127.0.0.1:8080\/users\/auth\/github\/callback<\/code><\/li>
<\/ul>
<\/li>

获取Client ID和Client Secret<\/p>
<\/li>
<\/ol>
GitLab OAuth配置<\/h3>
编辑\/config\/gitlab.rb<\/code>文件，添加以下内容：<\/p>
### OmniAuth Settings<\/span>
<\/span><\/span>gitlab_rails[<\/span>'omniauth_allow_single_sign_on'<\/span>]<\/span> =<\/span> [<\/span>'github'<\/span>]<\/span>
<\/span><\/span>gitlab_rails[<\/span>'omniauth_auto_link_ldap_user'<\/span>]<\/span> =<\/span> true<\/span>
<\/span><\/span>gitlab_rails[<\/span>'omniauth_block_auto_created_users'<\/span>]<\/span> =<\/span> true<\/span>
<\/span><\/span>gitlab_rails[<\/span>'omniauth_providers'<\/span>]<\/span> =<\/span> [<\/span>
<\/span><\/span>  {
<\/span><\/span>    name: "github"<\/span>,
<\/span><\/span>    app_id<\/span>: "APP_ID"<\/span>,  # 替换为实际Client ID<\/span>
<\/span><\/span>    app_secret<\/span>: "APP_SECRET"<\/span>,  # 替换为实际Client Secret<\/span>
<\/span><\/span>    args<\/span>: { scope<\/span>: "user:email"<\/span> }
<\/span><\/span>  }
<\/span><\/span>]<\/span>
<\/span><\/span><\/code><\/pre>漏洞原理分析<\/h2>
OAuth2基础<\/h3>


传统身份验证模型的问题：<\/p>

第三方应用存储明文凭证<\/li>
泄露会导致用户密码及所有相关数据受损<\/li>
<\/ul>
<\/li>

OAuth2解决方案：<\/p>

引入授权层分离客户端和资源所有者角色<\/li>
使用访问令牌而非资源所有者凭证<\/li>
<\/ul>
<\/li>

OAuth2数据流程：<\/p>

用户授权客户端<\/li>
客户端获取授权码<\/li>
客户端使用授权码获取访问令牌<\/li>
客户端使用令牌访问资源<\/li>
<\/ul>
<\/li>
<\/ol>
GitHub OAuth Web流程<\/h3>

用户被重定向请求GitHub身份验证<\/li>
用户被GitHub重定向回站点<\/li>
应用使用访问令牌访问API<\/li>
<\/ol>
漏洞核心<\/h3>
在password.rb<\/code>中定义了默认密码123qweQWE!@#000000000<\/code>，当使用第三方登录时，系统会自动创建与GitHub同名的账户并设置此硬编码密码。<\/p>
漏洞复现步骤<\/h2>


访问GitLab登录页面(http:\/\/127.0.0.1:8080<\/code>)，选择GitHub登录方式<\/p>
<\/li>

GitLab会向http:\/\/127.0.0.1:8080\/users\/auth\/github<\/code>发起POST请求<\/p>
<\/li>

重定向到GitHub授权页面(https:\/\/github.com\/login\/oauth\/authorize<\/code>)，携带参数：<\/p>

client_id<\/code>：GitLab配置中的app_id<\/li>
redirect_uri<\/code>：授权后重定向地址<\/li>
response_type<\/code>：固定为"code"<\/li>
scope<\/code>：user:email<\/code><\/li>
state<\/code>：随机字符串(防CSRF)<\/li>
<\/ul>
<\/li>

处理redirect_uri不匹配问题：<\/p>

默认GitLab生成的redirect_uri为http:\/\/gitlab\/users\/auth\/github\/callback<\/code><\/li>
需要将GitHub OAuth App的Callback URL修改为此值<\/li>
<\/ul>
<\/li>

授权后跳转到http:\/\/gitlab\/users\/auth\/github\/callback?code=xxxx&state=xxxx<\/code>，但会出现502错误<\/p>
<\/li>

手动修改URL为http:\/\/127.0.0.1:8080\/users\/auth\/github\/callback?code=xxxx&state=xxxx<\/code><\/p>
<\/li>

此时会出现账户待批准提示："您的帐户正在等待您的GitLab管理员的批准"<\/p>
<\/li>

使用root账户登录GitLab，激活新创建的用户<\/p>
<\/li>

测试使用硬编码密码123qweQWE!@#000000000<\/code>登录新账户<\/p>
<\/li>
<\/ol>
修复建议<\/h2>


升级到安全版本：<\/p>

14.7.7及以上<\/li>
14.8.5及以上<\/li>
14.9.2及以上<\/li>
<\/ul>
<\/li>

升级前确保做好数据备份<\/p>
<\/li>
<\/ol>
参考资源<\/h2>

GitLab 14.9.2安全发布公告<\/a><\/li>
GitHub OAuth应用授权文档<\/a><\/li>
RFC6749 OAuth2规范<\/a><\/li>
<\/ul>

GitLab CVE-2022-1162 硬编码漏洞分析与复现指南<\/h1>

漏洞概述<\/h2>

环境搭建<\/h2>

漏洞原理分析<\/h2>

漏洞核心<\/h3> 在password.rb<\/code>中定义了默认密码123qweQWE!@#000000000<\/code>，当使用第三方登录时，系统会自动创建与GitHub同名的账户并设置此硬编码密码。<\/p>

参考资源<\/h2> GitLab 14.9.2安全发布公告<\/a><\/li> GitHub OAuth应用授权文档<\/a><\/li> RFC6749 OAuth2规范<\/a><\/li> <\/ul>

漏洞核心<\/h3>
在`password.rb<\/code>中定义了默认密码123qweQWE!@#000000000<\/code>，当使用第三方登录时，系统会自动创建与GitHub同名的账户并设置此硬编码密码。<\/p>`

参考资源<\/h2>

GitLab 14.9.2安全发布公告<\/a><\/li>
GitHub OAuth应用授权文档<\/a><\/li>
RFC6749 OAuth2规范<\/a><\/li> <\/ul>