See how I discovered the GitHub Enterprise Edition SQL injection vulnerability and got a $5,000 bounty. GitHub Enterprise Edition is the commercial version of GitHub, designed for companies to deploy development services on-premise. It is distributed as a virtual machine (VM) image in the standard OVF format; a 45-day trial can be downloaded from the enterprise.github.com web site and deployed in any virtualization environment. After spending a week analyzing the downloaded software, I found an SQL injection vulnerability and received a $5,000 bounty.
After installing the GitHub Enterprise VM, the environment looks like this:
Now that GitHub is set up, it's time for an in-depth analysis inside the virtual machine.
Environmental Security Analysis
Nmap found there are six open ports:
$ nmap -sT -vv -p 1-65535 192.168.187.145
...
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   closed smtp
80/tcp   open   http
122/tcp  open   smakynet
443/tcp  open   https
8080/tcp closed http-proxy
8443/tcp open   https-alt
9418/tcp open   git
A preliminary analysis of what these ports are used for:
Ports 22/tcp and 9418/tcp appear to be forwarded by the haproxy process to the backend babeld service;
Ports 80/tcp and 443/tcp serve GitHub's main web application;
Port 122/tcp is the SSH service;
Port 8443/tcp is GitHub's management console.
Because GitHub's management console requires a password to log in, you can set a password there and then connect to the VM through the SSH service on port 122. Once inside the system over SSH, a look at the system layout shows that almost all of the GitHub service code lives under the /data/ directory:
# ls -al /data/
total 92
drwxr-xr-x 23 root              root              4096 Nov 29 12:54 .
drwxr-xr-x 27 root              root              4096 Dec 28 19:18 ..
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 alambic
drwxr-xr-x  4 babeld            babeld            4096 Nov 29 12:53 babeld
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 codeload
drwxr-xr-x  2 root              root              4096 Nov 29 12:54 db
drwxr-xr-x  2 root              root              4096 Nov 29 12:52 enterprise
drwxr-xr-x  4 enterprise-manage enterprise-manage 4096 Nov 29 12:53 enterprise-manage
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 failbotd
drwxr-xr-x  3 root              root              4096 Nov 29 12:54 git-hooks
drwxr-xr-x  4 git               git               4096 Nov 29 12:53 github
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 git-import
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 gitmon
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 gpgverify
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 hookshot
drwxr-xr-x  4 root              root              4096 Nov 29 12:54 lariat
drwxr-xr-x  4 root              root              4096 Nov 29 12:54 longpoll
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 mail-replies
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 pages
drwxr-xr-x  4 root              root              4096 Nov 29 12:54 pages-lua
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 render
lrwxrwxrwx  1 root              root                23 Nov 29 12:52 repositories -> /data/user/repositories
drwxr-xr-x  4 git               git               4096 Nov 29 12:54 slumlord
drwxr-xr-x 20 root              root              4096 Dec 28 19:22 user
Viewing a source file, it looks like base64-encoded data:
GitHub uses a custom library to encrypt and obfuscate its source code. Searching Google for ruby_concealer.so shows that someone has already analyzed this obfuscation: it can be broken simply by replacing the call to rb_f_eval inside ruby_concealer.so with rb_f_puts. But let's take a hands-on look anyway and open it in IDA Pro:
It can be seen that the code uses Zlib::Inflate::inflate to decompress the data and XORs the result with a plaintext KEY. Amusingly, that plaintext KEY turns out to be:
"This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken."
Well, that leaves one speechless...
With this, we can write the decryption script ourselves:
require 'zlib'

# The XOR key recovered from ruby_concealer.so; a constant so that decrypt() can see it.
KEY = "This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken."

# Inflate the blob, then XOR each byte with the repeating key.
def decrypt(s)
  i, plaintext = 0, ''
  Zlib::Inflate.inflate(s).each_byte do |c|
    plaintext << (c ^ KEY[i % KEY.length].ord).chr
    i += 1
  end
  plaintext
end

# Swap the obfuscator call for our decrypt, so eval'ing the file yields the source.
content = File.open(ARGV[0], "r").read
content.sub! %Q(require "ruby_concealer.so"\n__ruby_concealer__), "decrypt"
plaintext = eval content

puts plaintext
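As an added example (not the page's script and not GitHub's ruby_concealer.so), here is the same XOR-then-zlib scheme implemented in both directions, so the decrypt routine can be checked against a constructed file. The wrapper layout and the String#undump parsing that avoids eval-ing the file are assumptions of this example.

```ruby
require 'zlib'

# Constructed example of the scheme the page describes (XOR with a repeating
# plaintext key, then zlib). It is not the ruby_concealer.so library itself;
# the conceal side exists only so the reveal side can be checked offline.
KEY = "This obfuscation is intended to discourage GitHub Enterprise customers " \
      "from making modifications to the VM. We know this 'encryption' is easily broken."

# XOR each byte with the key byte at the same position modulo the key length.
# XOR is its own inverse, so one routine serves both directions.
def xor_with_key(bytes)
  bytes.each_byte.with_index.map { |c, i| c ^ KEY.getbyte(i % KEY.bytesize) }.pack('C*')
end

# Obfuscate: XOR first, then deflate.
def conceal(source)
  Zlib::Deflate.deflate(xor_with_key(source))
end

# Deobfuscate: inflate, then XOR. Same steps as the page's decrypt().
def reveal(blob)
  xor_with_key(Zlib::Inflate.inflate(blob))
end

# Lay the blob out the way an obfuscated GHE source file looks (assumed layout):
# a require of the native extension, then a call with the blob as an escaped literal.
def wrap_file(blob)
  %Q(require "ruby_concealer.so"\n__ruby_concealer__ #{blob.dump}\n)
end

# Recover the source from a wrapped file without eval: take the literal after
# the marker and parse it with String#undump (the inverse of dump, Ruby >= 2.5).
def unwrap_file(content)
  marker = %Q(require "ruby_concealer.so"\n__ruby_concealer__ )
  raise ArgumentError, 'not a ruby_concealer file' unless content.start_with?(marker)
  reveal(content[marker.length..-1].strip.undump)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample source; the real files are full Ruby classes from /data/github.
  sample = "class Secret\n  def hello\n    'from github enterprise'\n  end\nend\n"
  puts unwrap_file(wrap_file(conceal(sample)))
end
```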
Code analysis
With the source code decrypted, let's start auditing it:
$ cloc /data/
   81267 text files.
   47503 unique files.
   24550 files ignored.

http://cloc.sourceforge.net v 1.60  T=348.06 s (103.5 files/s, 15548.9 lines/s)
--------------------------------------------------------------------------------
Language                      files          blank        comment           code
--------------------------------------------------------------------------------
Ruby                          25854         359545         437125        1838503
Javascript                     4351         109994         105296         881416
YAML                            600           1349           3214         289039
Python                         1108          44862          64025         180400
XML                             121           6492           3223         125556
C                               444          30903          23966         123938
Bourne Shell                    852          14490          16417          87477
HTML                            636          24760           2001          82526
C++                             184           8370           8890          79139
C/C++ Header                    428          11679          22773          72226
Java                            198           6665          14303          45187
CSS                             458           4641           3092          44813
Bourne Again Shell              142           6196           9006          35106
m4                               21           3259            369          29433
...

$ ./bin/rake about
About your application's environment
Ruby version              2.1.7 (x86_64-linux)
RubyGems version          2.2.5
Rack version              1.6.4
Rails version             3.2.22.4
JavaScript Runtime        Node.js (V8)
Active Record version     3.2.22.4
Action Pack version       3.2.22.4
Action Mailer version     3.2.22.4
Active Support version    3.2.22.4
Middleware                GitHub::DefaultRoleMiddleware, Rack::Runtime, Rack::MethodOverride, ActionDispatch::RequestId, Rails::Rack::Logger, ActionDispatch::ShowExceptions, ActionDispatch::DebugExceptions, ActionDispatch::Callbacks, ActiveRecord::ConnectionAdapters::ConnectionManagement, ActionDispatch::Cookies, ActionDispatch::Session::CookieStore, ActionDispatch::Flash, ActionDispatch::ParamsParser, ActionDispatch::Head, Rack::ConditionalGet, Rack::ETag, ActionDispatch::BestStandardsSupport
Application root          /data/github/9fcdcc8
Environment               production
Database adapter          githubmysql2
Database schema version   20161003225024
From the above we can see that most of the code is Ruby, and we can also find that: