Who owned your code: Attack surfaces against Git web servers used by thousands of developers

We, Tencent Security Xuanwu Lab, successfully carried out several remote attacks on the most popular git web servers in 2018.
In this presentation we share the full, in-depth details of that research and explain the inner workings of the techniques involved. Multiple 0-days in different git web servers are included.

We will also present an in-depth analysis of the attack surfaces in the most popular git web servers, including GitLab, GitHub Enterprise, Gogs and Gitea.
For instance, we exploited a vulnerability in the CI Runner to get into GitLab's intranet; we also found several remote code execution (RCE) and server-side request forgery (SSRF) vulnerabilities in Gogs and Gitea.

Finally, we will walk through two attack chains that achieve remote code execution on Gogs. To the best of our knowledge, this presentation is the first to demonstrate these new attack surfaces of git web servers.

Junyu Zhou

Tencent Security Xuanwu Lab

Security researcher at Tencent Security Xuanwu Lab and former CTF player with 0ops/A0E, focusing on vulnerability research and web application security.

Wenxu Wu

Tencent Security Xuanwu Lab

Wenxu Wu (@Ma7h1as) is a security researcher at Tencent Security Xuanwu Lab. He is passionate about web application and browser security, and has been credited with 10+ CVEs for vulnerabilities in Google Chrome and Mozilla Firefox since 2017. He is also a CTF player with L-Team / XDSEC.