
Authenticated RCE via Argument Injection in Gogs (NOT FIXED)

Rapid7 Blog, 28/05/2026, 12:00

Summary

AI-Generated

Key Points:

  • A critical argument injection vulnerability (CWE-88) in Gogs lets any authenticated user achieve remote code execution: the head branch name of a pull request is passed unescaped to git during a rebase merge, so a branch named --exec=<command> is parsed by git as the rebase --exec option and the attached command is run.
  • The vulnerability affects all supported platforms (Linux, macOS, Windows). A successful exploit runs as the Gogs server process user and can lead to server compromise, credential theft, and unauthorized modification of repositories. No patch is available at this time.
  • Recommended mitigations: restrict user registration and repository creation, audit rebase merge settings, and monitor server logs for the indicators of compromise listed below.

Technical Details: The vulnerability is tracked as CVE-2024-39930. An attacker needs only an ordinary account, not admin privileges, and gains arbitrary command execution as the user the Gogs server process runs as. Exploitation can be fully automated with a Metasploit module.
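The injection mechanism and its fix, as an added example written for this page (it is not Gogs' code and not Rapid7's exploit): a user-controlled ref name appended directly after the git subcommand is consumed by git's option parser when it begins with a dash, so --exec=<command> in the branch slot becomes a rebase option. The hardened builder rejects option-like and otherwise malformed ref names and, as defence in depth, terminates option parsing with "--". The function names, the validation rules (a subset of git-check-ref-format rules) and the placeholder payload are all this example's own assumptions. No git process is spawned; the code only shows what argv git would receive.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// rebaseArgvVulnerable mirrors the unsafe pattern behind an argument
// injection: the user-controlled ref name is placed straight after the
// subcommand, so a name beginning with "-" is parsed by git as an option.
// (Illustrative reconstruction for this example, not Gogs' actual code.)
func rebaseArgvVulnerable(headBranch string) []string {
	return []string{"git", "rebase", headBranch}
}

// optionLike reports whether git's option parser would treat arg as an
// option rather than a positional argument: it starts with "-" and is not
// the single character "-".
func optionLike(arg string) bool {
	return len(arg) > 1 && arg[0] == '-'
}

// injectedOptions lists the arguments git would consume as options before
// the first "--" terminator. argv[0] is "git" and argv[1] the subcommand.
func injectedOptions(argv []string) []string {
	var opts []string
	for _, a := range argv[2:] {
		if a == "--" {
			break
		}
		if optionLike(a) {
			opts = append(opts, a)
		}
	}
	return opts
}

var errBadRef = errors.New("refusing option-like or malformed ref name")

// validateRefName applies the subset of git-check-ref-format(1) rules that
// matter here plus a hard rule against a leading dash. It is an assumed
// allow-list for this example, not a complete ref-name validator.
func validateRefName(name string) error {
	if name == "" || name[0] == '-' {
		return errBadRef
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return errBadRef
		}
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.Contains(name, "//") || strings.HasSuffix(name, ".lock") {
		return errBadRef
	}
	return nil
}

// rebaseArgvSafe validates the ref and then ends option parsing with "--",
// so nothing placed after it can be read as an option by git rebase.
func rebaseArgvSafe(headBranch string) ([]string, error) {
	if err := validateRefName(headBranch); err != nil {
		return nil, fmt.Errorf("branch %q: %w", headBranch, err)
	}
	return []string{"git", "rebase", "--", headBranch}, nil
}

func main() {
	// Constructed attacker-controlled branch name; the payload is a placeholder.
	evil := "--exec=id>/tmp/pwned"
	fmt.Println("vulnerable argv:        ", rebaseArgvVulnerable(evil))
	fmt.Println("parsed by git as options:", injectedOptions(rebaseArgvVulnerable(evil)))
	if _, err := rebaseArgvSafe(evil); err != nil {
		fmt.Println("hardened builder:", err)
	}
	argv, _ := rebaseArgvSafe("feature/login-fix")
	fmt.Println("hardened argv:          ", argv)
}
```

Two caveats on the "--" terminator: git rebase also accepts -x as the short form of --exec, so a name such as -xid is just as dangerous as --exec=id, which is why the validator rejects any leading dash rather than only "--"; and for git checkout the "--" token starts the pathspec list instead of ending options, so for the checkout step of a merge the name validation is the only control that actually helps.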

MITRE ATT&CK Techniques:

  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)

IOCs Mentioned:

  • Error log entries, written when the git checkout step of a rebase merge rejects the option-like branch name, matching the pattern: [E] ...merge: git checkout '--exec=<...>': exit status 128 - error: unknown option 'exec=<...>'
  • Branch names starting with --

This summary provides actionable intelligence regarding the Gogs vulnerability, emphasizing immediate mitigations to prevent exploitation.
