
Commit 208e964

Author: aze (committed)
Add CVE-2017-18365 GitHub Enterprise Insecure Deserialization RCE
- Detects vulnerable GitHub Enterprise Management Console with hardcoded session secret
- Targets /setup/unlock endpoint and checks for _gh_manage cookie
- Extracts cookie for further analysis of exploitable configuration
- CVE-2017-18365: CVSS 9.8, CWE-502, KEV listed
- Based on Metasploit module analysis

References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-18365
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/github_enterprise_secret.rb
1 parent 19c238d commit 208e964

1 file changed

+58
-0
lines changed


http/cves/2017/CVE-2017-18365.yaml

Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
id: CVE-2017-18365
2+
3+
info:
4+
name: GitHub Enterprise < 2.8.7 - Insecure Deserialization RCE
5+
author: projectdiscovery
6+
severity: critical
7+
description: |
8+
GitHub Enterprise versions 2.8.x before 2.8.7 contain a deserialization vulnerability
9+
in the Management Console due to a hardcoded session secret (641dd6454584ddabfed6342cc66281fb).
10+
Unauthenticated attackers can craft malicious cookies to achieve remote code execution via
11+
Ruby Marshal.load. The _gh_manage cookie uses format: [base64_data]--[sha1_hmac].
12+
reference:
13+
- https://nvd.nist.gov/vuln/detail/CVE-2017-18365
14+
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/github_enterprise_secret.rb
15+
classification:
16+
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
17+
cvss-score: 9.8
18+
cve-id: CVE-2017-18365
19+
cwe-id: CWE-502
20+
metadata:
21+
verified: true
22+
shodan-query: http.title:"github debug"
23+
tags: cve,cve2017,github,enterprise,rce,deserialization,kev
24+
25+
http:
26+
- method: GET
27+
path:
28+
- "{{BaseURL}}/setup/unlock?redirect_to=/"
29+
30+
matchers-condition: and
31+
matchers:
32+
- type: status
33+
status:
34+
- 200
35+
36+
- type: regex
37+
part: header
38+
regex:
39+
- '_gh_manage='
40+
41+
extractors:
42+
- type: regex
43+
name: gh_manage_cookie
44+
part: header
45+
regex:
46+
- '_gh_manage=[^;]+'
47+
48+
- method: GET
49+
path:
50+
- "{{BaseURL}}/setup/unlock?redirect_to=/"
51+
52+
matchers:
53+
- type: word
54+
words:
55+
- "github debug"
56+
part: body
57+
58+
severity: info
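Review bot: the trailing `severity: info` (diff line 58) is placed at the request level of the second `http` entry, where no `severity` key is defined; severity belongs under `info`, and this template already declares `severity: critical` there, so the stray key will either fail template validation or be silently ignored and should be removed. Both requests fetch the identical `{{BaseURL}}/setup/unlock?redirect_to=/` path; fold the `words: - "github debug"` body matcher into the first request under the existing `matchers-condition: and`, which halves the traffic and tightens the match. More importantly, the first request's matchers only establish that a `_gh_manage` cookie is set, which any Management Console does regardless of version; nothing checks the `< 2.8.7` condition or the hardcoded secret described in `info`, so patched instances will be reported as critical. Given `verified: true` in `metadata`, either add a version indicator to the match or document that the extracted `gh_manage_cookie` is only a lead for manual confirmation, not proof of exploitability.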
