
@syedazeez337

PR Information

/claim #14451

Template validation

  • Template validated with nuclei -validate
  • YAML linting passed
  • Verified against project contribution guidelines

Additional Details

Detection Approach:

  • Targets /setup/unlock endpoint on GitHub Enterprise Management Console
  • Checks for presence of _gh_manage cookie (indicates exploitable configuration)
  • Extracts cookie value for further analysis

Why Detection-Only:
Previous PRs (#14452, #14454) attempted exploitation (timing-based and OAST) but were closed. This template focuses on reliable detection of the vulnerable configuration:

  1. Presence of hardcoded session secret (641dd6454584ddabfed6342cc66281fb)
  2. Cookie format: [base64_data]--[sha1_hmac]
  3. Vulnerable to unauthenticated RCE via Ruby Marshal.load

Note on Exploitation:
Full exploitation requires crafting Ruby Marshal payloads with the known secret. The complex serialization structure and Ruby version dependencies make reliable nuclei-based exploitation challenging. The detection approach provides practical value for identifying vulnerable targets.

Shodan Query: http.title:"github debug"

Additional References:

@Akokonunes
Contributor

Akokonunes commented Jan 2, 2026

Hi @syedazeez337

This template performs product detection, not vulnerability detection - the /setup/unlock endpoint and _gh_manage cookie exist on both vulnerable and patched instances. You need to implement actual exploitation verifying the hardcoded secret (641dd6454584ddabfed6342cc66281fb) or demonstrate detection that distinguishes vulnerable from patched versions.

Send proof of validation against both vulnerable (< 2.8.7) and patched (>= 2.8.7) instances to [email protected]. Without this, the PR will be closed per bounty requirements. Thanks for participating @syedazeez337!

- Targets /setup/unlock endpoint on GitHub Enterprise Management Console
- Extracts _gh_manage cookie for HMAC verification
- Detects hardcoded session secret (641dd6454584ddabfed6342cc66281fb)
- Distinguishes vulnerable (< 2.8.7) from patched (>= 2.8.7) instances
- CVSS 9.8, CWE-502, KEV listed vulnerability

Detection Methodology:
1. Extract _gh_manage cookie from /setup/unlock endpoint
2. Parse cookie format: [base64_data]--[sha1_hmac]
3. Compute HMAC-SHA1(base64_data, hardcoded_secret)
4. Compare computed HMAC with cookie HMAC
5. VULNERABLE: If HMACs match (uses hardcoded secret)
6. SAFE: If HMACs don't match (uses random secret)

Added per contribution guidelines:
- Impact and remediation sections
- EPSS score (0.95421) and percentile (0.99765)
- CPE string for GitHub Enterprise Server
- Vendor (github) and product (enterprise_server) in metadata
- Fofa-query in metadata
- Max-request (2)
- Vkev and vuln tags

References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-18365
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/github_enterprise_secret.rb
- https://enterprise.github.com/releases/2.8.7/notes

Signed-off-by: Azeez Syed <[email protected]>
Signed-off-by: aze <[email protected]>
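The HMAC check described in the "Detection Methodology" list above (and the cookie extraction in the original "Detection Approach") is easy to get subtly wrong, so here is a stand-alone Python version of the secret-verification step. This is an added illustration, not code from this PR or from the nuclei project: it assumes, as in Rails' MessageVerifier convention, that the SHA1 HMAC is computed over the base64 text itself (not the decoded bytes) with the secret as the key, that the Set-Cookie value may be percent-encoded (`=` arriving as `%3D`), and it builds its own constructed sample cookies because no captured cookie from a real instance appears on the page. `build_signed_cookie` exists only to produce those fixtures.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Hardcoded session secret named on this page (CVE-2017-18365, GHE Management Console < 2.8.7).
HARDCODED_SECRET = "641dd6454584ddabfed6342cc66281fb"


def split_cookie(raw_cookie: str) -> tuple[str, str]:
    """Split a raw _gh_manage value into (base64_data, sha1_hmac).

    The Set-Cookie value may be percent-encoded, so decode it first. The
    separator is the last "--"; base64 and hex digests never contain "-".
    """
    value = unquote(raw_cookie.strip())
    data, sep, sig = value.rpartition("--")
    if not sep or not data or len(sig) != 40:
        raise ValueError("cookie does not match [base64_data]--[sha1_hmac]")
    return data, sig.lower()


def expected_hmac(base64_data: str, secret: str) -> str:
    """HMAC-SHA1 hex digest of the base64 text, keyed with `secret`."""
    return hmac.new(secret.encode(), base64_data.encode(), hashlib.sha1).hexdigest()


def uses_hardcoded_secret(raw_cookie: str, secret: str = HARDCODED_SECRET) -> bool:
    """True if the cookie's signature was produced with the well-known secret.

    A malformed cookie is treated as "not verified" rather than as an error,
    so a scanner does not misreport a patched or unrelated host as vulnerable.
    """
    try:
        data, sig = split_cookie(raw_cookie)
    except ValueError:
        return False
    # Constant-time comparison; the computed digest is hex and lowercase already.
    return hmac.compare_digest(expected_hmac(data, secret), sig)


def classify(raw_cookie: str) -> str:
    """Map the check onto the page's two outcomes."""
    return "VULNERABLE" if uses_hardcoded_secret(raw_cookie) else "SAFE"


def build_signed_cookie(payload: bytes, secret: str) -> str:
    """Fixture builder (constructed, for the examples below): sign `payload`
    with `secret` in the [base64_data]--[sha1_hmac] layout used by the page."""
    data = base64.b64encode(payload).decode()
    return f"{data}--{expected_hmac(data, secret)}"


if __name__ == "__main__":
    # Constructed sample cookies: one signed with the hardcoded secret, one with
    # a per-install random secret as a patched instance would use.
    vulnerable = build_signed_cookie(b"constructed-session-blob", HARDCODED_SECRET)
    patched = build_signed_cookie(b"constructed-session-blob", "random-per-install-secret")
    encoded = vulnerable.replace("=", "%3D")  # how the value may appear in Set-Cookie
    for label, cookie in [("hardcoded", vulnerable), ("random", patched), ("url-encoded", encoded)]:
        print(f"{label:12s} -> {classify(cookie)}")
```

The separate `split_cookie` step is what a nuclei template cannot easily express on its own: without the percent-decoding and the `--` split, a regex that only extracts the cookie (as the reviewer notes) never actually verifies anything. Running the block prints `VULNERABLE` for the two fixtures signed with the hardcoded secret and `SAFE` for the one signed with a random secret.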
@syedazeez337
Author

Hi @Akokonunes
I have updated the PR with the new template and also sent an email. Let me know if there is anything else to do.

@Akokonunes
Contributor

Hi @syedazeez337

Thanks for your detailed email. However, per the details sent to us, the template still only extracts cookie components without performing actual HMAC verification in nuclei. Most critically, you confirmed having no access to real GitHub Enterprise instances for validation. The bounty requires validation against actual vulnerable and patched targets sent to [email protected]. The PR will be closed. Thanks for your participation in the bounty program!

@Akokonunes Akokonunes closed this Jan 4, 2026
@Akokonunes Akokonunes added Done Ready to merge and removed waiting for more info labels Jan 4, 2026