Gitblit Embedded SSH Auth Bypass (CVE-2024-28080)

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

Summary

CVE-2024-28080 是 Gitblit 嵌入式 SSH 服务中的一个认证绕过漏洞,原因是在与 Apache MINA SSHD 集成时会话状态处理不正确。如果一个用户账户至少注册了一个 SSH 公钥,攻击者只要知道该用户名和任意一个该用户的公钥,就可以在不拥有私钥且不输入密码的情况下完成认证。

  • Affected: Gitblit < 1.10.0 (observed on 1.9.3)
  • Fixed: 1.10.0
  • Requirements to exploit:
  • Git over SSH enabled on the instance
  • 受害账号在 Gitblit 中至少注册了一个 SSH 公钥
  • 攻击者知道受害者用户名和他们的某个公钥(通常可发现,例如 https://github.com/.keys)

Root cause (state leaks between SSH methods)

在 RFC 4252 中,public‑key authentication 分为两个阶段:服务器先检查提供的公钥是否对某个用户名可接受,只有在挑战/响应带有签名之后才真正认证该用户。在 MINA SSHD 中,PublickeyAuthenticator 会被调用两次:在 key acceptance(尚无签名)时以及在客户端返回签名之后。

Gitblit 的 PublickeyAuthenticator 在第一次(签名前)的调用中会修改会话上下文,通过将已认证的 UserModel 绑定到会话并返回 true(“key acceptable”)。当认证之后回退到密码时,PasswordAuthenticator 信任该被修改的会话状态并短路,返回 true 而不验证密码。因此,在先前对同一用户发生过 public‑key “acceptance” 后,任何密码(包括空密码)都会被接受。

High‑level flawed flow:

  1. 客户端提供 username + public key(尚无签名)
  2. 服务器识别该 key 属于该用户并过早地将用户附加到会话,返回 true(“acceptable”)
  3. 客户端无法签名(无私钥),于是认证回退到密码
  4. Password auth 看到会话中已有用户并无条件返回成功

Step‑by‑step exploitation

  • 收集受害者的用户名和他们的某个公钥:
  • GitHub 在 https://github.com/.keys 暴露公钥
  • 公共服务器通常会暴露 authorized_keys
  • 配置 OpenSSH 仅呈现公钥部分以使签名生成失败,强制回退到密码,同时仍触发服务器上的 public‑key acceptance 路径。

Example SSH client config (no private key available):

# ~/.ssh/config
Host gitblit-target
HostName <host-or-ip>
User <victim-username>
PubkeyAuthentication yes
PreferredAuthentications publickey,password
IdentitiesOnly yes
IdentityFile ~/.ssh/victim.pub   # public half only (no private key present)

连接并在密码提示时按 Enter(或输入任意字符串):

ssh gitblit-target
# or Git over SSH
GIT_SSH_COMMAND="ssh -F ~/.ssh/config" git ls-remote ssh://<victim-username>@<host>/<repo.git>

Authentication succeeds because the earlier public‑key phase mutated the session to an authenticated user, and password auth incorrectly trusts that state.

Note: If ControlMaster multiplexing is enabled in your SSH config, subsequent Git commands may reuse the authenticated connection, increasing impact.

Impact

  • 完全冒充任何至少注册了一个 SSH public‑key 的 Gitblit 用户
  • 根据受害者权限对仓库的读/写访问(可能导致 source exfiltration、未经授权的 pushes、supply‑chain 风险)
  • 如果针对管理员用户,可能产生管理权限影响
  • 纯网络漏洞利用;无需暴力破解或私钥

Detection ideas

  • 检查 SSH 日志,查找序列:publickey 尝试之后,紧接着以空或非常短的 password 成功通过认证
  • 查找流程:publickey method 提供不受支持/不匹配的 key material,随后针对同一用户名立即出现 password 成功

Mitigations

  • 升级到 Gitblit v1.10.0+
  • 在升级之前:
  • 禁用 Gitblit 上的 Git over SSH,或
  • 限制对 SSH 服务的网络访问,并
  • 监控上述所述的可疑模式
  • 如果怀疑被入侵,请轮换受影响用户的凭证

General: abusing SSH auth method state‑leakage (MINA/OpenSSH‑based services)

Pattern: If a server’s public‑key authenticator mutates user/session state during the pre‑signature “key acceptable” phase and other authenticators (e.g., password) trust that state, you can bypass authentication by:

  • Presenting a legitimate public key for the target user (no private key)
  • Forcing the client to fail signing so the server falls back to password
  • Supplying any password while the password authenticator short‑circuits on leaked state

Practical tips:

  • Public key harvesting at scale: pull public keys from common sources such as https://github.com/.keys, organizational directories, team pages, leaked authorized_keys
  • Forcing signature failure (client‑side): point IdentityFile to only the .pub, set IdentitiesOnly yes, keep PreferredAuthentications to include publickey then password
  • MINA SSHD integration pitfalls:
  • PublickeyAuthenticator.authenticate(…) must not attach user/session state until the post‑signature verification path confirms the signature
  • PasswordAuthenticator.authenticate(…) must not infer success from any state mutated during a prior, incomplete authentication method

Related protocol/design notes and literature:

  • SSH userauth protocol: RFC 4252 (publickey method is a two‑stage process)
  • Historical discussions on early acceptance oracles and auth races, e.g., CVE‑2016‑20012 disputes around OpenSSH behavior

References

Tip

学习并练习 AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
学习并练习 GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
学习并练习 Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks