Gogs RCE Bypass Actively Exploited

MITRE Techniques

• [T1190 ] Exploit Public-Facing Application – The attacker abused the Gogs PutContents API to write through a symlink and overwrite files outside the repository, enabling RCE. (‘…Using the PutContents API, they write data to the symlink. The system follows the link and overwrites the target file outside the repository.’)
• [T1078 ] Valid Accounts – Exploitation relies on repository creation permissions available by default (open registration), allowing attackers to create repos and commit symlinks. (‘…The exploitation process is trivial for any user with repository creation permissions (enabled by default): The attacker creates a standard git repository.’)
• [T1543 ] Create or Modify System Process – The attacker overwrote .git/config (specifically sshCommand) to force execution of arbitrary commands on the host. (‘…By overwriting .git/config (specifically the sshCommand), the attacker can force the system to execute arbitrary commands.’)
• [T1027 ] Obfuscated Files or Information – The malware payload used multiple obfuscation layers (UPX packing and garbling) with encrypted string literals to hinder static analysis. (‘…The payload had multiple layers of obfuscation designed to evade detection: The first a simple UPX packing…compiled with the garble tool…most string literals are encrypted on disk and only decrypted during run time…’)
• [T1071.001 ] Application Layer Protocol: Web Protocols – Supershell established a reverse SSH shell that communicates over web services, providing command-and-control over standard web channels. (‘…Supershell is an open-source Command and Control (C2) platform whose primary function is to establish a reverse SSH shell that communicates over web services.’)