AttackerKB AKB:B983621D-529B-4375-AA6C-0DB0FBBF9A94

Atlassian Crowd: pdkinstall development plugin incorrectly enabled (CVE-2019-11580)

Published: Feb 13, 2020 - 12:00 a.m.
Source: attackerkb.com

EPSS score: 0.974 (High), percentile 99.9%

Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.

Recent assessments:

wvu-r7 at July 15, 2019 5:39pm UTC reported:

Assessment

I think I would see this in the real world, exploitation is trivial, and attacking an SSO system could be valuable.

Additional analysis

> What would happen if I changed the Content-Type from multipart/form-data to a different multipart encoding? Let’s try it.
>
> This time I decided to try uploading my malicious plugin with the Content-Type of multipart/mixed instead. Maybe that would work?

They didn’t share how they got there, but it’s an easy find with source code.

wvu@kharak:~$ cd Downloads/
wvu@kharak:~/Downloads$ git clone https://bitbucket.org/atlassian/pdkinstall-plugin.git
Cloning into 'pdkinstall-plugin'...
remote: Counting objects: 210, done.
remote: Compressing objects: 100% (115/115), done.
remote: Total 210 (delta 88), reused 138 (delta 56)
Receiving objects: 100% (210/210), 26.20 KiB | 813.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.
wvu@kharak:~/Downloads$ cd pdkinstall-plugin/
wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep isMultipart
src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:        boolean isMultipart = ServletFileUpload.isMultipartContent(req);
src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:        if (isMultipart)
wvu@kharak:~/Downloads/pdkinstall-plugin:master$ git grep ServletFileUpload
src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:import org.apache.commons.fileupload.servlet.ServletFileUpload;
src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:        boolean isMultipart = ServletFileUpload.isMultipartContent(req);
src/main/java/com/atlassian/pdkinstall/PdkInstallFilter.java:        ServletFileUpload upload = new ServletFileUpload(factory);
wvu@kharak:~/Downloads/pdkinstall-plugin:master$

<https://commons.apache.org/proper/commons-fileupload/apidocs/org/apache/commons/fileupload/servlet/ServletFileUpload.html>

> This class handles multiple files per single HTML widget, sent using multipart/mixed encoding type, as specified by RFC 1867.
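The detection consequence of the quoted Javadoc is that `ServletFileUpload.isMultipartContent()` accepts any `multipart/*` subtype on a POST, so a WAF or log rule that only keys on `multipart/form-data` has a blind spot the upload filter does not. The following is an added example (not code from AttackerKB, Atlassian or commons-fileupload) that mirrors the documented decision of `isMultipartContent()` in Python, sets it beside an over-narrow form-data-only rule, and runs both over a constructed set of requests; the `/upload` path and all request values are made up for illustration.

```python
from typing import Iterable, List, Optional, Tuple

# Constructed sample requests (method, path, Content-Type); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/upload", "multipart/form-data; boundary=----abc"),
    ("POST", "/upload", "multipart/mixed; boundary=----abc"),
    ("POST", "/upload", "Multipart/Form-Data; boundary=----abc"),
    ("POST", "/upload", "multipart/related; boundary=----abc"),
    ("POST", "/upload", "application/x-www-form-urlencoded"),
    ("GET", "/upload", "multipart/mixed; boundary=----abc"),
    ("POST", "/upload", None),
]


def media_type(content_type: Optional[str]) -> str:
    """Strip parameters (boundary=..., charset=...) and lower-case the media type."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_multipart_content(method: str, content_type: Optional[str]) -> bool:
    """The decision ServletFileUpload.isMultipartContent() documents:
    the request must be a POST and its lower-cased Content-Type must start
    with "multipart/". Note that the subtype is never inspected."""
    if method.upper() != "POST" or not content_type:
        return False
    return content_type.lower().startswith("multipart/")


def naive_form_data_rule(method: str, content_type: Optional[str]) -> bool:
    """An over-narrow detection rule that only recognises multipart/form-data.
    Everything the upload handler parses but this rule ignores is a gap."""
    if method.upper() != "POST" or not content_type:
        return False
    return content_type.lower().startswith("multipart/form-data")


def find_blind_spots(
    requests: Iterable[Tuple[str, str, Optional[str]]]
) -> List[Tuple[str, str]]:
    """Return (path, media_type) for requests the upload filter would treat as
    multipart while the form-data-only rule stays silent."""
    return [
        (path, media_type(ctype))
        for method, path, ctype in requests
        if is_multipart_content(method, ctype) and not naive_form_data_rule(method, ctype)
    ]


if __name__ == "__main__":
    for path, mt in find_blind_spots(SAMPLE_REQUESTS):
        print(f"missed by form-data-only rule: POST {path} ({mt})")
```

The corrected rule is simply `is_multipart_content` itself: a detection or blocking rule for a plugin-upload endpoint has to match the same `multipart/` prefix, case-insensitively and ignoring parameters, that the parser matches. Matching one subtype guards one spelling of the request and leaves the handler reachable through every other.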

busterb at August 13, 2019 6:10pm UTC reported:

gwillcox-r7 at October 20, 2020 6:56pm UTC reported:

Assessed Attacker Value: 5