Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)

2020-07-16T00:00:00
ID CROWD_CVE-2019-11580.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-07-16T00:00:00

Description

The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability. An unauthenticated, remote attacker can exploit this by using the pdkinstall development plugin to install arbitrary plugins, which permits remote code execution.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Registration branch: taken only when `description` is true. It declares the
# plugin's metadata and ends with exit(0), so the network check further down in
# this file is never reached from here.
if (description)
{
  script_id(138553);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/30");

  # Identifiers the finding is reported under (CVE, Bugtraq ID, IAVA notice).
  script_cve_id("CVE-2019-11580");
  script_bugtraq_id(108637);
  script_xref(name:"IAVA", value:"2020-A-0499");

  script_name(english:"Atlassian Crowd 2.1.x < 3.0.5 / 3.1.x < 3.1.6 / 3.2.x < 3.2.8 / 3.3.x < 3.3.5 / 3.4.x < 3.4.4 RCE (direct check)");

  # Report text shown to the operator: short synopsis, full description,
  # references and the fixed versions to upgrade to.
  script_set_attribute(attribute:"synopsis", value:
"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Atlassian Crowd installed on the remote host is affected by a remote code execution (RCE) vulnerability.
An unauthenticated, remote attacker can exploit this, by using pdkinstall development plugin, to install arbitrary
plugins, which permits remote code execution.");
  # The first see_also value is a shortened link; the URL in the next comment is
  # presumably its target (the vendor advisory) - verify before relying on it.
  # https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f66fbb1c");
  script_set_attribute(attribute:"see_also", value:"https://www.corben.io/atlassian-crowd-rce/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 3.0.5, 3.1.6, 3.2.8, 3.3.5, 3.4.4 or later.");
  # Scoring. Both base vectors describe a network-reachable flaw with low attack
  # complexity that needs no authentication (CVSS2 Au:N) / no privileges and no
  # user interaction (CVSS3 PR:N/UI:N). The temporal vectors record high exploit
  # maturity (E:H) and an official fix (RL:OF / RL:O).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11580");

  # Exploitability flags: every one is set to "true", i.e. the plugin records
  # that exploits are available, including in an exploit framework, and that
  # malware has used the flaw. Treat a positive result as a patch-now finding.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  # Disclosure and patch share the same date (2019/05/22); this plugin was
  # published later (2020/07/16).
  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:crowd");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_ATTACK: this is an active check. The code after this block sends a POST
  # to the target rather than comparing a version string.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the "www/crowd" key is required, presumably set by
  # crowd_detect.nasl when it finds a Crowd install - confirm in that plugin.
  # Port 8095 matches the default passed to get_http_port() in the check.
  script_dependencies("crowd_detect.nasl");
  script_require_keys("www/crowd");
  script_require_ports("Services/www", 8095);

  # Metadata only: stop here before any traffic is generated.
  exit(0);
}

include('http.inc');
include('install_func.inc');

# app_id is the name the install is looked up under; appname is the
# human-readable name used in the audit message.
app_id  = 'crowd';
appname = 'Atlassian Crowd';

# Stop unless at least one Crowd install is recorded for this target.
get_install_count(app_name:app_id, exit_if_zero:TRUE);

port = get_http_port(default:8095);
install = get_single_install(app_name:app_id, webapp:TRUE, port:port);

dir = install['path'];

# Probe the plugin upload action with a POST that carries no body, so the
# request itself uploads nothing; only the way the endpoint answers is examined.
# exit_on_fail makes the script stop if no response is obtained.
resp = http_send_recv3(
  method       : 'POST',
  port         : port,
  item         : dir + '/admin/uploadplugin.action',
  exit_on_fail : TRUE
);

# resp[0] is matched for the status code and resp[2] for the error text.
# A 400 together with one of these two messages is what the plugin treats as
# proof that the upload handler answered the request.
# NOTE(review): no credentials are passed in this call, so a match is read as
# unauthenticated reachability - confirm http_send_recv3 adds none implicitly.
status_is_400   = ('400' >< resp[0]);
install_refused = ('Unable to install plugin' >< resp[2]);
not_validated   = ('All plugins could not be validated' >< resp[2]);

if (!(status_is_400 && (install_refused || not_validated)))
{
  # NOTE(review): a target where this path is filtered upstream (reverse proxy,
  # WAF) would presumably land here even if Crowd itself is unpatched; confirm
  # the installed version separately before closing the finding.
  audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(qs:dir, port:port));
}
else
{
  # Report with the exact request sent and the status line plus body received,
  # so the finding can be verified from the scan output.
  security_report_v4(
    port     : port,
    severity : SECURITY_HOLE,
    generic  : TRUE,
    request  : make_list(http_last_sent_request()),
    output   : resp[0] + resp[2]
  );
}