There is a proxy in your Atlassian Product! (CVE-2017-9506)

You might not know it but the Atlassian OAuth plugin is part of most Atlassian products such as Jira and Confluence. Until recently it had a vulnerability that allowed the unauthenticated execution of HTTP GET requests from the server. You can do all kinds of interesting things with it, like accessing resources on the internal network or spoofing pages with a valid TLS connection. 

In this blog post I will describe the vulnerability, explain how it works, how to test for it and why it is a Bad Thing (TM).

The vulnerability

As part of my research for Atlasscan I sometimes browse the Atlassian JIRA in search of security-related issues and see if I can test for them. Last weekend I stumbled upon OAuth-344, which is the vulnerability we're talking about. It sounded interesting so I decided to have a look.

It is nice that the Atlassian OAuth plugin is open source, so you can examine the commits that fixed the issue. There was an IconUriServlet that accepted a GET request, took the value of the consumerUri parameter and used it to build another HTTP GET request, this time executed from the server. The body of that second response was then streamed back as the response to the original request. That is proxy functionality alright!

Knowing that the functionality exists is one thing, but you also need to know which URL to call. Part of it can be derived from the source code, the rest from the documentation.

How to Test for the vulnerability

So in order to test whether the vulnerability is present you need to form a URL like so:


https://%basepath%/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl


If you execute this request in a browser (replacing %basepath% with the base path of your Atlassian product :-) and are greeted with a Google page, you now know which URL to block :-) If, however, you get a 404, all is well, because the servlet no longer exists in newer versions of the plugin.
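The same check as a small script, so it can be run against your own instances instead of pasted into a browser. This is an added example, not code from the original post or from Atlassian; the base URL `https://jira.example.test` used in the comments is an assumed placeholder. It requests the icon-uri servlet path with the harmless consumerUri from the post and turns the answer into a verdict: 404 means the servlet is gone, a 200 with a body means the server fetched the target and relayed it. The fetcher is injectable so the classification can be exercised offline.

```python
"""Check whether an Atlassian instance still exposes the IconUriServlet.

Added example, not code from the original post. Assumed base URL for the
examples below: https://jira.example.test.
"""
import urllib.error
import urllib.parse
import urllib.request

SERVLET_PATH = "/plugins/servlet/oauth/users/icon-uri"
PROBE_TARGET = "https://www.google.nl"  # benign target, as in the post


def build_check_url(base_url: str, consumer_uri: str = PROBE_TARGET) -> str:
    """Build the probe URL from the product base URL (scheme and host)."""
    query = urllib.parse.urlencode({"consumerUri": consumer_uri})
    return base_url.rstrip("/") + SERVLET_PATH + "?" + query


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status/body pair from the servlet path to a verdict."""
    if status == 404:
        return "fixed"          # servlet removed in patched plugin versions
    if status == 200 and body:
        return "vulnerable"     # the server fetched consumerUri and relayed it
    return "unknown"            # e.g. 401/403/5xx: look at it manually


def urllib_fetch(url: str, timeout: float = 10.0):
    """Real fetcher using the standard library; returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "icon-uri-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def check_instance(base_url: str, fetch=urllib_fetch) -> dict:
    """Probe one instance; `fetch` can be swapped for a stub in tests."""
    url = build_check_url(base_url)
    status, body = fetch(url)
    return {"url": url, "status": status, "verdict": classify(status, body)}


if __name__ == "__main__":
    import sys
    result = check_instance(sys.argv[1])
    print(f"{result['url']} -> HTTP {result['status']}: {result['verdict']}")
```

Run it as `python check.py https://jira.example.test`; anything other than "fixed" on an internet-facing instance means the URL should be blocked at the reverse proxy or the product upgraded, as the post recommends.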

Why is this a Bad Thing (TM)?

Well first of all, because the server executes an HTTP request with a URL of your choice and returns the results, you can access any resource the server has access to.

Often the server resides on an internal network, and if you know or guess the name of any HTTP resource on that network you can access it. For example, a vulnerable Jira server is accessible from the internet, but an internal Confluence is only available on the internal network. You could access it with a URL like this:


https://jira.company.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://confluence.company.com/


Secondly, you can use this feature to phish for credentials by accessing a spoofed login page through this URL. The TLS lock is green and the domain name checks out, but you may be looking at content from a whole different domain. You can also use this to serve untrustworthy content from a trusted domain (think ads and worse).
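For administrators who want to know whether the servlet has been driven from the outside, here is a log scan for the internal-network and spoofed-content cases just described. This is an added example, not part of the original post; the access log lines are constructed (combined log format as written by Apache or nginx), and the hostnames and addresses in them are made up. Every hit on the icon-uri path is reported, since nothing legitimate should call that servlet from the internet; a consumerUri whose host is a literal non-public IP address is marked high severity, a 404 is recorded as an attempt against an instance that no longer has the servlet.

```python
"""Flag icon-uri proxy requests in web server access logs.

Added example, not code from the original post. Sample log lines below
are constructed, not real traffic.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

SERVLET_PATH = "/plugins/servlet/oauth/users/icon-uri"

# Combined log format: client ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2017:10:01:02 +0200] "GET /browse/PROJ-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2017:10:01:09 +0200] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fwww.google.nl HTTP/1.1" 200 9021 "-" "curl/7.52"
198.51.100.9 - - [10/Jun/2017:10:02:30 +0200] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F10.0.0.5%3A8090%2F HTTP/1.1" 200 3310 "-" "curl/7.52"
198.51.100.9 - - [10/Jun/2017:10:02:41 +0200] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2Fconfluence.internal%2F HTTP/1.1" 200 3310 "-" "curl/7.52"
203.0.113.7 - - [10/Jun/2017:10:03:00 +0200] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fwww.google.nl HTTP/1.1" 404 412 "-" "curl/7.52"
"""


def target_severity(consumer_uri: str) -> str:
    """High if consumerUri points at a literal non-public IP (RFC 1918,
    loopback and similar ranges); otherwise medium, because a hostname
    cannot be judged without resolving it in your own environment."""
    host = urlsplit(consumer_uri).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "medium"
    return "high" if ip.is_private else "medium"


def scan_log(text: str) -> list:
    """Return one finding per request that hit the IconUriServlet path."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != SERVLET_PATH:
            continue
        target = parse_qs(parts.query).get("consumerUri", [""])[0]
        status = int(m.group("status"))
        findings.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "status": status,
            "target": target,
            # 404: the servlet is absent, so nothing was proxied; still an attempt
            "severity": "info" if status == 404 else target_severity(target),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:15} {f['time']} -> {f['target']}")
```

Point `scan_log` at your real access log (for example `scan_log(open(path).read())`) and treat any "high" finding on an instance that returned 200 as a sign the internal network was reached through the proxy.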

Conclusion

I think this vulnerability has not received the attention it deserves. The administrators I have talked to so far were unaware of it. This kind of makes sense, because it never featured on the Atlassian security page and CVE-2017-9506 listed only the OAuth component, not the products.

So, if you find your Atlassian product vulnerable, please inform your administrator and ask them to block the URL or upgrade to a later version of your product.

According to the Atlassian Jira issue the following versions are vulnerable:
  • Bamboo < 6.0.0
  • Confluence < 6.1.3
  • Jira < 7.3.5
  • Bitbucket < 4.14.4
  • Crowd < 2.11.2
  • Crucible & Fisheye < 4.3.2
