There is a proxy in your Atlassian Product! (CVE-2017-9506)

You might not know it, but the Atlassian OAuth plugin is part of most Atlassian products, such as Jira and Confluence. Until recently it had a vulnerability that allowed unauthenticated execution of HTTP GET requests from the server (a server-side request forgery, SSRF). You can do all kinds of interesting things with it, like accessing resources on the internal network or spoofing pages behind a valid TLS connection.

In this blog post I will describe the vulnerability, explain how it works, how to test for it, and why it is a bad thing TM.

The vulnerability

As part of my research for Atlasscan I sometimes browse the Atlassian JIRA in search of security-related issues and see if I can test for them. Last weekend I stumbled upon OAuth-344, which is the vulnerability we're talking about. It sounded interesting, so I decided to have a look.

It is nice that the Atlassian OAuth plugin is open source, so you can examine the commits that fixed the issue. There was an IconUriServlet that accepted a GET request, took the value of the consumerUri parameter and used it to create another HTTP GET request, this time executed from the server. The response to that request was then streamed back in the response to the original request. That is proxy functionality alright!


Knowing that the functionality exists is one thing, but you also need to know which URL to call. One part can be derived from the source code, the other part from the documentation.

How to test for the vulnerability

So in order to test whether the vulnerability is present you need to form a URL like so:


https://%basepath%/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl


If you execute this request in a browser (after replacing %basepath% with your Atlassian product's base path :-) and are greeted with a Google page, you now know which URL to block :-) If, however, you get a 404, all is well, because the servlet no longer exists in newer versions of the plugin.

Why is this a bad thing TM?

Well, first of all, because the server executes an HTTP request with a URL of your choice and returns the results, you can access any resource the server has access to.

Often the server resides on an internal network, and if you know or guess the name of any HTTP resource on that network you can access it. For example, a vulnerable Jira server is accessible from the internet, but an internal Confluence is only available on the internal network. You could access it with a URL like this:


https://jira.company.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://confluence.company.com/


Secondly, you can use this feature to phish for credentials by serving a spoofed login page through this URL. The TLS lock is green and the domain name checks out, but you may be looking at content from a whole different domain. Likewise, you can use it to serve untrustworthy content from a trusted domain (think ads, and worse).
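As an added example (not code from the post or from Atlassian), here is a small Python detector a defender could run over web-server access logs to find requests to the icon-uri servlet, decode the consumerUri and classify whether the server was asked to fetch an internal or an external resource, and whether the request was served (200) or hit a patched instance (404). The log lines, the 10.0.0.20 host and the `.company.com` internal DNS suffix are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ICON_URI_PATH = "/plugins/servlet/oauth/users/icon-uri"  # the servlet from the post

# Common-log-format lines: source IP, timestamp, request target, status code.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3}) ', re.M)

# Constructed sample lines (not real traffic): an internal Confluence host, an RFC 1918
# address, the Google check from the post, an unrelated request, and a patched 404.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2017:12:00:01 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https%3A%2F%2Fconfluence.company.com%2F HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2017:12:00:02 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=http%3A%2F%2F10.0.0.20%2F HTTP/1.1" 200 312
203.0.113.7 - - [10/Jun/2017:12:00:03 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl HTTP/1.1" 200 9876
198.51.100.9 - - [10/Jun/2017:12:00:04 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 4321
198.51.100.9 - - [10/Jun/2017:12:00:05 +0000] "GET /plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl HTTP/1.1" 404 0
"""

def classify_target(consumer_uri, internal_suffixes=()):
    """Return 'internal', 'external' or 'invalid' for the URL the server was asked to fetch."""
    parts = urlsplit(consumer_uri)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: single-label names and the caller's own DNS suffixes are internal.
        return "internal" if "." not in host or host.endswith(tuple(internal_suffixes)) else "external"
    return "internal" if ip.is_private or ip.is_loopback or ip.is_link_local else "external"

def find_icon_uri_requests(log_text, internal_suffixes=()):
    """One finding per request to the icon-uri servlet; consumerUri is percent-decoded."""
    findings = []
    for m in LOG_RE.finditer(log_text):
        target = urlsplit(m["target"])
        if target.path != ICON_URI_PATH:
            continue
        consumer = parse_qs(target.query).get("consumerUri", [""])[0]
        status = int(m["status"])
        findings.append({"src": m["src"], "consumer_uri": consumer, "status": status,
                         "target": classify_target(consumer, internal_suffixes),
                         "served": status == 200})  # a 404 means the servlet is gone (patched)
    return findings
```

Any hit classified as internal on a server that answers 200 is the case the post warns about: the instance is both unpatched and being used to reach the internal network.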

Conclusion

I think this vulnerability has not received the attention it deserves. The administrators I have talked to so far were unaware of it. This kind of makes sense, because it never featured on the Atlassian security page, and CVE-2017-9506 listed only the OAuth component, not the affected products.

So, if you find your Atlassian product vulnerable, please inform your administrator and ask them to block the URL or to upgrade to a later version of the product.


According to the Atlassian Jira issue, the following versions are vulnerable:
  • Bamboo < 6.0.0
  • Confluence < 6.1.3
  • Jira < 7.3.5
  • Bitbucket < 4.14.4
  • Crowd < 2.11.2
  • Crucible & Fisheye < 4.3.2
