There is a proxy in your Atlassian Product! (CVE-2017-9506)

You might not know it but the Atlassian OAuth plugin is part of most Atlassian products such as Jira and Confluence. Until recently it had a vulnerability that allowed the unauthenticated execution of HTTP GET requests from the server. You can do all kinds of interesting things with it, like accessing resources on the internal network or spoofing pages with a valid TLS connection. 

In this blog post I will describe the vulnerability, explain how it works, how to test for it and why it is a bad thing TM.

The vulnerability

As part of my research for Atlasscan I sometimes browse the Atlassian JIRA in search for security related issues and see if I can test for them. Last weekend I stumbled upon OAuth-344, which is the vulnerability we're talking about. It sounded interesting so I decided to have a look.

It is nice that the Atlassian OAuth plugin is open source, so you can examine the commits that fixed the issue. There was an IconUriServlet that accepted a GET request and took the value from the consumerUri parameter and used it to create another HTTP GET request, this time executed from the server. The response from the request was then streamed back across the original request. That is proxy functionality alright!


Knowing that the functionality exists is one thing, but you also need to know which URL to call. A part can be derived from the source code, the other part from the documentation.

How to Test for the vulnerability

So in order to test if the vulnerability is present you need to form an URL like so:


https://%basepath%/plugins/servlet/oauth/users/icon-uri?consumerUri=https://www.google.nl


If you execute this request in a browser (and replace %basepath% with your Atlassian product base path :-) and are greeted with a Google page you now know which URL to block :-) If however you get a 404 all is well because the servlet no longer exists in newer versions of the plugin.

Why is this a bad thing TM?

Well first of all, because the server executes an HTTP request with an URL of your choice and returns the results, you can access any resource the server has access to.

Often the server resides on an internal network and if you know or guess the name of any http resources on that network you can access them. For example a vulnerable Jira server is accessible from the internet, but an internal Confluence is only available on the internal network. You could access it with an URL like this:


https://jira.company.com/plugins/servlet/oauth/users/icon-uri?consumerUri=https://confluence.company.com/


Secondly you can use this feature to phish for credentials by accessing a spoofed login page through this URL. The TLS lock is green, domain name checks out, but you may be looking at code from a whole different domain. Also you can use this to serve untrustworthy content using a trusted domain (think ads and worse).

Conclusion

I think this vulnerability has not received the attention it deserves. The administrators I have talked to so far were unaware of it. This kind of makes sense because it never featured on the Atlassian security page and CVE-2017-9506 listed only the OAuth component, not the products.

So, if you find your Atlassian product vulnerable please inform your administrator and ask him to block the URL or upgrade to a later version of your product.


According to the Atlassian Jira the following versions are vulnerable:
  • Bamboo < 6.0.0
  • Confluence < 6.1.3
  • Jira < 7.3.5
  • Bitbucket < 4.14.4
  • Crowd < 2.11.2
  • Crucible & Fisheye < 4.3.2

7 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. According to my point of view, you will get all the help and support you require from the team at Big Lottery, couldn’t be more helpful. You will know more about your community and their needs than any consultant will ever know.Smith

    ReplyDelete
  3. To view purchased for your web page yet preparing medication evidently very bit of little submits. Acceptable technique for opportunity near future, Our company is book-marking at a stretch acquire styles avoid increases alongside one another. taux de glucose

    ReplyDelete
  4. Thanks for the blog loaded with so many information. Stopping by your blog helped me to get what I was looking for. review

    ReplyDelete
  5. Wow! Such an amazing and helpful post this is. I really really love it. It's so good and so awesome. I am just amazed. I hope that you continue to do your work like this in the future also t shirt met tekst

    ReplyDelete
  6. You make so many great points here that I read your article a couple of times. Your views are in accordance with my own for the most part. This is great content for your readers. shisha

    ReplyDelete
  7. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info. estilo de vida

    ReplyDelete