Abusing functionality to exploit a super SSRF in Jira Server (CVE-2022-26135)
TL;DR Jira is vulnerable to SSRF which requires authentication to exploit. There are multiple ways to create user accounts on Jira in order to exploit this issue depending on the configuration of the Jira instance. As an attack chain, it may be possible for an attacker to exploit this issue without known credentials. The advisory from Atlassian can be found here.
The exploit code for this vulnerability can be found here. This exploit attempts to register an account on Jira Core or Jira Service Desk and then exploits the SSRF vulnerability automatically.
Introduction
Jira is the most popular issue tracking software on the internet. It is used by businesses of all sizes, from small businesses to the Fortune 100. As security researchers, researching vulnerabilities within Jira holds significant value due to the potential impacts they may have across a wide range of businesses.
Our security research team discovered a vulnerability within Jira Server Core, which allows attackers to make requests to arbitrary URLs, with any HTTP method, headers and body. While this SSRF vulnerability was quite powerful, by default, this vulnerability is only exploitable after you have authenticated to the Jira instance.
We spent a few days looking for an authentication bypass in Jira so that we could exploit the SSRF we discovered pre-authentication, until we had a lightbulb moment. We realised that we could abuse the functionalities of Jira Service Desk to obtain an account on a Jira instance. This chain allowed us to exploit this SSRF vulnerability without knowing a valid pair of credentials (Jira Service Desk is often configured to provision accounts).
The Discovery Process
Over the last decade, we’ve tracked, analysed and focused on Atlassian’s suite of products when it comes to security advisories. The software that Atlassian produces is extremely popular and the diversity of businesses that use it has always motivated us to stay on top of the various security issues discovered in their products.
In April this year, a security advisory was published for Jira regarding an authentication bypass vulnerability in Seraph. My colleague Dylan and I were tasked with writing checks for our Attack Surface Management Platform. One of the plugins listed in the advisory that was vulnerable to the Seraph authentication bypass was the Mobile Plugin for Jira.
While analysing this security advisory, we made ourselves very familiar with all of the affected plugins, and most importantly, the Mobile Plugin for Jira, which is where we discovered our server-side request forgery vulnerability.
Let our experiences in analysing patches, advisories and published security issues be yet another reason for you to consider doing the same. You never know what you may find in the process of reverse engineering.
Code Analysis
With Jira plugins, it is possible to register REST routes which can typically be called through `jira-base-url/rest/`. When looking at the Mobile Plugin for Jira, we noticed the following block of code inside `com/atlassian/jira/plugin/mobile/rest/v1_0/BatchResource.java`:
The `batch` API built into the Mobile Plugin for Jira looks like it was intended to take in multiple requests and execute them on the server side. The line that we will be following through is `List<BatchResponseBean> responseBeans = this.batchService.batch(requestsBean, headers);` which is responsible for actually sending the HTTP requests. The `batchService` is located in `com/atlassian/jira/plugin/mobile/service/impl/BatchServiceImpl.java`.
The code for this can be found below:
The line we’re interested in from the above snippet of code is `Optional<BatchResponseBean> responseBean = execute(requestBean, headers);`. The source code for this can be found below:
We can see that the URL is crafted through the following lines of code: `String relativeLocation = requestBean.getLocation(); URL jiraLocation = toJiraLocation(relativeLocation);`. The code obtains the location from the JSON object we send to this API, and then constructs a “Jira Location” by passing in the location we specify in our request.
We can see the source code for `toJiraLocation` and its associated functions below:
Have you spotted the issue?
The URL is constructed through a simple concatenation: `URI.create(this.jiraBaseUrls.baseUrl() + path);`.
As an attacker, you can simply specify `@targethost.com` which will ultimately construct the URL `https://jira-host.com@targethost.com`. When this URL hits the HTTP client, the client will send a request to `targethost.com`.
After the URL has been constructed, the sink for this issue is `this.httpClientProvider.sendRequest(request);` which uses `OkHttpClient` to send the HTTP requests.
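The concatenation problem described above, shown next to one way to guard against it. This is an added example, not code from the Mobile Plugin or from Atlassian's patch; the class name, the `checked` helper, the base URL constant and the sample locations are assumptions made for illustration.

```java
import java.net.URI;
import java.util.List;

public class JiraLocationCheck {
    // Constructed base URL, mirroring the post's jira-host.com example.
    static final String BASE_URL = "https://jira-host.com";

    // The pattern from the post: base URL and caller-supplied location are concatenated.
    static URI concatenated(String location) {
        return URI.create(BASE_URL + location);
    }

    // Hypothetical hardened variant: require an absolute path, then confirm that
    // the parsed result still points at the base origin and carries no userinfo.
    static URI checked(String location) {
        if (!location.startsWith("/")) {
            throw new IllegalArgumentException("location must start with '/'");
        }
        URI base = URI.create(BASE_URL);
        URI result = URI.create(BASE_URL + location).normalize();
        boolean sameOrigin = base.getScheme().equalsIgnoreCase(result.getScheme())
                && base.getHost().equalsIgnoreCase(result.getHost())
                && base.getPort() == result.getPort()
                && result.getRawUserInfo() == null;
        if (!sameOrigin) {
            throw new IllegalArgumentException("location leaves the Jira origin");
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample locations: an ordinary REST path and the value from the post.
        List<String> samples = List.of("/rest/api/2/serverInfo", "@targethost.com");
        for (String location : samples) {
            URI naive = concatenated(location);
            String verdict;
            try {
                verdict = "accepted, host=" + checked(location).getHost();
            } catch (IllegalArgumentException e) {
                verdict = "rejected: " + e.getMessage();
            }
            // For "@targethost.com" the naive URI parses "jira-host.com" as userinfo
            // and "targethost.com" as the host, which is where the request would go.
            System.out.printf("%-24s naive host=%-16s userinfo=%-14s checked -> %s%n",
                    location, naive.getHost(), naive.getUserInfo(), verdict);
        }
    }
}
```

Comparing the parsed host, port and userinfo against the base URL catches the authority confusion even if the leading-slash check is later relaxed.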
SSRF Capabilities & Limitations
Capabilities:
- We can send up to 5 requests at a time through this Batch API
- We can send requests with any HTTP method (method parameter in JSON)
- We can send requests with any HTTP headers (takes headers from our request and copies them over)
- We can send requests with any HTTP body (body parameter in JSON)
Limitations:
- The protocol is not controllable; you have to use an HTTP redirect if you want to request a URL which is a different protocol (https -> http for example)
- The host header may not be controllable depending on webserver configuration
The Lightbulb Moment
While it is great that we have found an SSRF vulnerability in Jira, we’re still not able to weaponise it as it is post-authentication. As mentioned previously in this blog post, we spent a few days looking for an authentication bypass, but we were unable to find one.
The lightbulb moment occurred when we considered the context of Atlassian’s Jira ecosystem and how different components may interact with each other.
Atlassian also have a product called Jira Service Desk, which is often installed alongside Jira Core. It is very common to see scenarios where Jira Service Desk signups are enabled. This is often the case because companies would like their self service mechanisms to be … self service.
We were able to successfully exploit this post-authentication vulnerability by first registering on Jira Service Desk, and then using that account to access the Jira Core REST APIs.
This vulnerability is rated high severity due to this exploit chain.
You can sign up to Jira Service Desk through the following URL: /servicedesk/customer/user/signup. Note: this endpoint being exposed is not an indicator that signups are actually enabled. In order to determine if signups are enabled, you must actually send a signup request.
Our exploit that is published on GitHub attempts to sign up to Jira Service Desk and then exploit the SSRF issue; however, this cannot always be automated due to some signup flows requiring manual user interaction (i.e. captchas, email).
Exploit
You can obtain our exploit code for this issue by visiting the following URL: https://github.com/assetnote/jira-mobile-ssrf-exploit.
The following HTTP request can be used to reproduce this issue, once authenticated to the Jira instance:
Solution
The remediation details provided from Atlassian’s advisory are satisfactory and will ensure that this vulnerability cannot be exploited.
The knowledge base article detailing the patches or workaround to apply can be found here.
Timeline
The timeline for this disclosure process can be found below:
- Apr 21st, 2022: Disclosure of SSRF vulnerability affecting Jira server & Jira Cloud to Atlassian’s security team
- Apr 21st, 2022: Atlassian confirms security vulnerability and triages it in their internal issue tracker.
- June 22nd, 2022: Atlassian confirms advisory publication date and asks us for credit information.
- June 29th, 2022: Atlassian publishes advisory with patches.
The Atlassian team worked with us to quickly remediate this issue in Jira.
Conclusion
Assessing vendor advisories, patches and reverse engineering the affected components can sometimes lead to the discovery of new vulnerabilities.
In this case, we discovered a full read SSRF vulnerability while reverse engineering some patches from Atlassian from earlier this year.
Additionally, even when it is not possible to bypass authentication through vulnerabilities, consider the full context of the application and its functionalities to determine alternative methods to exploit the issues that were discovered in the post-authentication attack surface.
As always, customers of our Attack Surface Management platform were the first to know when this vulnerability affected them. We continue to perform original security research in an effort to inform our customers about zero-day vulnerabilities in their attack surface.