Full Report
Bitbucket is a service similar to GitHub. The authors of this post were after an RCE bug. Since they knew that many such platforms end up calling git, they wanted a way to trace those calls. To do so, they used pspy, a tool for snooping on processes without being root. In particular, they were looking for git invocations in the process log that carried the canary string PEWPEW. They triggered a bunch of requests to see what would happen. First, they found an argument injection bug; however, it appeared to be unexploitable because of the command whose arguments could be controlled. Eventually, they traced a call to git archive where the value of --prefix= could be controlled. Bitbucket is written in Java, so the input is likely passed as a separate parameter when the command is built, making argument injection unlikely. However, passing null bytes via %00 in the parameters seems to bypass this limitation. By sending padding%00--option%00padding, the prefix option was escaped and they got the error message "--option is not a option a git subcmd". Amazing! They had escaped the argument simply by fuzzing and trying different things! git archive has the very handy flag --exec. Passing a command in this parameter, alongside the --remote flag with a file URI, leads to code execution. The final injection input was x%00--exec=/bin/bash+-c+'touch+/tmp/haced%23'%00--remote=file:///%00x. After writing the exploit, the authors wondered why the added null bytes worked. Atlassian patched this bug by disallowing null bytes in the parameters of this call. The reason it worked is that the function Java_java_lang_ProcessImpl_forkAndExec was being used to execute commands; it takes the command as a char array in which the individual arguments are separated by null bytes. The injected null bytes therefore changed the number of arguments seen by the low-level Java call, which allowed the new parameters to be injected.
Pretty neat! Sometimes fuzzing and trying random things is more important than understanding the entire ecosystem through and through. I probably would not have found this, simply because I would have assumed the Java API was secure against this. Overall, good article!
Analysis Summary
# Vulnerability: Pre-Authentication Remote Command Execution in Bitbucket via `git archive` Argument Injection
## CVE Details
- CVE ID: CVE-2022-36804
- CVSS Score: Not explicitly provided, but the issue is described as a critical RCE (such bugs typically score high).
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) likely applies.
## Affected Systems
- Products: Bitbucket Server and Datacenter
- Versions: All versions released *after* 6.10.17, including all versions between 7.0.0 and 8.3.0 inclusive.
- Configurations: Applies to default installations utilizing the affected versions.
## Vulnerability Description
The vulnerability is a Remote Command Execution (RCE) stemming from an argument injection flaw within the API endpoint responsible for archiving repository contents (`/rest/api/latest/projects/PROJECTKEY/repos/REPO/archive`).
The vulnerability occurs when processing the `prefix` parameter intended for the underlying `git archive --prefix=` command. While standard parameterization was expected in Java applications, the injection was successful by leveraging **null bytes (`%00`)** within the request parameters.
The attacker can inject null bytes (e.g., using `%00` encoding) because the Java application was invoking the native process execution function `Java_java_lang_ProcessImpl_forkAndExec`, which takes commands as a `char` array delimited by null bytes. The injected null bytes effectively terminate the intended argument prematurely, allowing subsequent injected strings to be interpreted as new, distinct command-line arguments.
By escaping the `--prefix` argument with null bytes (`padding%00--option%00padding`), the researchers demonstrated control over new arguments. This control was escalated to RCE by utilizing the `git archive --exec=<COMMAND>` flag alongside the `--remote=file:///...` flag.
## Exploitation
- Status: Proof of Concept (PoC) described/available (as the researchers wrote and tested the exploit).
- Complexity: Low (Pre-authentication vulnerability exploited via a specific network request structure).
- Attack Vector: Network (Pre-authentication).
**Example Injection Demonstrated:** `x%00--exec=/bin/bash+-c+'touch+/tmp/haced%23'%00--remote=file:///%00x` leads to command execution (`touch /tmp/haced#`).
## Impact
- Confidentiality: High (Arbitrary code execution grants access to system files and data).
- Integrity: High (Arbitrary commands can be executed to modify the system or data).
- Availability: High (System compromise can lead to denial of service or system destruction).
## Remediation
### Patches
- Atlassian patched this issue by disallowing null bytes from being processed in the parameters passed to the command execution for this specific API call.
### Workarounds
- Update to a patched version provided by Atlassian.
- If immediate patching is not possible, monitoring for unexpected null bytes in requests to the relevant API endpoint can serve as a temporary detection measure until the patch is applied.
## Detection
- **Indicators of Compromise (IOCs):** Look for process execution commands originating from the Bitbucket service that include null byte sequences (`\0` or `%00`) being passed to `git archive` or shell processes (`/bin/bash`, etc.).
- **Detection Methods and Tools:** Process monitoring tools (like `pspy` used by the researchers) or EDR solutions logging command arguments for the Java process executing system calls should highlight the suspicious use of null bytes or the introduction of unexpected arguments like `--exec` or `--remote` in relation to repository archiving requests.
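The following detection logic is an added example, not code from the write-up or from Atlassian. It covers both layers named above: the `%00` in the `prefix` query parameter of archive requests, and the injected `--exec`/`--remote` flags in the resulting `git archive` argv. The access-log and pspy line formats are assumed, and all sample lines are constructed; only the endpoint path and the injection string come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data (not real Bitbucket or pspy output).
ACCESS_LOG = [
    '10.0.0.5 - - "GET /rest/api/latest/projects/PROJ/repos/repo/archive?format=zip&prefix=release-1.0/ HTTP/1.1" 200',
    '10.0.0.9 - - "GET /rest/api/latest/projects/PROJ/repos/repo/archive?format=zip&prefix=x%00--exec=/bin/bash+-c+\'touch+/tmp/haced%23\'%00--remote=file:///%00x HTTP/1.1" 200',
]
# At the process level the NUL bytes have already become argument separators,
# so a /proc/<pid>/cmdline reader such as pspy shows the injected flags as
# ordinary argv entries rather than as visible "\0" characters.
PSPY_LOG = [
    "2022/09/14 10:00:01 CMD: UID=1001 PID=4242 | git archive --format=zip --prefix=release-1.0/ HEAD",
    "2022/09/14 10:00:05 CMD: UID=1001 PID=4250 | git archive --format=zip --prefix=x --exec=/bin/bash -c 'touch /tmp/haced#' --remote=file:/// x HEAD",
]

ARCHIVE_RE = re.compile(r'"(?:GET|POST) (/rest/api/[^ ]*/archive\?[^ ]*) HTTP')
PSPY_RE = re.compile(r"^\S+ \S+ CMD: UID=(\d+) PID=(\d+) \| (.*)$")
UNEXPECTED_FLAGS = ("--exec", "--remote")  # flags the page names as injected

def request_has_null_byte(log_line: str) -> bool:
    """True if an archive request carries a parameter that decodes to NUL."""
    m = ARCHIVE_RE.search(log_line)
    if not m:
        return False
    query = urlsplit(m.group(1)).query
    return any("\x00" in v for _, v in parse_qsl(query, keep_blank_values=True))

def git_archive_unexpected_flags(cmd: str):
    """Return the --exec/--remote arguments present in a 'git archive' argv."""
    if not cmd.startswith("git archive"):
        return []
    return [a for a in cmd.split() if a.split("=", 1)[0] in UNEXPECTED_FLAGS]

def parse_pspy(line: str):
    m = PSPY_RE.match(line)
    return (int(m.group(2)), m.group(3)) if m else None

def scan(access_lines, pspy_lines):
    """Correlate both layers and return (layer, source, reason) alerts."""
    alerts = []
    for line in access_lines:
        if request_has_null_byte(line):
            alerts.append(("request", line.split()[0], "null byte in archive query"))
    for line in pspy_lines:
        rec = parse_pspy(line)
        if rec and (flags := git_archive_unexpected_flags(rec[1])):
            alerts.append(("process", rec[0], "unexpected git archive flags: " + " ".join(flags)))
    return alerts
```

Because the null bytes vanish into argument boundaries at exec time, the request layer is where `%00` is actually visible; the process layer is where the extra flags show up.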
## References
- Vendor advisory: Atlassian Security Advisory for CVE-2022-36804 (no direct link given in the source).
- Research Post: hxxps://blog dot assetnote io/2022/09/14/rce-in-bitbucket-server/