Breaking Bitbucket: Pre Auth Remote Command Execution [CVE-2022-36804] (6000)

We discussed this vulnerability during Episode 153 on 26 September 2022

Two argument injections were found in Bitbucket Server, though only one of them was exploitable. The first was in the /rest/api/latest/projects/~USER/repos/repo1/browse endpoint, which accepts an at parameter. The researchers found they could smuggle --help through that parameter, but there was no security impact: the underlying sub-command has no arguments worth injecting.

The second was the /rest/api/latest/projects/PROJECTKEY/repos/REPO/archive endpoint, which turned out to be far more useful. This endpoint takes a prefix parameter, which maps to the --prefix argument of the underlying git archive sub-command. The process builder launches that sub-command through Java's native Java_java_lang_ProcessImpl_forkAndExec function, which receives the argument vector as a single char array in which the entries are separated by null bytes; nothing checks that an individual argument is itself free of null bytes. By passing URL-encoded null bytes (%00) in the prefix value, an attacker can therefore terminate the prefix argument early and have whatever follows split off into additional argv entries. That matters because git archive supports an --exec argument naming the path to the git-upload-archive binary, and that value is essentially just handed to /bin/sh via execve(), so once --exec can be injected, arbitrary command execution is straightforward.
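The following is an added example, not code from the podcast, from Bitbucket or from the JDK. It models the argv marshalling the paragraph describes in Python so the split can be watched: the Java side joins the arguments into one NUL-separated block with no NUL check, and the native side walks that block one C string at a time up to the original argument count (that count-bounded walk is an assumption about the native helper, not something the page states). The server-side command line, the ref and path values, and the archive_argv/archive_argv_hardened names are hypothetical; the attacker value is constructed for the demonstration.

```python
from urllib.parse import unquote


def build_arg_block(args):
    """Join argv the way the page describes Java's ProcessImpl doing it:
    every argument is copied into one byte block followed by a NUL, and
    nothing checks whether an argument itself contains a NUL.
    Returns (block, argc), where argc is the *original* argument count."""
    encoded = [a.encode("utf-8") for a in args]
    return b"".join(e + b"\0" for e in encoded), len(encoded)


def init_vector_from_block(block, count):
    """Model of the native side: take `count` C strings from the block in
    order. (Assumption: the native helper is bounded by the Java-side count;
    this is why injected entries push the original trailing arguments off
    the end of argv rather than growing it.)"""
    vect = []
    pos = 0
    for _ in range(count):
        end = block.index(b"\0", pos)
        vect.append(block[pos:end])
        pos = end + 1
    return vect


# Hypothetical trailing arguments; the real Bitbucket argv is not on the page.
REF = "refs/heads/main"
PATH = "src"


def archive_argv(prefix_param):
    """Hypothetical vulnerable server path: the `prefix` query value is
    URL-decoded by the web layer (so %00 becomes a real NUL character) and
    dropped straight into a --prefix= argument."""
    prefix = unquote(prefix_param)
    args = ["git", "archive", "--format=tar", "--prefix=" + prefix, REF, "--", PATH]
    block, argc = build_arg_block(args)
    return init_vector_from_block(block, argc)


def archive_argv_hardened(prefix_param):
    """Same command line, but the decoded value is rejected if it carries a
    NUL or any other control character, so one argv index stays one
    argument. A stricter allowlist (e.g. [A-Za-z0-9._/-]) is better still."""
    prefix = unquote(prefix_param)
    if any(ord(c) < 0x20 for c in prefix):
        raise ValueError("prefix contains a control character")
    args = ["git", "archive", "--format=tar", "--prefix=" + prefix, REF, "--", PATH]
    block, argc = build_arg_block(args)
    return init_vector_from_block(block, argc)


if __name__ == "__main__":
    print(archive_argv("repo1/"))
    # Constructed attacker value: the first NUL ends --prefix early; the rest
    # becomes two new argv entries, and "--" plus the path fall off the end.
    print(archive_argv("x%00--remote=origin%00--exec=id"))
    try:
        archive_argv_hardened("x%00--remote=origin%00--exec=id")
    except ValueError as exc:
        print("rejected:", exc)
```

Two things worth noticing when running it: the injected --remote and --exec entries land as their own argv indices, and the original trailing arguments (here "--" and the path) are silently truncated because the native walk stops at the original count, so an injection has to fit inside the space the original command line leaves. By contrast, Python's own subprocess module refuses an argument containing an embedded NUL with a ValueError before it ever forks, which is the check the modelled Java path lacks.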