Flaw in Atlassian Companion for macOS Let Attacker Execute Remote Code

by Esmeralda McKenzie
Flaw in Atlassian Companion for macOS Let Attacker Execute Remote Code

Flaw in Atlassian Companion for macOS Let Attacker Execute Remote Code

Flaw in Atlassian Partner for macOS Let Attacker Gain Some distance away Code

When Atlassian Partner is build in on macOS, a vulnerability has been detected that enables far flung code execution on users’ laptop systems as soon as they click on the Edit button on a Confluence page.

With the Atlassian Partner app, users can edit Confluence recordsdata of their chosen desktop app and get hang of the adjustments straight saved assist to Confluence.

The Atlassian Partner utility, which must be build in on every client’s laptop, manages the download and re-add of recordsdata.

An attacker can remotely attain malicious code on a laptop by far flung code execution (RCE) assaults. An RCE vulnerability can result in malware execution or an attacker acquiring total adjust of a weak system.

This flaw used to be chanced on by blogger and app security expert WOJCIECH REGUA.

Some distance away Code Execution On MacOS Machine

The protection expert says that documents saved in Confluence would possibly well even be edited on macOS the use of the Atlassian Partner App. When the patron presses the Edit button, the next happens:

  • The file is downloaded in the neighborhood on the laptop.
  • The app validates extensions
  • The app opens the downloaded file
  • When the file is updated, it is posted assist to Confluence.

The express here is that Atlassian used to be wide awake that one of the crucial extensions wished to be disabled. A blocklist would possibly well even be chanced on in the app’s sources.

image 3
Blocklist display in the app’s sources

He mentions that the class extension is finest on the windowsDangerous blocklist in this case; attributable to this reality, it is an allowed extension on macOS.

The researcher created a malicious Howdy.java file when the researcher’s Howdy.class file will get uploaded to Confluence and then clicks edit, the code is performed, and the Calculator is launched.

image 4
Malicious Howdy.java file created

At closing, the mentioned. class file extension is now also blocked on macOS. Studies narrate Atlassian bought the express listing in 2021, mounted the flaw in 90 days, and awarded a reward.

Source credit : cybersecuritynews.com

Related Posts