Escalating SSRF in a Vulnerable Jira Instance to RCE via Docker Engine API

Originally posted by me on Reddit. This is just a repost of what I wrote there on /r/netsec, and formatting is a bit awkward.  Due to some glitch I found out it couldn't be published there. 

Awhile back, I posted on Twitter about achieving Remote Code Execution in Jira instances deployed over Docker.

It's a common sight these days, to come across internal bug trackers of large companies who simply don't firewall their internal network. As a result, one can achieve varying impacts, but I believe, sky is the limit ;)

Orangetsai has previously demonstrated some exceptional cases of acheiveing RCE via SSRF based vulnerabilities, which further motivated me to research into this topic.

Upon delving deeper, I found out that, a huge number of Jira instances were exposed publically which itself is thought provoking and tempted me to look further into ways in which I could exploit it.

• I was able to earn a couple bug bounties along the way on BugCrowd by successfully demonstrating XSS, with cookies scoped to parent domains in those cases allowing me to execute a full fledged ATO attack via Reflected XSS using SSRF in the Vulnerable Jira instance.
• The next considerable impact was some critical information disclosure, which happened only at times, when you passed on a wrong or, malformed URL in your request and Jira gave you an interesting stack trace containing more internal information.
• Only in two counts of cases could I leverage this to penetrate into the intranet of the concerned company (which was interesting alone) and find some internal vulnerable software. The impact kept on increasing at each step as I progressed further and this was no more a simple report which most security researchers are tempted to make viz. Reflected XSS, SSRF and Exposed Jira Panels. Hence, I got something more to put in my security report.
• As I kept digging deeper, I came across a Jira instance which was deployed over Docker. Ask how? I put together a simple Python script that would keep hitting the consumerUri parameter with different payloads like [::1], localhost, and the likes, also with some deliberately filthy payloads just to exfiltrate some information. The endpoint is https://[Jira-server host.tld]/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=

So, while monkey testing, and fuzzing I finally constructed this payload - https://[Jira-server-host.tld]/jira/plugins/servlet/oauth/users/icon-uri?consumerUri=http://[::1]:2375/containers/json

Bam! We got some sensitive docker credentials stored as environment variables through an unauthenticated request to the Docker Engine API via an SSRF vulnerability in that Jira instance and are now in a position to conclude we performed an RCE in an internal network where practically no XSS would hold that great an impact! This could be rare but a notable case.

Do you have some ideas on how to exploit this further? Do post your ideas on this!