POC details: 35998f3bfb81b46074284a09b56dd1e75c61b2cf

Source
Related vulnerability
Title: Atlassian Confluence Server security vulnerability (CVE-2023-22515)
Description: Atlassian Confluence Server is the server edition of the collaboration software from the Australian company Atlassian; it provides enterprise knowledge-management features and supports building enterprise wikis. Atlassian Confluence Server contains a security vulnerability: an external attacker can exploit an unknown flaw in publicly accessible Confluence Data Center and Confluence Server instances to create a Confluence administrator account and gain access to the Confluence instance.
Introduction
# LetsDefend-SOC235-Atlassian-Confluence-Broken-Access-Control-0-Day-CVE-2023-22515-EventID-197
I was presented with a high-severity alert indicating a potential exploit attempt of CVE-2023-22515, a zero-day vulnerability in Atlassian Confluence. The alert showed a suspicious GET request from an external IP targeting the Confluence server, suggesting an attempt to gain unauthorised admin access.

<br />
<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/1bd39c54-4135-47ac-89b3-eaad3fd5b3a9" />
<br />
<br />


The vulnerability allows an attacker to send crafted requests to a **Confluence instance** that result in the silent creation of administrator accounts, providing immediate unauthorised control. Exploitation typically involves a simple GET request to a vulnerable endpoint from an external IP, which can give the attacker initial access, the ability to install backdoors, move laterally, or exfiltrate data. Atlassian classifies this as critical due to the ease of abuse and the potential for full system compromise. Recommended actions include applying the vendor patch, isolating affected servers, reviewing logs for suspicious GET requests and new admin accounts, and rotating credentials and keys used by Confluence.

## VirusTotal & Threat Intel

As part of my investigation, I examined the source IP address 43[.]130[.]1[.]222 using VirusTotal to assess its reputation. The analysis confirmed that this IP address is flagged as malicious.

<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/5408c7cb-108c-406c-a654-8deda4a92f93" />


<img width="800" height="800" alt="Image" src="https://github.com/user-attachments/assets/d565d0b5-a156-4037-bf8d-6640b8fd4107" />


## Log Management

To validate the presence of a cyber attack, I also analysed the logs using 43[.]130[.]1[.]222 as the source IP address and identified three relevant log entries.

<br />
<img width="800" height="700" alt="Image" src="https://github.com/user-attachments/assets/1dc2035e-0bd4-4b27-b32d-94c1d47096d8" />

<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/8126f5ba-cd72-48ef-b662-df074ad2e4ff" />

<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/ae8d474a-1cfd-4113-80aa-628fd126059a" />

<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/d64c4b48-2e95-4441-a2af-9c4741808708" />
<br />
<br />

Upon analysing the log entries, I observed that the request `/serverinfo.action?bootstrapStatusProvider.applicationConfig.setupComplete=false` returned a 200 status code. This response indicates that the request was successfully processed, suggesting that the attack was executed successfully.
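A detection pass over web-server access logs for the request described above, added here as an example (it is not part of the original write-up or of LetsDefend's tooling): it flags any request carrying the `setupComplete=false` parameter and treats a 200 response as a processed (successful) attempt, everything else as an attempt. The combined log format, the regex and the sample lines are assumptions; the sample lines are constructed and only the query parameter and the source IP mirror the write-up.

```python
import re
from dataclasses import dataclass

# Indicator taken from the request observed in this investigation:
# the query parameter that flips Confluence back into its setup state.
SETUP_RESET_MARKER = "bootstrapStatusProvider.applicationConfig.setupComplete=false"

# Assumed combined log format: client ip, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    src_ip: str
    timestamp: str
    path: str
    status: int
    verdict: str  # "exploit_succeeded" (HTTP 200) or "exploit_attempt" (any other status)


def detect_setup_reset(lines):
    """Return one Finding per log line whose request path carries the setupComplete=false marker.

    A 200 means the server processed the request, which is what the write-up treats
    as evidence of a successful attack; a blocked or failed request is still an attempt.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or SETUP_RESET_MARKER not in m.group("path"):
            continue
        status = int(m.group("status"))
        verdict = "exploit_succeeded" if status == 200 else "exploit_attempt"
        findings.append(Finding(m.group("ip"), m.group("ts"), m.group("path"), status, verdict))
    return findings


# Constructed sample lines (not the real alert data).
SAMPLE_LOG = [
    '43.130.1.222 - - [20/Oct/2023:11:02:15 +0000] "GET /serverinfo.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Oct/2023:11:03:01 +0000] "GET /login.action HTTP/1.1" 200 2048',
    '198.51.100.7 - - [20/Oct/2023:11:05:40 +0000] "GET /serverinfo.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in detect_setup_reset(SAMPLE_LOG):
        print(f"{f.verdict}: {f.src_ip} {f.path} -> {f.status}")
```

A hit with verdict `exploit_succeeded` is the trigger to look for newly created administrator accounts on the instance, as the playbook steps above describe.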

## Playbook
<br />
<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/b6e2fad6-b706-4fd0-bf01-6e3094dbe549" />
<br />
<br />

Based on the findings of my investigation, the traffic has been identified as malicious.

<br />
<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/afa0954e-8c3b-4ed1-a08f-cc1fec9a1214" />
<br />
<br />

Based on the investigation and the available options, the most appropriate classification for the attack vector is "Other". The malicious traffic observed does not align with any of the predefined categories such as Command Injection, IDOR, LFI/RFI, SQL Injection, or XSS.

<br />
<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/cd729670-70e4-47ac-b9c1-e92cbdb42ca9" />
<br />
<br />

After reviewing the email security logs using both the source and destination IP addresses, I found no evidence of any emails indicating that this was a planned test.

<br />
<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/33624d0b-4aa0-4f3c-963a-6bbda33ad4e7" />
<br />
<br />

The IP address 43.130.1.222 originates from an external organisation and serves as a public-facing endpoint, whereas 172.16.17.234 is assigned to a device within the company’s internal network. This indicates that the connection originated externally from the Internet and was directed toward the company's internal network.

<br />
<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/403c950e-84db-47de-9858-b8f54786037d" />
<br />
<br />

During the initial phase of the investigation, it became evident that the device's configuration permitted the attack to proceed without blocking or mitigating any malicious activity. Additionally, log analysis revealed a request that returned a 200 status code, confirming that it was successfully processed and further indicating that the attack was executed successfully. To prevent further compromise, I took the initiative to contain the affected device.

<br />
<img width="700" height="600" alt="Image" src="https://github.com/user-attachments/assets/22782fae-208d-4296-92ca-25606bd8708f" />
<br />
<br />

Given that the attack was successfully executed, I proactively escalated the case to Tier 2 for a more thorough investigation. Tier 2 analysts possess deeper expertise and access to advanced tools, allowing them to perform detailed threat analysis, assess potential lateral movement, and implement appropriate containment and remediation measures. This escalation is essential to ensure the incident is fully understood and effectively mitigated, reducing the risk of further compromise.



## Conclusion

<br />
<img width="800" height="700" alt="Image" src="https://github.com/user-attachments/assets/55816029-4557-4009-ba0d-f3f3c9e8fbe4" />
<br />
<br />

The investigation was carried out successfully, with relevant actions taken to mitigate the impact and secure the environment.


Thank you for taking the time to read through this. Your feedback is always appreciated!
File snapshot

[4.0K] /data/pocs/35998f3bfb81b46074284a09b56dd1e75c61b2cf └── [5.8K] README.md 0 directories, 1 file