Atlassian Confluence RCE exploit (CVE-2019-3396) #11717
Conversation
|
Recreated pull request #11711 from a unique branch. |
| # Returns a upload template. | ||
| # | ||
| # @return [String] | ||
| def get_upload_vm() |
There was a problem hiding this comment.
Empty braces for method definitions, as used here, and elsewhere in this module, are unnecessary. They may also be considered bad style, and will raise Rubocop warnings.
| java_home = get_java_home_path | ||
|
|
||
| if java_home.blank? | ||
| fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.') |
There was a problem hiding this comment.
Would it be worth making this a user-configurable option?
There was a problem hiding this comment.
I don't think it be worth making this a user-configurable option, as this path depends on Confluence installation path, because JRE is part of Confluence package. As well as temp folder path.
|
This is in @asoto-r7's very capable hands now! Thanks! |
|
Hi @rrockru, thanks for the module! I've set up fresh Confluence test environments in both Linux (Ubuntu Desktop 16.04.6 LTS x64) and Windows (Win10 x64), but am having trouble getting the check or exploit methods to succeed. Let me walk through my steps and you can tell me where I'm going wrong.
Note the final few lines include a Looking at the packet capture, I see no attempt for the Confluence target to reach back to the attacker via the specified port 8021:
A few questions:
Thanks again for the module! I'm looking forward to landing it! |
|
Hi @asoto-r7 . After analyzing problem I found that servers that I used to check are use Confluence based on Tomcat 8.0. It's strange, because fresh install of Confluence based on Tomcat 9.0 and I have same problem with exploitation. Also I found that Tomcat was updated with Confulence version 6.10. I will try to bypass that limitation. But it seems that presently exploit works only before Confulence v6.10. |
|
Hmmm... It's very strange. Module works fine with Confluence 6.10 and 6.11. Seems like problem somewhere else. |
|
@haydar68 : The exploit has not yet been integrated into the Framework, and there will be a delay before you'll see it in Kali. This forum is for development and contributor efforts only, but feel free to reach out to us on the Metasploit Slack and we'll walk you through getting it set up in advance: |
|
@rrockru: Thanks for the feedback. There are a few things I'd like to see; not all of these are required before we can land the module. I'll keep working on this myself as well, but feel free to knock any of these out as well. It would be nice to:
We definitely need to:
EDIT: I was able to fix the |
|
A few bugs I'm working through.... Misleading "connection timed out" messagesWhen a target refuses the connection (e.g. when specifying an invalid RPORT), the exploit reports that the connection timed out, which is unexpected:
|
|
@asoto-r7 Thanks for your fixes. I'll use your recommendations in the future.
Right now I try to determine what the problem. I see that vulnerability triggers on Confluence 6.12 and above, but in the logs I see some problem with fetching resource from the URL. It's behaviour is the same for FTP and HTTPS resources. After some research I found that Tomcat's ParallelWebappClassLoader class unable to find resource by url using WebappClassLoaderBase's function findResource(). This function always returns null. |
|
Confluence 6.12.0 on Ubuntu 16.04 x64 also works with both Linux and Java payload. |
|
Finally found the problem, as i think. In |
|
Thanks, that's a reasonable explanation. |
|
Awesome. Thanks @rrockru for the follow up explanation. Supposedly later versions are vulnerable, but they may not be exploitable. In any event, let's get this landed. Testing StatusAccording to the CVE, this affects Confluence versions:
In my testing, the exploit works reliably and stably against:
Exploit failed gracefully on non-vulnerable versions. The check says not exploitable and the exploit fails gracefully.
Exploit fails on some versions that should be vulnerable. The check says not exploitable and the exploit fails gracefully, but it should be vulnerable:
|
Release NotesThe multi/http/confluence_widget_connector exploit module has been added to the framework. This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro to execute arbitrary code (CVE-2019-3396). It affects Atlassian Confluence versions 6.0.0 before 6.6.12, |
|
Awesome! Thanks, guys! |
gdavidson-r7
added
the
rn-modules
Description
This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro before 6.14.2 to execute arbitrary code (CVE-2019-3396). No authentication is required to exploit this vulnerability.
The vulnerability exists in the Widget Connector Macro which allow inject the "_template" from the outside for some services, such as Youtube, Viddler, DailyMotion, etc.
The module has been tested with on Atlassian Confluence 6.6.12, 6.8.2, 6.12.0 and 6.13.0 using Java, Windows and Linux meterpreter payload.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396
https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html
Vulnerable Application
Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2.
Verification Steps
List the steps needed to make sure this thing works
msfconsoleuse exploit/multi/http/confluence_widget_connectorset RHOST <IP>set RPORT <PORT>set SRVHOST <HOST_IP>checkThe target is vulnerableexploitOptions
Scenario
Tested on Confluence 6.8.2 with Windows target
Tested on Confluence 6.8.2 with Java target
Tested on Confluence 6.8.2 with Linux target