Atlassian Confluence RCE exploit (CVE-2019-3396) #11717
This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro before 6.14.2 to execute arbitrary code (CVE-2019-3396). No authentication is required to exploit this vulnerability.
The vulnerability exists in the Widget Connector Macro, which allows injecting the "_template" from the outside for some services, such as YouTube, Viddler, DailyMotion, etc.
The module has been tested on Atlassian Confluence 6.6.12, 6.8.2, 6.12.0 and 6.13.0 using the Java, Windows and Linux Meterpreter payloads.
Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2.
List the steps needed to make sure this thing works
Tested on Confluence 6.8.2 with Windows target
Tested on Confluence 6.8.2 with Java target
Tested on Confluence 6.8.2 with Linux target
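The affected ranges above have a gap (6.6.12 up to 6.7.0 is not affected, only the later branches are), so a plain "less than 6.14.2" comparison would misreport them. The following is an added example, not code from this module or from Metasploit, that encodes the four ranges from the description and reports whether a discovered Confluence version falls inside one. The `ajs-version-number` meta tag it parses is an assumption about how Confluence pages expose their version, and the HTML it runs on is a constructed sample, not a captured response.

```ruby
require 'rubygems' # Gem::Version gives correct multi-segment comparison (6.8.2 < 6.12.3)

# Affected ranges for CVE-2019-3396 as listed in the PR description:
#   < 6.6.12, 6.7.0 <= v < 6.12.3, 6.13.0 <= v < 6.13.3, 6.14.0 <= v < 6.14.2
# Each entry is [first affected version (nil = any), first fixed version (exclusive)].
AFFECTED_RANGES = [
  [nil,      '6.6.12'],
  ['6.7.0',  '6.12.3'],
  ['6.13.0', '6.13.3'],
  ['6.14.0', '6.14.2'],
].freeze

# true if the version is inside an affected range, false if outside,
# nil if the string is not a parseable version (unknown, not "safe").
def vulnerable_version?(version_str)
  v = Gem::Version.new(version_str)
  AFFECTED_RANGES.any? do |lo, hi|
    (lo.nil? || v >= Gem::Version.new(lo)) && v < Gem::Version.new(hi)
  end
rescue ArgumentError
  nil
end

# Pull the version out of a Confluence HTML page. The ajs-version-number
# meta tag is an assumption for this example; verify it against your instance.
def extract_confluence_version(html)
  m = html.match(/<meta\s+name="ajs-version-number"\s+content="([\d.]+)"/i)
  m && m[1]
end

# Constructed sample response for the demo (not captured from a real server).
SAMPLE_HTML = <<~HTML
  <html><head>
  <meta name="ajs-version-number" content="6.8.2">
  </head><body>Powered by Atlassian Confluence</body></html>
HTML

# Human-readable assessment of one HTML response.
def assess(html)
  ver = extract_confluence_version(html)
  return 'version not found' if ver.nil?

  case vulnerable_version?(ver)
  when true  then "Confluence #{ver}: in an affected range for CVE-2019-3396"
  when false then "Confluence #{ver}: outside the affected ranges"
  else            "Confluence #{ver}: version string not parseable"
  end
end

puts assess(SAMPLE_HTML) if __FILE__ == $PROGRAM_NAME
```

Version-range checks like this only say whether a host is in scope for patching; as the thread below shows, being in an affected range does not guarantee the exploit path actually works on a given build.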
Apr 12, 2019
Hi @rrockru, thanks for the module!
I've set up fresh Confluence test environments in both Linux (Ubuntu Desktop 16.04.6 LTS x64) and Windows (Win10 x64), but am having trouble getting the check or exploit methods to succeed. Let me walk through my steps and you can tell me where I'm going wrong.
Note the final few lines include a
Looking at the packet capture, I see no attempt by the Confluence target to reach back to the attacker via the specified port 8021:
A few questions:
Thanks again for the module! I'm looking forward to landing it!
Hi @asoto-r7. After analyzing the problem, I found that the servers I used to check use Confluence based on Tomcat 8.0. It's strange, because a fresh install of Confluence is based on Tomcat 9.0 and I have the same problem with exploitation. Also I found that Tomcat was updated with Confluence version 6.10. I will try to bypass that limitation. But it seems that presently the exploit works only before Confluence v6.10.
@haydar68 : The exploit has not yet been integrated into the Framework, and there will be a delay before you'll see it in Kali. This forum is for development and contributor efforts only, but feel free to reach out to us on the Metasploit Slack and we'll walk you through getting it set up in advance:
@rrockru: Thanks for the feedback. There are a few things I'd like to see; not all of these are required before we can land the module. I'll keep working on this myself as well, but feel free to knock any of these out as well.
It would be nice to:
We definitely need to:
EDIT: I was able to fix the
A few bugs I'm working through....
Misleading "connection timed out" messages
When a target refuses the connection (e.g. when specifying an invalid RPORT), the exploit reports that the connection timed out, which is unexpected:
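The "timed out" versus "refused" distinction matters for triage: a refused connection means the port is closed or the service is down, while a real timeout usually means a filter or a dead host. The following is an added example, not the module's code, showing how a TCP probe can rescue the specific socket errors separately so that each failure is reported for what it is. The local listener it opens and closes is a constructed test condition.

```ruby
require 'socket'
require 'timeout'

# Map a connection failure to a message that says what actually happened,
# instead of reporting every failure as a timeout.
def describe_connect_error(err)
  case err
  when Errno::ECONNREFUSED
    'connection refused (port closed or service down)'
  when Errno::EHOSTUNREACH, Errno::ENETUNREACH
    'host or network unreachable'
  when Timeout::Error, Errno::ETIMEDOUT
    'connection timed out (no response before the deadline)'
  else
    "connect failed: #{err.class}: #{err.message}"
  end
end

# Attempt a TCP connect under an explicit deadline and return a status string.
def probe_tcp(host, port, timeout_secs = 3)
  Timeout.timeout(timeout_secs) { TCPSocket.new(host, port).close }
  'connected'
rescue SystemCallError, Timeout::Error => e
  describe_connect_error(e)
end

# Find a loopback port that nothing listens on (constructed test condition):
# bind an ephemeral port, read its number, release it.
def closed_local_port
  srv = TCPServer.new('127.0.0.1', 0)
  port = srv.addr[1]
  srv.close
  port
end

if __FILE__ == $PROGRAM_NAME
  puts "closed port -> #{probe_tcp('127.0.0.1', closed_local_port)}"
end
```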
@asoto-r7 Thanks for your fixes. I'll use your recommendations in the future.
Right now I'm trying to determine what the problem is. I see that the vulnerability triggers on Confluence 6.12 and above, but in the logs I see some problem with fetching the resource from the URL. Its behaviour is the same for FTP and HTTPS resources. After some research I found that Tomcat's ParallelWebappClassLoader class is unable to find a resource by URL using WebappClassLoaderBase's function findResource(). This function always returns null.
Finally found the problem, as I think. In
Awesome. Thanks @rrockru for the follow up explanation. Supposedly later versions are vulnerable, but they may not be exploitable. In any event, let's get this landed.
According to the CVE, this affects Confluence versions:
In my testing, the exploit works reliably and stably against:
Exploit failed gracefully on non-vulnerable versions. The check says not exploitable and the exploit fails gracefully.
Exploit fails on some versions that should be vulnerable. The check says not exploitable and the exploit fails gracefully, but it should be vulnerable:
Apr 18, 2019
The multi/http/confluence_widget_connector exploit module has been added to the framework. This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro to execute arbitrary code (CVE-2019-3396). It affects Atlassian Confluence versions 6.0.0 before 6.6.12,