CVE-2023-22518: Confluence Auth Bypass Restore From Backup RCE #18566
Thanks @jheysel-r7 for this great module! I just left a few minor comments. I also tested against Confluence version 8.5.1 and it works great!
Is this file needed? It doesn't seem to be loaded by this module.
I believe these two files are required by the mixin structure, although please correct me if I'm wrong. Deleting atlassian.rb and confluence.rb but keeping .../atlassian/confluence/version.rb results in:
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > reload_lib --all
[-] /Users/jheysel/rapid7/metasploit-framework/lib/msf/core/exploit/remote/http/atlassian.rb must exist and be a .rb file
[-] /Users/jheysel/rapid7/metasploit-framework/lib/msf/core/exploit/remote/http/atlassian/confluence.rb must exist and be a .rb file
Is this file needed?
lib/msf/core/exploit/remote/http/atlassian/confluence/version.rb
modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb
if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) || | ||
confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) || | ||
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) || | ||
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) |
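Review bot: the gate in this hunk covers only the four between? ranges, but the thread identifies 8.6.0 as affected while 8.6.1 is fixed; append the explicit 8.6.0 comparison to this same `||` chain (after the `('8.5.0'), ... ('8.5.2')` line) rather than as a separate condition, so the version check stays one boolean expression, and add a comment beside the bounds noting which advisory ranges each pair mirrors so the upper bounds can be cross-checked when new fixed releases ship.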
The advisory also says version 8.6.1 has been fixed. Should it be added to the vulnerable version range?
Good catch! The only affected version in 8.6.x seems to be 8.6.0, so I'll just add an explicit check for that version.
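The version gate discussed above, written out as a stand-alone check (an added example, not the module's or the PR's code). It copies the four inclusive ranges from the review hunk and adds the explicit 8.6.0 match the discussion settles on; Gem::Version, which ships with Ruby, is assumed as a stand-in for Rex::Version, which only exists inside Metasploit. It goes one step further than the hunk by triaging a constructed host inventory into affected, not affected and unknown buckets, so a malformed banner is reported rather than silently counted as safe.

```ruby
# Added example (not the module's or the PR's code): a stand-alone version gate
# mirroring the between? chain under review, plus the explicit 8.6.0 check the
# discussion settled on. Gem::Version (bundled with Ruby) stands in for
# Rex::Version, which is only available inside Metasploit.
require 'rubygems'

# Inclusive [low, high] ranges copied from the review hunk.
VULNERABLE_RANGES = [
  ['1.0.0',  '7.19.15'],
  ['7.20.0', '8.3.3'],
  ['8.4.0',  '8.4.3'],
  ['8.5.0',  '8.5.2']
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Single affected version outside the ranges, per the review discussion.
VULNERABLE_EXACT = [Gem::Version.new('8.6.0')].freeze

# Returns true if the given Confluence version string falls inside the
# affected set, false otherwise, and nil if the string is not a valid version
# (so a scanner can report "unknown" rather than "not affected").
def vulnerable_confluence_version?(version_string)
  version = Gem::Version.new(version_string.to_s.strip)
  VULNERABLE_RANGES.any? { |lo, hi| version.between?(lo, hi) } ||
    VULNERABLE_EXACT.include?(version)
rescue ArgumentError
  nil
end

# Constructed sample inventory (hypothetical hosts): host => version banner.
SAMPLE_INVENTORY = {
  'wiki-a.example.test' => '8.5.1',
  'wiki-b.example.test' => '8.6.0',
  'wiki-c.example.test' => '8.6.1',
  'wiki-d.example.test' => '7.19.16',
  'wiki-e.example.test' => 'unknown'
}.freeze

# Groups hosts by assessment so patch work can be prioritised; hosts whose
# banner could not be parsed land in :unknown instead of :not_affected.
def triage(inventory)
  inventory.each_with_object({ affected: [], not_affected: [], unknown: [] }) do |(host, ver), acc|
    case vulnerable_confluence_version?(ver)
    when true then acc[:affected] << host
    when false then acc[:not_affected] << host
    else acc[:unknown] << host
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_INVENTORY).each { |bucket, hosts| puts "#{bucket}: #{hosts.join(', ')}" }
end
```

Gem::Version includes Comparable, so between? and == behave the same way as in the hunk; the rescue on ArgumentError is what keeps a banner such as "unknown" from being misreported as patched.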
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
Thanks for the review @cdelafuente-r7!! I've pushed a couple changes.
Thanks for updating this @jheysel-r7. Apparently, I've tested without these files and the module seems to run fine.
You learn something new every day :) Thanks for your patience and taking the time to explain that @cdelafuente-r7! I've removed those two files in 5d5ccd2
Thanks for updating this @jheysel-r7 ! Everything looks good to me now. I tested against Confluence version 8.5.1 and verified I got a session. I'll go ahead and land it.
Release notes: This adds an exploit module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then login with the credentials from the backup file to gain administrative access to the server.
This PR adds a module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then login with the credentials from the backup file to gain administrative access to the server.
The PR also includes a PluginPayload mixin which makes it easy to upload a metasploit .jsp payload to the server as a Confluence Plugin. The mixin work was primarily written by Stephen Fewer in his CVE-2023-22515 module and was refactored as a part of this PR.