CVE-2023-22518: Confluence Auth Bypass Restore From Backup RCE #18566
Conversation
jheysel-r7
changed the title
There was a problem hiding this comment.
Thanks @jheysel-r7 for this great module! I just left a few minor comments. I also tested against Confluence version 8.5.1 and it works great!
There was a problem hiding this comment.
Is this file needed? It doesn't seem to be loaded by this module.
There was a problem hiding this comment.
I believe these two files are required by the mixin structure, although please correct me if I'm wrong. Deleting atlassian.rb and confluence.rb but keeping .../atlassian/confluence/version.rb results in:
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > reload_lib --all
[-] /Users/jheysel/rapid7/metasploit-framework/lib/msf/core/exploit/remote/http/atlassian.rb must exist and be a .rb file
[-] /Users/jheysel/rapid7/metasploit-framework/lib/msf/core/exploit/remote/http/atlassian/confluence.rb must exist and be a .rb file
There was a problem hiding this comment.
Is this file needed?
lib/msf/core/exploit/remote/http/atlassian/confluence/version.rb
Outdated
Show resolved
Hide resolved
modules/exploits/multi/http/atlassian_confluence_unauth_backup.rb
Outdated
Show resolved
Hide resolved
| if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) || | ||
| confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) || | ||
| confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) || | ||
| confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) |
There was a problem hiding this comment.
The advisory also says version 8.6.1 has been fixed. Should it be added to the vulnerable version range?
There was a problem hiding this comment.
Good catch! The only affected version in 8.6.x seems to be 8.6.0 so I'll just add an explicit check for that version.
There was a problem hiding this comment.
Good catch! The only affected version in 8.6.x seems to be 8.6.0 so I'll just add an explicit check for that version.
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
There was a problem hiding this comment.
Thanks for the review @cdelafuente-r7!! I've pushed a couple changes.
| if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) || | ||
| confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) || | ||
| confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) || | ||
| confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) |
There was a problem hiding this comment.
Good catch! The only affected version in 8.6.x seems to be 8.6.0 so I'll just add an explicit check for that version.
| if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) || | ||
| confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) || | ||
| confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) || | ||
| confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) |
There was a problem hiding this comment.
Good catch! The only affected version in 8.6.x seems to be 8.6.0 so I'll just add an explicit check for that version.
There was a problem hiding this comment.
I believe these two files are required by the mixin structure, although please correct me if I'm wrong. Deleting atlassian.rb and confluence.rb but keeping .../atlassian/confluence/version.rb results in:
msf6 exploit(multi/http/atlassian_confluence_unauth_backup) > reload_lib --all
[-] /Users/jheysel/rapid7/metasploit-framework/lib/msf/core/exploit/remote/http/atlassian.rb must exist and be a .rb file
[-] /Users/jheysel/rapid7/metasploit-framework/lib/msf/core/exploit/remote/http/atlassian/confluence.rb must exist and be a .rb file
|
Thanks for updating this @jheysel-r7. Apparently, I've tested without these files and the module seems to run fine. |
|
You learn something new everyday :) Thanks for your patience and taking the time to explain that @cdelafuente-r7! I've removed those two files in 5d5ccd2 |
|
Thanks for updating this @jheysel-r7 ! Everything looks good to me now. I tested against Confluence version 8.5.1 and verified I got a session. I'll go ahead and land it.
|
cdelafuente-r7
added
the
rn-modules
Release notesThis adds an exploit module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then login with the credentials from the backup file to gain administrative access to the server. |
This PR adds a module for CVE-2023-22518, an Improper Authorization vulnerability in Confluence which allows an attacker to upload and restore a .zip backup file to the server containing a known user name and password. The attacker can then login with the credentials from the backup file to gain administrative access to the server.
The PR also includes a PluginPayload mixin which makes it easy to upload a metasploit .jsp payload to the server as a Confluence Plugin. The mixin work was primarily written by Stephen Fewer in his CVE-2023-22515 module and was refactored as a part of this PR.