Exploit CVE-2023–22515 to get admin access to Confluence Server and Data Center editions.
利用 CVE-2023–22515 获取对 Confluence 服务器和数据中心版本的管理员访问权限。

Introduction 介绍

On 上October 4th, 2023, Atlassian released a security advisory regarding CVE-2023–22515, a broken access control vulnerability, with an assigned CVSS score of 10.0. The vulnerability was introduced in version 8.0.0 of Confluence Server and Data Center editions and is present in versions <8.3.3, <8.4.3, <8.5.2. According to Atlassian, the vulnerability has already been exploited in the wild.
2023 年 10 月 4 日，Atlassian 发布了有关 CVE-2023–22515 的安全公告，CVE-2023–22515 是一个中断的访问控制漏洞，分配的 CVSS 分数为 10.0。该漏洞是在 Confluence Server 和数据中心版本 8.0.0 中引入的，存在于版本 <8.3.3 、 、 <8.4.3 <8.5.2 中。根据Atlassian的说法，该漏洞已经在野外被利用。

An attacker can exploit the vulnerability to create an additional account in Confluence with full administrative privileges. The attacker needs no prior information to exploit the vulnerability. The vulnerability is believed to enable other unknown attack vectors and should be patched as soon as possible.
攻击者可以利用此漏洞在 Confluence 中创建具有完全管理权限的额外帐户。攻击者不需要事先信息即可利用此漏洞。该漏洞被认为会启用其他未知攻击媒介，应尽快修补。

Starting the VM 启动虚拟机

To deploy the attached VM, press the green Start Machine button at the top of the task.
若要部署附加的 VM，请按任务顶部的绿色“启动计算机”按钮。

Your VM has a clean trial installation of the Atlassian Confluence Data Center edition running on http://MACHINE_IP:8090, which will serve as our target. The machine may take around 5 minutes to boot up.
您的 VM 在 上运行 http://MACHINE_IP:8090 了 Atlassian Confluence Data Center 版本的干净试用版，该版本将作为我们的目标。计算机可能需要大约 5 分钟才能启动。

Understanding the Vulnerability
了解漏洞

Confluence’s Initial Setup
汇流的初始设置

When running Confluence for the first time, you’ll go through the initial setup, which allows you to configure some basic parameters and create an administrative account. The initial setup can be reached by navigating to http://MACHINE_IP:8090/setup/.
首次运行 Confluence 时，您将完成初始设置，这允许您配置一些基本参数并创建管理帐户。可通过导航到 http://MACHINE_IP:8090/setup/ 来访问初始设置。

If you try to access the initial setup after you have completed it, you won’t be able to go through the setup again but will be greeted with a message stating that the setup process is already complete:
如果您在完成初始设置后尝试访问初始设置，您将无法再次完成设置，但会收到一条消息，指出设置过程已完成：

This is normal expected behaviour and would normally not be useful for an attacker at all.
这是正常的预期行为，通常对攻击者根本没有用处。

Enter CVE-2023–22515 输入CVE-2023–22515

This vulnerability allows an attacker to reenable the initial setup process. In doing so, the attacker can go through the step of creating a new administrator all over again.
此漏洞允许攻击者重新启用初始设置过程。这样，攻击者可以重新完成创建新管理员的步骤。

This is all possible because Confluence is built using the Apache Struts framework, which depends on the XWork package. XWork allows you to define Actions in the form of a Java class. Each Action can be invoked through a URL, and the corresponding Java class will handle the request, do whatever the Action requires, and emit a response.
这一切都是可能的，因为Confluence是使用Apache Struts框架构建的，该框架依赖于XWork包。XWork 允许您以 Java 类的形式定义 Actions。每个 Action 都可以通过 URL 调用，相应的 Java 类将处理请求，执行 Action 需要的任何操作，并发出响应。

To clarify how Actions work, navigate to http://MACHINE_IP:8090/. You should immediately be redirected to http://MACHINE_IP:8090/login.action. This URL calls an Action bound to a Java class to handle login attempts. When an Action is invoked through its URL, the execute() method of the class will be called by default.
要阐明操作的工作原理，请导航到 http://MACHINE_IP:8090/ 。您应立即被重定向至 http://MACHINE_IP:8090/login.action 。此 URL 调用绑定到 Java 类的操作来处理登录尝试。当通过其 URL 调用 Action 时， execute() 默认情况下将调用该类的方法。

Calling Getters/Setters via XWorks
通过 XWorks 调用 getter/setter

We can also call getters and setters in Action classes by using a URL specifying an HTTP parameter with the chain of attributes we want to get/set. As an example, if the login Action class had a setId() method, we could invoke it via the following URL:
我们还可以在 Action 类中调用 getter 和 setter，方法是使用 URL 指定一个 HTTP 参数以及我们想要获取/设置的属性链。例如，如果登录 Action 类有一个 setId() 方法，我们可以通过以下 URL 调用它：

http://MACHINE_IP:8090/login.action?Id=123

This would execute setId('123') as defined in the corresponding Action class.
这将 setId('123') 按照相应 Action 类中的定义执行。

Chaining Getters/Setters to Reenable the Initial Setup
链接固定器/设置器以重新启用初始设置

The reported exploit takes advantage of the ServerInfoAction Action. The reason for picking this specific Action is that we can build a chain of getters/setters from it to set the configuration parameter that turns the initial setup on or off.
报告的漏洞利用了该 ServerInfoAction 操作。选择此特定操作的原因是，我们可以从中构建一个 getter/setter 链，以设置打开或关闭初始设置的配置参数。

If you analyse the code of the ServerInfoAction class, you’ll see it extends the ConfluenceActionSupport class. By doing so, it will inherit all of its methods as well. One such method is a getter that returns a BootstrapStatusProvider object:
如果你分析类的代码，你会看到它扩展了 ServerInfoAction ConfluenceActionSupport 类。通过这样做，它也将继承其所有方法。一个这样的方法是返回对象的 BootstrapStatusProvider getter：

public class ConfluenceActionSupport extends ActionSupport implements LocaleProvider, WebInterface, MessageHolderAware {
  public BootstrapStatusProvider getBootstrapStatusProvider() {
    if (this.bootstrapStatusProvider == null)
      this.bootstrapStatusProvider = BootstrapStatusProviderImpl.getInstance(); 
    return this.bootstrapStatusProvider;
  }
}

We care about the BootstrapStatusProvider class because it has another getter method we can use to retrieve an ApplicationConfiguration object:
我们关心这个类， BootstrapStatusProvider 因为它有另一个可以用来检索 ApplicationConfiguration 对象的 getter 方法：

public class BootstrapStatusProviderImpl implements BootstrapStatusProvider, BootstrapManagerInternal {
  public ApplicationConfiguration getApplicationConfig() {
    return this.delegate.getApplicationConfig();
  }
}

As you have probably guessed by now, this object contains the application’s configuration, including an attribute that tells Confluence if the initial setup has been finished. Such attribute can be modified by using a setter in the ApplicationConfig class:
正如您现在可能已经猜到的那样，此对象包含应用程序的配置，包括一个属性，该属性告诉 Confluence 初始设置是否已完成。可以通过在 ApplicationConfig 类中使用 setter 来修改此类属性：

public class ApplicationConfig implements ApplicationConfiguration {
  public synchronized void setSetupComplete(boolean setupComplete) {
    this.setupComplete = setupComplete;
  }  
}

If we call setSetupComplete(false), we will effectively reenable the initial setup. Putting it all together, we can call that chain of getters/setters by accessing the following URL:
如果我们调用 setSetupComplete(false) ，我们将有效地重新启用初始设置。综上所述，我们可以通过访问以下 URL 来调用该 getter/setter 链：

http://MACHINE_IP:8090/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false

This will be effectively translated by XWork into a call to:
XWork将有效地将其转化为对以下人员的呼吁：

getBootstrapStatusProvider().getApplicationConfig().setSetupComplete(false)

Now, go to your browser and navigate to the crafted URL to trigger the vulnerability. You should get the following response from the server:
现在，转到浏览器并导航到构建的 URL 以触发漏洞。您应该从服务器收到以下响应：

Creating an Admin Account
创建管理员帐户

Now that we can access the initial setup once again, let’s browse to:
现在我们可以再次访问初始设置，让我们浏览到：

http://MACHINE_IP:8090/setup/setupadministrator-start.action

Fill in the details of your new admin user and click next:
填写新管理员用户的详细信息，然后单击下一步：

If all goes well, you should get access to Confluence with administrative privileges!
如果一切顺利，您应该可以使用管理权限访问Confluence！

In this task, we have gone through a quick explanation of the vulnerability. If you want a more in-depth look at the technical details, check Rapid7 analysis in attackerKB.
在此任务中，我们对漏洞进行了快速解释。如果您想更深入地了解技术细节，请查看攻击者知识库中的 Rapid7 分析。

Questions: 问题：

Log into Confluence with your new credentials. What is the value of the flag posted by admin?
使用您的新凭据登录 Confluence。管理员发布的标志的价值是多少？

THM{who_needs_keys_anyway}

Automating Exploitation 自动化开发

As we have seen, exploiting the vulnerability is relatively straightforward and can be done manually using a single request and a regular browser. Even so, automated exploits are readily available.
如我们所见，利用该漏洞相对简单，可以使用单个请求和常规浏览器手动完成。即便如此，自动漏洞利用还是很容易获得的。

Chocapikk developed one such exploit, which can be downloaded from here. Feel free to download and use the exploit against the target machine!
Chocapikk开发了一个这样的漏洞，可以从这里下载。随意下载并使用针对目标计算机的漏洞利用！

On the other hand, if you need to test many servers to see if they are vulnerable, a simple vulnerability scanner was developed by ErikWynter. It can be obtained from his GitHub page. Unlike Chocapikk’s script, this one will not exploit the vulnerability but test for it only.
另一方面，如果您需要测试许多服务器以查看它们是否易受攻击，ErikWynter开发了一个简单的漏洞扫描程序。它可以从他的GitHub页面获得。与Chocapikk的脚本不同，这个脚本不会利用该漏洞，而只会对其进行测试。

Questions: 问题：

Read Chocapikk’s script. What is the name of the Confluence user it creates?
阅读乔卡皮克的剧本。它创建的 Confluence 用户的名称是什么？

pleasepatch 请补丁

Detection and Patching 检测和修补

Detection 检波

Should you have an instance of a vulnerable version of Confluence, be sure to check for the following:
如果您有易受攻击的 Confluence 版本的实例，请务必检查以下内容：

• Network access logs pointing to /setup/*.action. There’s no reason for a regular user to request such URLs after installation.
  指向 的网络 /setup/*.action 访问日志。普通用户没有理由在安装后请求此类 URL。
• Network access logs to /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false.
  的网络 /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false 访问日志。
• Review your Confluence users and look for suspicious accounts and members of the confluence-administrators group.
  查看您的 Confluence 用户并查找可疑帐户和 confluence-administrators 组成员。

Patching 修补

All vulnerable instances should be upgraded to at least one of the following versions as soon as possible:
所有易受攻击的实例应尽快升级到以下版本的至少一个：

• 8.3.3
• 8.4.3
• 8.5.2

If upgrading is not possible immediately, access to the /setup/* endpoints may be blocked as a temporary measure. To do so, add the following security constraint inside the <web-app> tag in /<confluence-install-dir>/confluence/WEB-INF/web.xml:
如果无法立即升级，则可能会阻止对 /setup/* 终结点的访问作为临时措施。为此，请在 中的 <web-app> /<confluence-install-dir>/confluence/WEB-INF/web.xml 标记内添加以下安全约束：

<security-constraint>
  <web-resource-collection>
    <url-pattern>/setup/*</url-pattern>
    <http-method-omission>*</http-method-omission>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>

This will effectively restrict the access to /setup/*.
这将有效地限制对 /setup/* 的访问。

Remember that the mitigation instructions shouldn’t be considered a definitive patch but only an interim measure. Servers should still be upgraded as soon as it becomes possible.
请记住，缓解说明不应被视为最终补丁，而只是临时措施。服务器仍应尽快升级。

Questions: 问题：

Is Confluence Server version 8.2.0 vulnerable to CVE-2023–22515? (yea/nay)
Confluence Server 版本 8.2.0 是否容易受到 CVE-2023–22515 的攻击？（是/否）

yea 是的

Does applying mitigation actions replace the need to upgrade Confluence? (yea/nay)
应用缓解措施是否会取代升级 Confluence 的需求？（是/否）

nay 现在

Conclusion 结论

In this room, we have analysed a broken access control vulnerability in Atlassian Confluence Server and Data Center that allows attackers to create a new administrator in the vulnerable application. As we have seen, exploiting the vulnerability is trivial, making it imperative to patch Confluence servers as soon as possible. The vulnerability has been fixed in versions 8.3.3, 8.4.3 and 8.5.2. Any newer version branches should be safe as well.
在这个房间里，我们分析了 Atlassian Confluence Server 和数据中心中一个中断的访问控制漏洞，该漏洞允许攻击者在易受攻击的应用程序中创建新的管理员。正如我们所看到的，利用该漏洞是微不足道的，因此必须尽快修补Confluence服务器。该漏洞已在版本 和 8.4.3 8.5.2 中 8.3.3 修复。任何较新版本的分支也应该是安全的。

Since the vulnerability was found to be exploited in the wild, checking our servers for indicators of compromise is also important. Remember that the vulnerability has been likely used by a nation-state actor, as confirmed by Atlassian in the original security advisory.
由于发现该漏洞在野外被利用，因此检查我们的服务器是否存在入侵指标也很重要。请记住，正如 Atlassian 在原始安全公告中确认的那样，该漏洞可能已被民族国家行为者使用。

原文始发于YUVRAJ SINGH：Confluence CVE-2023–22515