Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)

Atlassian issued an Advisory on October 4, 2023, for CVE-2023-22515, a critical severity vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability was initially published as a Privilege Escalation vulnerability but was later updated to a Broken Access Control Vulnerability, Atlassian has also rated the vulnerability with 10 CVSS score. On October 5, 2023, the vulnerability was included in “CISA’s Known Exploited Vulnerabilities Catalog”.
Atlassian 于 2023 年 10 月 4 日发布了针对 CVE-2023-22515 的公告,CVE-2023-22515 是一个影响 Confluence Server 和 Data Center 的严重性漏洞。根据公告,该漏洞最初发布为权限升级漏洞,但后来更新为访问控制中断漏洞,Atlassian 也将该漏洞评为 10 CVSS 分数。2023年10月5日,该漏洞被收录在《CISA已知漏洞目录》中。

Qualys Web Application Scanning released two QIDs, 150725 & 150745, to address CVE-2023-22515.
Qualys Web Application Scanning 发布了两个 QID(150725 和 150745),以解决 CVE-2023-22515。

QID 150725 was released with detection logic that detects the vulnerable version of the Confluence application based on the response to requests sent to the server. 
QID 150725 的发布带有检测逻辑,该逻辑根据对发送到服务器的请求的响应来检测 Confluence 应用程序的易受攻击版本。

QID 150745 is an intrusive detection that exploits vulnerable servers by sending requests to the vulnerable endpoint. Vulnerable and unpatched servers are flagged when application configuration alteration is confirmed. Subsequently, it verifies the accessibility of Administrator endpoints and finally leverages the same vulnerability to restore the application configuration. 
QID 150745是一种侵入式检测,它通过向易受攻击的端点发送请求来利用易受攻击的服务器。当确认应用程序配置更改时,会标记易受攻击和未修补的服务器。随后,它验证管理员端点的可访问性,并最终利用相同的漏洞来恢复应用程序配置。

About CVE-2023-22515 关于CVE-2023-22515

CVE-2023-22515 is an unauthenticated critical severity vulnerability allowing remote attackers to create unauthorized Confluence Administrator accounts and access Confluence instances. Although the vulnerability is categorized as a Broken Access Control, the initial exploitation stage requires Injection which modifies the application’s configuration, granting unrestricted access to Administrator setup endpoints. The vulnerability affects Confluence versions 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1 and is fixed in versions 8.3.3, 8.4.3 and 8.5.2 or later.
CVE-2023-22515 是一个未经身份验证的严重性漏洞,允许远程攻击者创建未经授权的 Confluence 管理员帐户并访问 Confluence 实例。尽管该漏洞被归类为“访问控制中断”,但初始利用阶段需要注入来修改应用程序的配置,从而授予对管理员设置端点的无限制访问权限。该漏洞影响 Confluence 版本 8.0.0、8.0.1、8.0.2、8.0.3、8.0.4、8.1.0、8.1.1、8.1.3、8.1.4、8.2.0、8.2.1、8.2.2、8.2.3、8.3.0、8.3.1、8.3.2、8.4.0、8.4.1、8.4.2、8.5.0、8.5.1,并在版本 8.3.3、8.4.3 和 8.5.2 或更高版本中修复。

Exploitation Overview 漏洞利用概述

The Exploitation chain consists of three stages:
开发链由三个阶段组成:

  • First, we modify the setup completion status of the Confluence application, thereby gaining unrestricted access to the setup administrator page.
    首先,我们修改 Confluence 应用程序的安装完成状态,从而获得对安装管理员页面的不受限制的访问。
  • Following that, we evade the Confluence application’s XSRF security token policy check, which allows us to register an attacker-controlled Administrator account.
    之后,我们规避了 Confluence 应用程序的 XSRF 安全令牌策略检查,这允许我们注册一个攻击者控制的管理员帐户。
  • Lastly, we exit the setup wizard to prevent the “setup successful” message from being displayed to all users.
    最后,我们退出安装向导,以防止向所有用户显示“安装成功”消息。

Vulnerability Analysis 漏洞分析

Stage 1: Flipping Setup Completion Status
第 1 阶段:翻转设置完成状态

The initial request is sent to server-info action with bootstrapStatusProvider.applicationConfig.setupComplete=false as the payload parameter. When we access server-info.action endpoint without authentication returns a simple response with a “success” status message.
初始请求将发送到 server-info 操作,并将 bootstrapStatusProvider.applicationConfig.setupComplete=false 作为有效负载参数。当我们在没有身份验证的情况下访问 server-info.action 端点时,会返回一个简单的响应,其中包含“成功”状态消息。

GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false
GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false

The ‘success’ response confirms that the server is operational and doesn’t expose sensitive or detailed information directly through this endpoint.
“成功”响应确认服务器正常运行,并且不会直接通过此终结点公开敏感或详细信息。

Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)

Analyzing ServerInfoAction code within the com.atlassian.confluence.core.actions package:
分析 com.atlassian.confluence.core.actions 包中的 ServerInfoAction 代码:

package com.atlassian.confluence.core.actions; import com.atlassian.annotations.security.XsrfProtectionExcluded; import com.atlassian.confluence.core.ConfluenceActionSupport; import com.atlassian.confluence.security.access.annotations.PublicAccess; import com.atlassian.xwork.HttpMethod; import com.atlassian.xwork.PermittedMethods; public class ServerInfoAction extends ConfluenceActionSupport {   @PermittedMethods({HttpMethod.ANY_METHOD})   @XsrfProtectionExcluded   @PublicAccess   public String execute() throws Exception {     return "success";   } }

The class ServerInfoAction extends the ConfluenceActionSupport class, which likely handles specific functionalities. Within this class, there’s a method named execute(). It’s designed to be invoked using any HTTP method, exempt from XSRF protection, and accessible to the public without requiring authentication. When the execute method is called, it returns the string “success” once the action was executed successfully.
ServerInfoAction 类扩展了 ConfluenceActionSupport 类,该类可能处理特定的功能。在这个类中,有一个名为 execute() 的方法。它被设计为使用任何 HTTP 方法调用,不受 XSRF 保护,并且无需身份验证即可向公众访问。调用 execute 方法时,它会在操作成功执行后返回字符串“success”。

Moving forward, we’ll examine the extended class ConfluenceActionSupport located at com.atlassian.confluence.core:
接下来,我们将检查位于 com.atlassian.confluence.core 的扩展类 ConfluenceActionSupport:

package com.atlassian.confluence.core; [..SNIP..] public class ConfluenceActionSupport extends ActionSupport implements LocaleProvider, WebInterface, MessageHolderAware { [..SNIP..]   public BootstrapStatusProvider getBootstrapStatusProvider() {     if (this.bootstrapStatusProvider == null)       this.bootstrapStatusProvider = BootstrapStatusProviderImpl.getInstance();     return this.bootstrapStatusProvider;   } [..SNIP..]

Inside the Java class ConfluenceActionSupport, we see a public method named getBootstrapStatusProvider returning an object bootstrapStatusProvider. If the bootstrapStatusProvider is null, it initializes by calling BootstrapStatusProviderImpl.getInstance(), where the getInstance() method appears to get an instance of the bootstrap status provider. Once the object bootstrapStatusProvider is created or already exists, the method returns it.
在 Java 类 ConfluenceActionSupport 中,我们看到一个名为 getBootstrapStatusProvider 的公共方法返回一个对象 bootstrapStatusProvider。如果 bootstrapStatusProvider 为 null,则通过调用 BootstrapStatusProviderImpl.getInstance() 进行初始化,其中 getInstance() 方法似乎用于获取 bootstrap 状态提供程序的实例。创建或已存在对象 bootstrapStatusProvider 后,该方法将返回该对象。

Following that, BootstrapStatusProviderImpl class at com.atlassian.confluence.impl.setup, comprises a public method named getApplicationConfig which returns the ApplicationConfiguration object.
之后,com.atlassian.confluence.impl.setup 的 BootstrapStatusProviderImpl 类包含一个名为 getApplicationConfig 的公共方法,该方法返回 ApplicationConfiguration 对象。

package com.atlassian.confluence.impl.setup; [..SNIP..] public class BootstrapStatusProviderImpl implements BootstrapStatusProvider, BootstrapManagerInternal {   private static final Supplier instance = (Supplier)Suppliers.memoize(BootstrapStatusProviderImpl::initialiseBootstrapStatusProvider); [..SNIP..]   public ApplicationConfiguration getApplicationConfig() {     return this.delegate.getApplicationConfig();   } [..SNIP..] }

Inside the getApplicationConfig method, the method call to this.delegate.getApplicationConfig(); is using delegation where getApplicationConfig() is delegating the task of fetching application configuration on another object referred to as delegate.  
在 getApplicationConfig 方法中,方法调用 this.delegate.getApplicationConfig();使用委托,其中 getApplicationConfig() 将获取应用程序配置的任务委托给另一个称为委托的对象。

ApplicationConfiguration is an interface specifying multiple methods that any class can implement. Whichever class implements this interface will define the behavior of the methods. 
ApplicationConfiguration 是一个接口,指定任何类都可以实现的多个方法。无论哪个类实现此接口,都将定义方法的行为。

public interface ApplicationConfiguration { String getApplicationHome(); void setApplicationHome(String paramString) throws ConfigurationException; boolean isApplicationHomeValid(); void setProperty(Object paramObject1, Object paramObject2); [..SNIP..]   void setBuildNumber(String paramString);   boolean isSetupComplete();   void setSetupComplete(boolean paramBoolean);  //   void setConfigurationPersister(ConfigurationPersister paramConfigurationPersister); [..SNIP..]   void setConfigurationFileName(String paramString); }

Interestingly, it does have a method named setSetupComplete expecting one parameter of type Boolean.
有趣的是,它确实有一个名为 setSetupComplete 的方法,该方法需要一个 Boolean 类型的参数。

ApplicationConfig class implements the ApplicationConfiguration interface, and we do find a synchronized method called setSetupComplete:
ApplicationConfig 类实现了 ApplicationConfiguration 接口,我们确实找到了一个名为 setSetupComplete 的同步方法:

package com.atlassian.config; [..SNIP..] public class ApplicationConfig implements ApplicationConfiguration { [..SNIP..]  public synchronized void setSetupComplete(boolean setupComplete) { this.setupComplete = setupComplete; } [..SNIP..]  }

setSetupComplete method accepts a boolean parameter named setupComplete used to set the setup completion status.
setSetupComplete 方法接受一个名为 setupComplete 的布尔参数,用于设置设置完成状态。

The setupComplete variable of the class is assigned a value supplied as the parameter. The purpose of this parameter is to define or update the setup completion status of the Confluence application. The setup process is complete when we pass true as the setupComplete parameter. When we pass false, it indicates that the setup process is incomplete.
为类的 setupComplete 变量分配一个作为参数提供的值。此参数的用途是定义或更新 Confluence 应用程序的安装完成状态。当我们将 true 作为 setupComplete 参数传递时,设置过程就完成了。当我们传递 false 时,表示设置过程未完成。

Unifying components from classes such as ConfluenceActionSupportBootstrapStatusProviderImpl, and ApplicationConfig, we can chain method calls, including getBootstrapStatusProvider()getApplicationConfig(), and setSetupComplete(), which we’ve explored thus far.
统一 ConfluenceActionSupport、BootstrapStatusProviderImpl 和 ApplicationConfig 等类的组件,我们可以链接方法调用,包括 getBootstrapStatusProvider()、getApplicationConfig() 和 setSetupComplete(),我们到目前为止已经探索过这些调用。

  • getBootstrapStatusProvider(): This method is called to obtain an instance of the BootstrapStatusProvider.
    getBootstrapStatusProvider():调用此方法以获取 BootstrapStatusProvider 的实例。
  • getApplicationConfig(): This is called on the result of getBootstrapStatusProvider(). It retrieves the ApplicationConfig object. This object manages application configuration settings, including the setupComplete status.
    getApplicationConfig():这是根据 getBootstrapStatusProvider() 的结果调用的。它检索 ApplicationConfig 对象。此对象管理应用程序配置设置,包括 setupComplete 状态。
  • setSetupComplete(): Finally, setSetupComplete() is called on the ApplicationConfig object. This method sets the setupComplete status to either true or false, indicating the setup process for the application.
    setSetupComplete():最后,在 ApplicationConfig 对象上调用 setSetupComplete()。此方法将 setupComplete 状态设置为 true 或 false,指示应用程序的安装过程。

By chaining method calls, we efficiently set the setupComplete value to false using getBootstrapStatusProvider().getApplicationConfig().setSetupComplete(false);
通过链接方法调用,我们使用 getBootstrapStatusProvider().getApplicationConfig().setSetupComplete(false) 有效地将 setupComplete 值设置为 false;

Confluence uses the XWork2 framework, which manages actions, interceptors, and parameter binding, among other things. In XWork2, HTTP parameters are used to set properties in action classes, and the framework automatically maps these parameters to setter methods based on naming conventions.
Confluence 使用 XWork2 框架,该框架管理操作、拦截器和参数绑定等。在 XWork2 中,HTTP 参数用于设置操作类中的属性,框架根据命名约定自动将这些参数映射到 setter 方法。

Due to this, we can form an HTTP parameter that enables a series of method invocations.
因此,我们可以形成一个 HTTP 参数来启用一系列方法调用。

bootstrapStatusProvider.applicationConfig.setupComplete=false

Using the payload against the server-info.action endpoint would adjust the setupComplete value to false, signifying that the setup process remains incomplete. 
对 server-info.action 端点使用有效负载会将 setupComplete 值调整为 false,表示设置过程仍未完成。

Stage 2:  Accessing setupadministrator endpoint
第 2 阶段:访问 setupadministrator 端点

After the setupComplete attribute has been updated, the expected behavior would allow us to access the setup/setup administrator.action endpoint and create an Administrator account.
更新 setupComplete 属性后,预期行为将允许我们访问 setup/setup administrator.action 端点并创建管理员帐户。

However, when we send a POST request to this endpoint, we receive a 403 Forbidden response status code and a response body containing the following message: ‘Your request could not be processed because a required security token was not present in the request. You may need to re-submit the form or reload the page.’
但是,当我们向此端点发送 POST 请求时,我们会收到 403 Forbidden 响应状态代码和包含以下消息的响应正文:“无法处理您的请求,因为请求中不存在所需的安全令牌。您可能需要重新提交表单或重新加载页面。

Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)
Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)

According to Atlassian’s Enable XSRF protection in your app guide for Confluence:
根据 Atlassian 在 Confluence 应用指南中的启用 XSRF 保护:

Scripts that access Confluence remotely may have trouble acquiring or returning a security token or maintaining an HTTP session with the server. To opt out of token checking, include the following HTTP header in the request: X-Atlassian-Token: no-check
远程访问 Confluence 的脚本可能无法获取或返回安全令牌,也无法维护与服务器的 HTTP 会话。若要选择退出令牌检查,请在请求中包含以下 HTTP 标头:X-Atlassian-Token: no-check

Concerning the above guide, including X-Atlassian-Token: no-check in the HTTP Request Headers, we trigger the same request:
关于上述指南,包括 X-Atlassian-Token: no-check in the HTTP Request Headers,我们触发相同的请求:

Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)

That worked! We have now gained unrestricted access to the endpoint, receiving a 200 status for the Configure System Administrator Account – Confluence page. All that’s left is to include the POST request body with the necessary parameters for the Administrator account.
这奏效了!现在,我们已经获得了对端点的无限制访问权,在“配置系统管理员帐户 – Confluence”页面中获得了 200 状态。剩下的就是包含 POST 请求正文以及管理员帐户的必要参数。

Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)

A 302 redirect at the /setup/finishsetup.action endpoint is a sign of a successful request.
/setup/finishsetup.action 端点上的 302 重定向是请求成功的标志。

Stage 3: Finishing Setup
第 3 阶段:完成设置

In the final step, we proceed with another POST request to the /setup/finishsetup.action endpoint, effectively exiting the setup wizard.
在最后一步中,我们继续向 /setup/finishsetup.action 端点发出另一个 POST 请求,从而有效地退出安装向导。

Logging in as Administrator coldfx
以管理员身份登录 coldfx

Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)

Detecting the Vulnerability with Qualys WAS
使用 Qualys WAS 检测漏洞

When this vulnerability was disclosed, Atlassian Security Advisory mentioned this as a Privilege Escalation Vulnerability. Following that, Qualys WAS had released the following QID:
当此漏洞被披露时,Atlassian 安全公告将其称为权限升级漏洞。之后,Qualys WAS发布了以下QID:

150725: Atlassian Confluence Server and Data Center Privilege Escalation Vulnerability (CVE-2023-22515)
150725:Atlassian Confluence Server 和数据中心权限提升漏洞 (CVE-2023-22515)

However, Later Atlassian Security Advisory updated the vulnerability to a Broken Access Control Vulnerability. Thereafter, Qualys WAS has also updated the QID title. 
但是,后来的 Atlassian 安全公告将该漏洞更新为访问控制中断漏洞。此后,Qualys WAS也更新了QID标题。

Customers can detect this vulnerability on the target Confluence application using QIDs: 
客户可以使用 QID 在目标 Confluence 应用程序上检测到此漏洞:

Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)
150725: Atlassian Confluence Server and Data Center Broken Access Control Vulnerability
150725:Atlassian Confluence Server 和 Data Center 访问控制漏洞

(CVE-2023-22515) (CVE-2023-22515)
Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)
150745: Atlassian Confluence Server and Data Center Broken Access Control Vulnerability
150745:Atlassian Confluence Server 和 Data Center 访问控制中断漏洞

(CVE-2023-22515) (Exploitation Check)
(CVE-2023-22515)(漏洞利用检查)

Qualys WAS Report Qualys WAS 报告

Once the vulnerability is successfully detected, users shall see similar results in the vulnerability scan report for both the QIDs:
成功检测到漏洞后,用户将在两个 QID 的漏洞扫描报告中看到类似的结果:

Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)
QID 150725 – Vulnerability Scan Report
QID 150725 – 漏洞扫描报告
Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)
QID 150745 – Vulnerability Scan Report
QID 150745 – 漏洞扫描报告

Solution & Mitigation 解决方案和缓解措施

Due to the Vulnerability marked as Critical Severity and highlighted as CISA’s Known Exploited Vulnerabilities, organizations using the confluence application are strongly advised to upgrade to version 8.3.3, 8.4.3, 8.5.2, or later releases to remediate CVE-2023-22515 vulnerability. 
由于该漏洞标记为严重性并突出显示为 CISA 的已知利用漏洞,因此强烈建议使用 confluence 应用程序的组织升级到版本 8.3.3、8.4.3、8.5.2 或更高版本,以修复 CVE-2023-22515 漏洞。

For more patching and threat detection-related details, please refer to Atlassian Security Advisory.
有关修补和威胁检测相关的详细信息,请参阅 Atlassian 安全公告。

Credits 学分

Atlassian Security Advisory: https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
Atlassian 安全公告:https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html

CVE Details: CVE 详细信息:

References 引用

 

原文始发于Mayank Deshmukh, Senior Web Application Signatures Engineer:Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515)

版权声明:admin 发表于 2023年11月17日 上午8:55。
转载请注明:Atlassian Confluence Broken Access Control Vulnerability (CVE-2023-22515) | CTF导航

相关文章

暂无评论

暂无评论...