Analysis of CVE-2023-22518 Authentication Bypass in Confluence


December 11, 2023

CVE-2023-22518 is a critical improper-authorization vulnerability in Confluence Data Center and Server, Atlassian's self-managed collaboration wiki. It was actively exploited in the wild by the C3RB3r (Cerber) ransomware-as-a-service operation, which targeted organizations running both the Windows and Linux builds of the product. Atlassian rated the CVSS score as critical, in the 9.1 to 10 range.

This analysis walks through the root cause in detail.

Setting up the Testing Lab

  1. Install the dependencies needed before proceeding with the Confluence installation:

`sudo apt-get update && sudo apt-get install mysql-server python` (the two commands must be chained with `&&`; `mysql-server` is the Debian/Ubuntu package name for the MySQL server)

I used Atlassian Confluence 8.0.4 for this analysis, which can be found here.

Installing process 

Activation

  1. Confluence does not bundle the MySQL JDBC driver, so the installer's database step fails until the MySQL Connector/J jar is added to the /opt/atlassian/confluence/confluence/WEB-INF/lib directory.
  2. Restart Confluence with sudo /opt/atlassian/confluence/bin/startup.sh.
  3. Create the database and a dedicated database user for Confluence:
CREATE DATABASE securedb CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;
CREATE USER 'admin123'@'localhost' IDENTIFIED BY 'supersecure';
GRANT ALL PRIVILEGES ON securedb.* TO 'admin123'@'localhost';
GRANT SUPER ON *.* TO 'admin123'@'localhost';
FLUSH PRIVILEGES;
  4. Then edit /etc/mysql/my.cnf and add the following lines under the [mysqld] section; READ-COMMITTED is the transaction isolation level Confluence requires before it will install:
transaction-isolation = READ-COMMITTED
log_bin_trust_function_creators = 1
  5. After restarting MySQL, return to the installation page on localhost:8090 and enter the database details created above.

Configure the system administrator account 

  1. Confluence is now installed successfully and ready for analysis.

Setting up the Debugging environment

I used IntelliJ IDEA to attach to the Java debugging port.

  1. Create a Remote JVM Debug configuration with the host and port (5005).
  2. Load the library jars from /opt/atlassian/confluence/confluence/WEB-INF/lib so that classes and breakpoints resolve.
  3. To start Confluence in debug mode, add

export JAVA_OPTS='-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5005'

to /opt/atlassian/confluence/bin/startup.sh. Note that address=0.0.0.0:5005 opens an unauthenticated JDWP listener on every interface, and anyone who can reach it can execute code inside the JVM, so do this only on an isolated lab host or bind to 127.0.0.1:5005 instead.

Reproducing CVE-2023-22518

I used this exploit to demonstrate the impact of CVE-2023-22518; it takes the target URL and the path of a zip file and injects a user with administrator privileges.

Intercepted in Burp Suite, the request looked as shown in the following picture:

It was a POST request to /json/setup-restore.action?synchronous=true carrying a zip file that looks like a Confluence site export; restoring it is what edits the administrator group. Reversing xmlexport-200123123001.zip showed nothing unusual: after unzipping, it is a normal export archive containing

attachments, plugin-data, resources, entities.xml and exportDescriptor.properties.
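The request above is easy to spot in web server or reverse-proxy logs once you know what to look for. The following detector is an added example, not code from the original post: it parses constructed access-log lines (the Tomcat/Apache "combined" format is an assumption) and flags any request that reaches a setup-restore action through a namespace other than /setup. Matching the whole setup-restore* family rather than only setup-restore.action is also an assumption, made so sibling actions are not missed.

```python
"""Flag requests that reach Confluence's setup-restore action outside the
/setup namespace, the request shape used by CVE-2023-22518.
Added example; the log lines below are constructed, not from a real incident.
"""
import re
from typing import Optional

# Apache/Tomcat "combined"-style access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The post discusses setup-restore.action; matching the family is an assumption.
RESTORE_ACTION_RE = re.compile(r'^setup-restore[\w-]*\.action$', re.I)


def restore_namespace(target: str) -> Optional[str]:
    """Return the Struts namespace when `target` addresses a setup-restore*
    action, else None. The query string is dropped and empty path segments
    (doubled slashes) are ignored before the last segment is tested."""
    route = target.split('?', 1)[0]
    segments = [s for s in route.split('/') if s]
    if not segments or not RESTORE_ACTION_RE.match(segments[-1]):
        return None
    return '/' + '/'.join(segments[:-1])


def is_bypass_attempt(target: str) -> bool:
    """True when the restore action is reached through any namespace whose
    last segment is not 'setup' (e.g. /json, /admin). Comparing only the last
    segment keeps a deployment context path such as /confluence from
    producing false positives."""
    ns = restore_namespace(target)
    if ns is None:
        return False
    return ns.rstrip('/').split('/')[-1] != 'setup'


def scan_log(text: str) -> list:
    """Parse log lines and return the suspicious requests as dicts."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if is_bypass_attempt(m['target']):
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
                         'target': m['target'], 'status': m['status']})
    return hits


# Constructed sample: two bypass attempts, one legitimate /setup restore,
# and unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2023:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [03/Nov/2023:10:15:09 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 812
198.51.100.23 - - [03/Nov/2023:10:16:40 +0000] "POST /confluence/admin/setup-restore-local.action HTTP/1.1" 302 -
192.0.2.10 - - [03/Nov/2023:10:20:00 +0000] "POST /setup/setup-restore.action HTTP/1.1" 302 -
203.0.113.7 - - [03/Nov/2023:10:21:33 +0000] "GET /dashboard.action HTTP/1.1" 200 64
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']} -> {hit['status']}")
```

A legitimate restore only ever arrives under /setup (and, on an instance that has finished setup, even that deserves a look), so any other namespace in front of the action is the signal; a 200 or 302 on such a request means the action ran and the site data should be treated as replaced.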

Reviewing struts.xml, which lives inside com.atlassian.confluence_confluence_8.0.4.jar,

shows that the action class mapped to the restore action is importexport.action.RestorePageAction.

The “RestorePage” action method invokes ExportDescriptor to read the key and build number from exportDescriptor.properties, as illustrated below:

entities.xml holds details such as the admin username and email address. The exploit works because restoring an archive built around the injected account overwrites the existing Confluence data with it.

I also exported a second set of data from Confluence itself (user-management > Backup & Restore > export) to compare the exploit's archive against a genuine one.

The backup was generated successfully and the zip file was produced.

Debugging

I set a breakpoint in RestoreAction.class at the validation method, which is responsible for validating the uploaded restore file.

The method first saves the uploaded file using getRestoreFilefromUpload.

getExportDescriptor is then called to unzip the archive and prepare to read its contents.

The application moves the file into its temp directory

and reads the scope, which here is ALL, from exportDescriptor.properties.

Completing this process, however, is not where the root cause lies.

Root Cause

While debugging the application with the exploit running, it was not initially clear where the root cause was. After some research on Java web-framework vulnerabilities, I found it in the routing configuration file, struts.xml.

The presence of struts.xml indicates that Confluence is built on Apache Struts 2, a long-established web application framework. This file governs how the application handles requests, in particular how URLs are mapped to actions, and it showed that the setup-restore action was reachable without authentication.

The logic of the authentication bypass is as follows.

The admin package (namespace ‘/admin’) extends the setup package.

The setup package (namespace ‘/setup’) extends the default package.

The json package (namespace ‘/json’) extends the admin package.

In Struts 2 a package inherits every action of the package it extends, so a request to ‘/json/<action>’ resolves to an action defined in the setup or admin package just as ‘/setup/<action>’ or ‘/admin/<action>’ would. The vulnerable path in this CVE was ‘/json/setup-restore.action?synchronous=true’: the same restore action, reached through a namespace the developers never expected it to be reachable from, even though the request does not go through the intended restore services path.

Patch diffing

Patch diffing the vulnerable version against the patched one showed the following change.

Fixed by adding

websudorequired and systemadminonly to the action. websudorequired is Confluence's WebSudo feature: when a logged-in user reaches an administrator function, Confluence prompts for the password again as an additional authentication step for the administrator session. systemadminonly restricts the function to system administrator accounts, so backup restoration is only reachable by administrators.
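The routing logic described in the Root Cause section and the effect of the patch can both be shown with a small model of Struts 2 package inheritance. The code below is an added example, not Confluence's real struts.xml or any code from the original post: the XML fragment is constructed, the action class names are placeholders, and the two guards are modelled as interceptor-ref entries named websudoRequired and systemAdminOnly (their exact form in Confluence's configuration is an assumption). It resolves every URL at which an action is reachable and lists those that carry no guard.

```python
"""Model of Struts 2 package inheritance: an action defined in the "setup"
package is reachable under every package that extends it (/admin, /json).
Added example with a constructed struts.xml fragment, not Confluence's own.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

VULNERABLE_XML = """
<struts>
  <package name="default" namespace="/"/>
  <package name="setup" extends="default" namespace="/setup">
    <action name="setup-restore" class="com.example.RestoreAction"/>
  </package>
  <package name="admin" extends="setup" namespace="/admin">
    <action name="viewgeneralconfig" class="com.example.ViewConfigAction">
      <interceptor-ref name="websudoRequired"/>
    </action>
  </package>
  <package name="json" extends="admin" namespace="/json"/>
</struts>
"""

# Same fragment with the two guards the patch adds to the restore action
# (guard names assumed; they model what the post calls websudorequired and
# systemadminonly).
PATCHED_XML = VULNERABLE_XML.replace(
    '<action name="setup-restore" class="com.example.RestoreAction"/>',
    '<action name="setup-restore" class="com.example.RestoreAction">'
    '<interceptor-ref name="websudoRequired"/>'
    '<interceptor-ref name="systemAdminOnly"/></action>',
)


@dataclass
class Action:
    name: str
    clazz: str
    guards: FrozenSet[str]


@dataclass
class Package:
    name: str
    namespace: str
    extends: Optional[str]
    actions: Dict[str, Action] = field(default_factory=dict)


def parse_packages(xml_text: str) -> Dict[str, Package]:
    """Read <package> elements and the actions each one defines directly."""
    pkgs: Dict[str, Package] = {}
    for p in ET.fromstring(xml_text.strip()).findall('package'):
        pkg = Package(p.get('name'), p.get('namespace'), p.get('extends'))
        for a in p.findall('action'):
            guards = frozenset(i.get('name') for i in a.findall('interceptor-ref'))
            pkg.actions[a.get('name')] = Action(a.get('name'), a.get('class'), guards)
        pkgs[pkg.name] = pkg
    return pkgs


def effective_actions(pkgs: Dict[str, Package], name: str) -> Dict[str, Action]:
    """Actions visible in a package: its own plus everything inherited up the
    extends chain. A child's own definition overrides an inherited one."""
    pkg = pkgs[name]
    inherited = effective_actions(pkgs, pkg.extends) if pkg.extends else {}
    return {**inherited, **pkg.actions}


def routes(xml_text: str) -> Dict[str, Tuple[str, FrozenSet[str]]]:
    """Map every reachable URL to (action class, guards on that action)."""
    pkgs = parse_packages(xml_text)
    table = {}
    for pkg in pkgs.values():
        for act in effective_actions(pkgs, pkg.name).values():
            url = f"{pkg.namespace.rstrip('/')}/{act.name}.action"
            table[url] = (act.clazz, act.guards)
    return table


def unguarded_routes(xml_text: str, action_name: str) -> List[str]:
    """URLs at which `action_name` can be reached with no guard at all."""
    return sorted(url for url, (_, guards) in routes(xml_text).items()
                  if url.endswith(f'/{action_name}.action') and not guards)


if __name__ == "__main__":
    print("vulnerable:", unguarded_routes(VULNERABLE_XML, 'setup-restore'))
    print("patched:   ", unguarded_routes(PATCHED_XML, 'setup-restore'))
```

With the vulnerable fragment the restore action is unguarded at /setup, /admin and /json alike; guarding the action itself, rather than one namespace, is what closes all three routes at once, which is why the fix lands on the action definition rather than on the /json package.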

Getting a Webshell 

I used the webshell plugin from the following link.

Upload the malicious plugin by going to Manage apps > Upload plugin.

Commands can now be executed on the server, as shown in the picture below, through the /plugins/servlet/testbin/cmServlet path.

Conclusion

In this analysis we traced the root cause of CVE-2023-22518 through debugging and code review, focusing on how the Apache Struts 2 framework drives the application's routing. We patch-diffed the fix to understand it, and showed how an attacker can obtain a webshell once administrative access to the Confluence portal has been gained.

Reference

https://blog.polyswarm.io/c3rb3r-exploiting-cve-2023-22518
