Security research

From bypass to breach: how to get RCE in Confluence's latest CVEs

Publisher
Pentest-Tools.com
Updated at
exploit CVE-2023-22518 and CVE-2023-22515

When a CVE - or two - start trending, every pentester instantly asks these three questions:

Why does this happen?

How does it happen?

How do I exploit it? 

I’m gonna help you get the answers you need by demonstrating how to go beyond authentication bypass and achieve RCE using CVE-2023-22515 and CVE-2023-22518.

Together we’ll explore their root causes and how to demonstrate the risk involved if an attacker uses these CVEs successfully.

Let's jump right in!

Authentication Bypass in Atlassian Confluence (CVE-2023-22515)

The first CVE we'll examine is CVE-2023-22515. This is a Broken Access Control vulnerability that affects Confluence Data Center and Server instances, with a 9.8 CVSS score. Because it’s a particularly nasty security issue, CISA also added to their Known Exploited Vulnerabilities Catalog. 

The root cause of this vulnerability is an access path that doesn’t have authentication checks. An attacker can access the /server-info.action path, which requires no authentication, to put the application in Setup Mode. In this mode, the attacker can create an admin user with no authentication requirements.

Let’s see how this works in practice. 

How to exploit CVE-2023-22515

We have a vulnerable Confluence instance that we used when we developed the Sniper module for this CVE.

As you can see, we are logged in as admin, and there are a lot of other accounts as well.

There’s no demo user, so we’ll try to create it.

add new user in Confluence

First, we need to put the app in setup mode, and we do this by performing a request to the /server-info.action path with the bootstrapStatusProvider.applicationConfig.setupComplete parameter set to false.

This tricks the app into thinking the setup is not finished yet, which allows us to create a new account, with admin privileges - without being authenticated.

Burp requestNow that we have the app in setup mode, let's access the /setup/setupadministrator-start.action endpoint.

Here, we’re prompted with a form, which allows us to create a new user.

new Atlassian user configurationNow we’re authenticated, so let's check our profile data. As you can see, we are logged in with the credentials we put in earlier.

people directory in ConfluenceUsing the freshly made account, the attacker can log in and perform any action on the server as an admin. 

This compromises the confidentiality, integrity, and availability of the Confluence instance. 

Using this vulnerability an attacker can achieve Remote Code Execution

We’ll see exactly how to get to this point in the second part of this article, as the process is identical for the next vulnerability.

Improper Authorization Vulnerability in Confluence Data Center and Server (CVE-2023-22518)

The second security issue we’re dissecting is CVE-2023-22518, another critical vulnerability in the Atlassian Confluence Data Center and Server. It’s also part of CISA's Known Exploited Vulnerabilities Catalog and has a 9.1 CVSS score.

The root cause of this vulnerability is an access path that doesn't have authentication checks either. 

An attacker can access the /json/setup-restore.action path, which requires no authentication

A bad actor can use this endpoint to upload a restored zip file, which will overwrite the site's data with the data from the provided zip file. 

This way, the attacker can upload an especially crafted zip file that contains an admin user with a known password - and achieve authentication on the target as admin.

How to exploit CVE-2023-22518

To exploit this vulnerability, we need to get a zip file with known users in it. 

As a pentester, you can easily do this by going to Administration  > General Configuration > Backup and restore and generate an archive here.

add new user in ConfluenceWith this zip file, let's go to our second Confluence instance. 

As you can see, this is a cleaner instance, with only one admin user. But things are about to change… 

Confluence all people displayedLet's go to Burp and send a request that will restore the second instance using the data we got from the first instance.

Let’s make a request to the /json/setup-restore.action endpoint with the synchronous parameter set to true

The request also contains the data from the zip file in our request.

Burp requestLooks like the restore is done and we can log in as demo

Now let's try to get RCE. 

We can achieve this by using our admin privileges to install ScriptRunner. ScriptRunner is a paid app, but we can get a free trial license for it, as 30 days are enough for our goal. 

ScriptRunner for Confluence installedNow, we can execute any OS bash command using the template you can see in the screenshot below.

OS bash commandLet's use a Pentest-tools.com HTTP Logger and see if we can successfully execute a curl command to exfiltrate some data from the target. 

We created the handler, and now let's perform a post request containing the data from /etc/passwd to it.

Looks like it worked and we got the data on the handler! 💪

ScriptRunner outputLet's discuss the risk this vulnerability introduces. 

The good news is that, if you're compromised, the attacker can’t access any confidential data. The bad news is that neither can you.

The vulnerability can allow an unauthenticated attacker with network access to the Confluence Instance to restore it and eventually execute arbitrary system commands.

At Pentest-tools.com we have integrated both detection and exploitation capabilities for these vulnerabilities if you choose to use our Network Scanner and Sniper Auto-Exploiter.

I hope you found this article useful and learned something insightful about these high-risk CVEs!

If you want to see this article as a video PoC, here it is: 

How to get RCE in Confluence’s latest CVEs - 𝗖𝗩𝗘-𝟮𝟬𝟮𝟯-𝟮𝟮𝟱𝟭𝟱 & 𝗖𝗩𝗘-𝟮𝟬𝟮𝟯-𝟮𝟮𝟱𝟭𝟴

For which other vulnerabilities would you like me to demonstrate the exploitation process? Let me know in a comment on the video above. 

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

I can see your vulns image

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account

Footer

© 2013-2024 Pentest-Tools.com

Pentest-Tools.com has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn!

Pentest-Tools.com has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge

Pentest-Tools.com recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo

Pentest-Tools.com is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.