Exploit Flare Up Against Older Altassian Confluence Vulnerability

Published: 2024-01-29. Last Updated: 2024-01-29 14:01:16 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Last October, Atlassian released a patch for CVE-2023-22515 [1]. This vulnerability allowed attackers to create new admin users in Confluence. Today, I noticed a bit a "flare up" in a specific exploit variant.

Rapid 7 published a good summary of the vulnerability [2]. As so often, the vulnerability is pretty straightforward once you see it. During the initial setup, Confluence asks the user to configure an administrator. After setup is complete, the user needs to log in using this initial administrator account to configure additional users. Using the vulnerability, an attacker can flip the "setup complete" state. No authentication is required to do so. An attacker can first enable the initial setup behavior, us it to add a new administrator account, and complete the attack by disabling the setup page to make the application appear normal for other users.

In it's blog, Rapid 7 suggests the following URL to trigger the exploit, and switch Confluence into "Setup" mode:

curl -vk http://192.168.86.50:8090/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false

The exploit we are seeing is a bit different:

GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&cache2baSyYzftjSFREWn8TtL8AKl6pM HTTP/1.1
Host: [victim IP]:8090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept-Encoding: gzip

Aside from using "0" instead of "False" (which is equivalent), the attacker also adds the "cache..." string at the end. This may be to avoid retrieving cached responses and to ensure the attack string will reach the vulnerable server. Without this string, the attacker may just receive the response from an earlier attack attempt and not the actual server response. The "cache" string is constant and not randomized between requests, which caused this attack to show up in our "First Seen" list again.

This attack version originates mostly from 206.188.196.230, The server hosted in the is likely compromised. It has been scanning since yesterday, and it is also hosting a known phishing website. 

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

0 comment(s)
ISC Stormcast For Monday, January 29th, 2024 https://isc.sans.edu/podcastdetail/8828

Comments


Diary Archives