2025-04-12 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to analyze the Confluence unauthenticated RCE vulnerability. The editor shares it for reference, in the hope that readers will gain an understanding of the relevant knowledge after reading.
After the official advisory was published, emergency response for the vulnerability began. The advisory states that the Widget Connector in Confluence Server and Confluence Data Center contains a server-side template injection vulnerability, which an attacker can exploit to achieve directory traversal and remote code execution.
Having confirmed that the vulnerability is in Widget Connector, download the latest version and diff it against the vulnerable one: there is an extra filter in com/atlassian/confluence/extra/widgetconnector/WidgetMacro.java, which should be the most critical part of this vulnerability.
In the patched source you can see:
this.sanitizeFields = Collections.unmodifiableList(Arrays.asList(VelocityRenderService.TEMPLATE_PARAM));
The value of TEMPLATE_PARAM is _template, so this patch filters out the externally supplied _template parameter.
public interface VelocityRenderService {
    public static final String WIDTH_PARAM = "width";
    public static final String HEIGHT_PARAM = "height";
    public static final String TEMPLATE_PARAM = "_template";
    // ...
}
Looking through the files in Widget Connector, TEMPLATE_PARAM is the path of the Velocity template file.
public class FriendFeedRenderer implements WidgetRenderer {
    private static final String MATCH_URL = "friendfeed.com";
    private static final String PATTERN = "friendfeed.com/(\\w+)/?";
    private static final String VELOCITY_TEMPLATE = "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm";
    private VelocityRenderService velocityRenderService;
    // ...
    public String getEmbeddedHtml(String url, Map params) {
        params.put(VelocityRenderService.TEMPLATE_PARAM, VELOCITY_TEMPLATE);
        return velocityRenderService.render(getEmbedUrl(url), params);
    }
}
When an external link is embedded, the corresponding template is rendered. As above, the template path is usually hard-coded, but there are exceptions. The very existence of the patch also shows that someone managed to break that restriction and invoke an unexpected template, resulting in template injection.
With the patch understood and some general guesses in mind, start testing.
First, locate the feature. The official documentation shows that it lets you embed videos, documents and so on in a page.
Seeing this was a little exciting, because several parameters found while reading the patch, url, width and height, correspond to the fields here. Could _template be passed in from here as well?
Try inserting an arbitrary YouTube video, click Preview, and capture the request.
Try adding the _template parameter to params: nothing happens.
Start debug mode. Because the test embeds a YouTube video, the renderer called is com/atlassian/confluence/extra/widgetconnector/video/YoutubeRenderer.class:
public class YoutubeRenderer implements WidgetRenderer, WidgetImagePlaceholder {
    private static final Pattern YOUTUBE_URL_PATTERN = Pattern.compile("https?://(.+\\.)?youtube.com.*(\\?v=([^&]+)).*$");
    private final PlaceholderService placeholderService;
    private final String DEFAULT_YOUTUBE_TEMPLATE = "com/atlassian/confluence/extra/widgetconnector/templates/youtube.vm";
    // ...
    public String getEmbedUrl(String url) {
        Matcher youtubeUrlMatcher = YOUTUBE_URL_PATTERN.matcher(this.verifyEmbeddedPlayerString(url));
        return youtubeUrlMatcher.matches() ? String.format("//www.youtube.com/embed/%s?wmode=opaque", youtubeUrlMatcher.group(3)) : null;
    }
    public boolean matches(String url) {
        return YOUTUBE_URL_PATTERN.matcher(this.verifyEmbeddedPlayerString(url)).matches();
    }
    private String verifyEmbeddedPlayerString(String url) {
        return !url.contains("feature=player_embedded&") ? url : url.replace("feature=player_embedded&", "");
    }
    public String getEmbeddedHtml(String url, Map params) {
        return this.velocityRenderService.render(this.getEmbedUrl(url), this.setDefaultParam(params));
    }
}
Set a breakpoint in getEmbeddedHtml: getEmbedUrl is called first to regex-match the URL passed by the user. Since we passed a normal YouTube video URL, there is no problem here. Then setDefaultParam is called to process the other parameters that were passed in.
private Map setDefaultParam(Map params) {
    String width = (String) params.get("width");
    String height = (String) params.get("height");
    if (!params.containsKey("_template")) {
        params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/youtube.vm");
    }
    if (StringUtils.isEmpty(width)) {
        params.put("width", "400px");
    } else if (StringUtils.isNumeric(width)) {
        params.put("width", width.concat("px"));
    }
    if (StringUtils.isEmpty(height)) {
        params.put("height", "300px");
    } else if (StringUtils.isNumeric(height)) {
        params.put("height", height.concat("px"));
    }
    return params;
}
width and height are read and checked for emptiness; if empty, a default value is set. The key _template parameter is handled here too: if the externally passed parameters do not contain _template, the default YouTube template is set, but if _template is passed in, the incoming value is used as-is. That is why the test value AAAA went through successfully.
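As an added illustration, not Atlassian's code, of what the patch's sanitizeFields achieves and how setDefaultParam could be hardened, the Java sketch below strips _template from user-supplied params before any renderer sees them and then resolves the template name only against a fixed allowlist. The class and method names and the allowlist contents are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Illustrative hardening of the _template flow analysed above; not Atlassian's code.
// Class/method names and the allowlist contents are assumptions made for this example.
public class WidgetParamSanitizer {
    static final String TEMPLATE_PARAM = "_template";
    // Same shape as the patched WidgetMacro: keys the macro never accepts from the user.
    static final List<String> SANITIZE_FIELDS =
            Collections.unmodifiableList(Arrays.asList(TEMPLATE_PARAM));
    // Templates a renderer may select; anything else falls back to the renderer default.
    static final List<String> ALLOWED_TEMPLATES = Arrays.asList(
            "com/atlassian/confluence/extra/widgetconnector/templates/youtube.vm",
            "com/atlassian/confluence/extra/widgetconnector/templates/embed.vm");
    // Step 1 (what the patch does): drop user-controlled keys before any renderer runs.
    public static Map<String, String> sanitize(Map<String, String> userParams) {
        Map<String, String> clean = new HashMap<>(userParams);
        for (String field : SANITIZE_FIELDS) {
            clean.remove(field);
        }
        return clean;
    }
    // Step 2 (defence in depth): a template name must be an allowlisted classpath path;
    // scheme prefixes such as ftp: or file: and ".." segments therefore never reach a loader.
    public static String resolveTemplate(String requested, String rendererDefault) {
        if (requested == null || requested.contains("..") || requested.contains(":")
                || !ALLOWED_TEMPLATES.contains(requested)) {
            return rendererDefault;
        }
        return requested;
    }
    // Hardened counterpart of setDefaultParam: fill _template only when absent, then validate.
    public static String templateAfterDefaults(Map<String, String> userParams, String rendererDefault) {
        Map<String, String> params = sanitize(userParams);
        params.putIfAbsent(TEMPLATE_PARAM, rendererDefault);
        return resolveTemplate(params.get(TEMPLATE_PARAM), rendererDefault);
    }
    public static void main(String[] args) {
        Map<String, String> untrusted = new HashMap<>();   // constructed request parameters
        untrusted.put("url", "https://www.youtube.com/watch?v=example");
        untrusted.put(TEMPLATE_PARAM, "ftp://localhost:2121/rce.vm");  // the page's scenario
        String youtube = "com/atlassian/confluence/extra/widgetconnector/templates/youtube.vm";
        System.out.println(templateAfterDefaults(untrusted, youtube));
    }
}
```

With both steps in place the renderer default wins even if a request smuggles _template past a single check, which is the point of layering the WidgetMacro filter with a loader-side allowlist.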
Flipping through the renderers in Widget Connector, most of them cannot set _template because it is hard-coded, but there are exceptions, such as Youtube, Viddler and DailyMotion, which accept _template from outside.
Now that _template can be passed in, let's look at how the template is fetched and rendered.
Follow this.velocityRenderService.render, that is, the render method in com/atlassian/confluence/extra/widgetconnector/services/DefaultVelocityRenderService.class:
public String render(String url, Map params) {
    String width = (String) params.get("width");
    String height = (String) params.get("height");
    String template = (String) params.get("_template");
    if (StringUtils.isEmpty(template)) {
        template = "com/atlassian/confluence/extra/widgetconnector/templates/embed.vm";
    }
    if (StringUtils.isEmpty(url)) {
        return null;
    } else {
        Map contextMap = this.getDefaultVelocityContext();
        Iterator var7 = params.entrySet().iterator();
        while (var7.hasNext()) {
            Entry entry = (Entry) var7.next();
            if (((String) entry.getKey()).contentEquals("tweetHtml")) {
                contextMap.put(entry.getKey(), entry.getValue());
            } else {
                contextMap.put(entry.getKey(), GeneralUtil.htmlEncode((String) entry.getValue()));
            }
        }
        contextMap.put("urlHtml", GeneralUtil.htmlEncode(url));
        if (StringUtils.isNotEmpty(width)) {
            contextMap.put("width", GeneralUtil.htmlEncode(width));
        } else {
            contextMap.put("width", "400");
        }
        if (StringUtils.isNotEmpty(height)) {
            contextMap.put("height", GeneralUtil.htmlEncode(height));
        } else {
            contextMap.put("height", "300");
        }
        return this.getRenderedTemplate(template, contextMap);
    }
}
_template is read into template, the other parameters are checked and put into contextMap, and getRenderedTemplate is called, which in turn calls VelocityUtils.getRenderedTemplate.
protected String getRenderedTemplate(String template, Map contextMap) {
    return VelocityUtils.getRenderedTemplate(template, contextMap);
}
Following the calls all the way down (call chain as shown in the following figure), we reach the loadResource function in com/atlassian/confluence/util/velocity/ConfigurableResourceManager.class, which fetches the template.
Here four ResourceLoaders are tried in turn to fetch the template:
com.atlassian.confluence.setup.velocity.HibernateResourceLoader
org.apache.velocity.runtime.resource.loader.FileResourceLoader
org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
com.atlassian.confluence.setup.velocity.DynamicPluginResourceLoader
Here we mainly look at Velocity's own FileResourceLoader and ClasspathResourceLoader.
FileResourceLoader uses the normalizePath function to validate the passed template path.
As you can see, /../ is filtered out, so there is no way to traverse up the directory tree.
After normalizing the path, findTemplate is called to locate the template. You can see that a fixed path is prepended, the Confluence installation directory.
So FileResourceLoader can be used to read files under the Confluence directory.
Try reading /WEB-INF/web.xml: the file is loaded successfully.
But this cannot escape the Confluence directory, because /../ cannot be used.
Let's take a look at ClasspathResourceLoader:
public InputStream getResourceStream(String name) throws ResourceNotFoundException {
    InputStream result = null;
    if (StringUtils.isEmpty(name)) {
        throw new ResourceNotFoundException("No template name provided");
    } else {
        try {
            result = ClassUtils.getResourceAsStream(this.getClass(), name);
            // ...
        }
        // ... (exception handling elided in the original excerpt)
    }
}
Follow ClassUtils.getResourceAsStream:
public static InputStream getResourceAsStream(Class claz, String name) {
    while (name.startsWith("/")) {
        name = name.substring(1);
    }
    ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    InputStream result;
    if (classLoader == null) {
        classLoader = claz.getClassLoader();
        result = classLoader.getResourceAsStream(name);
    } else {
        result = classLoader.getResourceAsStream(name);
        if (result == null) {
            classLoader = claz.getClassLoader();
            if (classLoader != null) {
                result = classLoader.getResourceAsStream(name);
            }
        }
    }
    return result;
}
This goes into /org/apache/catalina/loader/WebappClassLoaderBase.class.
Following it, /WEB-INF/classes is prepended, and normalize is also called to filter the incoming path.
However, ../ can be used here to go up one directory level.
Try reading ../web.xml: it can also be read successfully, but it still cannot escape the directory.
The version I tested here is 6.14.1. I then tried file://, http:// and https:// without success. Later I tried deleting the cookie and found that I could still read the file, so I confirmed that this vulnerability requires no permissions, but it could not escape the directory. The emergency response got stuck right here.
A few days later, a more experienced colleague said that the directory restriction could be escaped with the file:// protocol. I was surprised; I was sure I had already tried it at the time without success. Looking at his screenshot, I noticed he was using version 6.9.0. I downloaded it, tried it, and found that it really was possible.
The issue is still ClasspathResourceLoader; the steps are the same as before, breaking on the getResourceAsStream method of /org/apache/catalina/loader/WebappClassLoaderBase.class.
After the lookup with /WEB-INF/classes prepended fails to find the resource, execution continues.
Following into findResource, the earlier lookups still fail to obtain the resource.
The key point is here: super.findResource(name) is called and returns a URL, meaning the resource can be obtained as a URL object.
Not only that, other protocols (HTTPS, FTP, etc.) can also be used to fetch remote objects, which means remote templates can be loaded.
After obtaining the URL object, go back to the earlier getResourceAsStream: when the returned URL is not null, url.openStream() is called to read the data.
Finally, the data is obtained and rendered by Velocity.
Give it a try
As for why 6.14.1 is not affected in the same way: this was done in a hurry during the emergency response, and follow-ups will be posted if there are new discoveries. For now, the only known difference is the ClassLoader.
6.14.1
6.9.0
The relationship between the two loaders is shown in the following figure.
Now that local and remote templates can be loaded, RCE can be attempted.
Regarding Velocity RCE, the payloads basically come from the 2015 research on server-side template injection, but they cannot be used directly in Confluence, because method calls go through velocity-htmlsafe-1.5.1.jar, which applies some filtering and restrictions. Reflection can still be used to execute commands.
Start a simple FTP server with python -m pyftpdlib -p 2121, and save the payload as rce.vm in the current directory.
Set _template to ftp://localhost:2121/rce.vm and send the request; the command executes successfully.
For command output, reflection can likewise be used to construct a payload that returns the result of ipconfig.
Vulnerability impact
According to the ZoomEye cyberspace search engine, a search for the keyword "X-Confluence" returned a total of 61,856 results, mainly distributed in the United States, Germany, China and other countries.
Global distribution (not the vulnerable scope)
Distribution in China (not the vulnerable scope)
Vulnerability detection
On April 4, 2019, Lab 404 released a detection PoC for this vulnerability, which can be used to detect whether Confluence is affected by the vulnerability.
That concludes the analysis of the Confluence unauthenticated RCE vulnerability; I hope the above content is of some help.