Red Team: An Offensive Perspective on the Confluence Vulnerability (CVE-2021-26084)
The BlackBerry® Incident Response team recently covered the most common attacker tactics, techniques, and procedures (TTPs) for the recently disclosed Confluence Server and Data Center vulnerability (CVE-2021-26084) in our Blue Team defensive perspective article.
In this article, we'll examine how this vulnerability is viewed from an offensive perspective, so you can discover and properly convey the risk within your environment. (As a quick reminder: You should only test your own systems after obtaining sufficient permission!)
The techniques covered below are useful in discovering unknown systems that could be affected. If you have a known affected system, such as in the case of an active threat actor breach, we recommend checking for signs of exploit before performing any of the discovery and validation steps below.
Discovery and Identification
In an ideal world, everyone would know every asset in their environment, along with the OS and application versions for everything running. But our environments are dynamic, and employees can stand up hosts and software - such as Confluence servers - without proper approval or documentation. We will cover a few of the potential methods to discover and identify these potentially vulnerable devices.
The Confluence version can be found in multiple ways. The easiest method is to simply browse to the Confluence main page (Figure 1).
Figure 1: Version disclosure on the main page (Confluence 7.12.0)
We are not promoting any specific vulnerability scanners; however there are at least three with plugins that can be used to discover Confluence servers and check for the presence of CVE-2021-26084:
Tenable Nessus (Plugin ID: 152864)
Rapid7 - InsightVM and Nexpose customers are covered in the Aug. 26, 2021, content release
Qualys - Local check (Qualys ID: 375839) and Remote check (Qualys ID: 730172)
Qualys has also provided a description for how the plugins function. You could also script these checks if you need a low-tech, inexpensive discovery method.
The local Qualys checks for the vulnerable version of the Confluence Server searches for the presence of the following registry key:
The remote Qualys check tries two different unauthenticated methods:
1. It sends a crafted HTTP POST request to 'pages/createpage-entervariables.action' and/or 'pages/doenterpagevariables.action' to check if the target is vulnerable.
2. If the aforementioned technique doesn't work, it checks for the vulnerable version of Atlassian Confluence using a GET request to the login.action page.
To manually confirm whether the Confluence Server is vulnerable, send a POST request using curl to the /pages/createpage-entervariables.action page. The following example sends 'queryString=vulnerable' to the server. If the string is reflected in the response page, then the application is vulnerable to CVE-2021-26084 (see Figure 2).
curl -k -X $'POST' -H $'Host: 192.168.1.177:8090' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0' -H $'Accept: */*' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 22' -H $'Origin: http://192.168.1.177:8090' -H $'Connection: close' --data-binary $'queryString=vulnerable' $'http://192.168.1.177:8090/pages/createpage-entervariables.action' --trace-ascii - -s | grep query
Figure 2: Reflected response from Confluence
As of Sept. 8, 2021, a Metasploit module was available to detect and exploit vulnerable Confluence servers. To perform this, grab the latest Metasploit version that includes the 'atlassian_confluence_webwork_ognl_injection' module. Start msfconsole and use the commands below to load the exploit and to set the local and remote addresses. The default shell is a reverse bash shell, which is demonstrated in the following:
set RHOSTS set LHOST
If successful, you will gain a shell under the context of the Confluence user (Figure 3).
Figure 3: Exploitation using the Metasploit module, gaining access as the Confluence Server user
Once a shell is gained on the server, post-exploitation is limited only by the attacker's imagination. Report this finding immediately, then move to secure this host using the recommendations in the next section.
Actions to Take
After obtaining the version number of your Confluence Server or Data Center, check this list to see if you have an on-premise, affected version of the software. If you are running an affected version, the next step is to upgrade to a fixed version, if you're able to do so. If you are not able to upgrade, implement the temporary workaround supplied by Atlassian.
Finally, it's critical to check for signs of compromise on the Confluence host and surrounding environment. We listed some of the attacker techniques in the previous Blue Team defensive perspective article that should be detected if compromise has occurred.
Check the entire file system for any signs of web shells. Note that attackers can use very small web shells such as China Chopper, which can time-match itself to surrounding files to blend in and avoid detection.
Once you have confirmed the vulnerability (possibly using the methods above) and neutralized it, use the experience to convey the importance of security within your organization. There are plenty of security initiatives that can help mitigate the risk of these vulnerabilities, such as the following:
Tracking to remediation
Confirmation of remediation
Endpoint Protection (EPP) software
Endpoint Detection and Response (EDR) software
Centralized log collection and correlation
The ability to detect, mitigate, and prevent should be top of mind for all organizations.
BlackBerry Cyber Suite and BlackBerry Guard stop these attacks
If in doubt regarding any of the steps in this article, call in the experts at BlackBerry to perform a Red Team assessment or forensic analysis, or to conduct a compromise assessment. BlackBerry customers can feel confident that our AI-driven BlackBerry® Cyber Suite, as well as our Managed Detection & Response (MDR) solution BlackBerry® Guard, are well-equipped to mitigate the risks posed by these continued external-facing vulnerabilities.
Core technology includes:
Victim of an Attack?
BlackBerry® Protect provides automated malware prevention, application and script control, memory protection, and device policy enforcement.
BlackBerry® Optics extends the threat prevention by using BlackBerry Optics Context Analysis Engine (CAE) rules to provide additional telemetry. The following rules were effective at identifying exploitation of the vulnerability:
Powershell Encoded Command
One-Liner ML Module
In the unfortunate event that it is too late for prevention and you believe you have already been the victim of an attack, please contact us, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
About Tony Lee
Vice President, Global Services Technical Operations, BlackBerry
Tony Lee has more than fifteen years of professional research and consulting experience pursuing his passion in all areas of information security.
As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a contributing author to Hacking Exposed 7, and is also a frequent blogger, researcher, and author of white papers on topics ranging from Citrix Security, the China Chopper Web shell, and Cisco's SYNFul Knock router implant.
Over the years, he has contributed many tools to the security community such as UnBup, Forensic Investigator Splunk app, and CyBot, the extensible Threat Intelligence Bot framework designed for anyone from a home user to a SOC analyst.
About Brent Nicorvo
Senior Manager of Professional Services Consulting (Red Team), BlackBerry.
BlackBerry Ltd. published this content on 14 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 14 September 2021 15:51:05 UTC.