Confluence Unauthorized RCE Vulnerability

Due to many enterprise environments using Confluence, and many of them exposing it to the internet, this vulnerability is incredibly useful.

There is a public POC available:https://github.com/Yt1g3r/CVE-2019-3396_EXP from which you could base other attacks.

This vulnerability is important to patch given the ease by which an attacker can exploit a Confluence server.

A vulnerability in the installed-by-default Widget Connector macro within Atlassian Confluence provides for unauthenticated remote code execution via a network-listening web service. The attacker sends crafted JSON via an HTTP POST request to the rest/tinymce/1/macro/preview endpoint, including a malicious _template variable which triggers the vulnerable server to callback to the client on an arbitrary IP address and port.

The vulnerability affects Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3, and from version 6.14.0 before 6.14.2.

A pull request for this exploit was submitted to the Metasploit Framework on 12 April 2019. The Metasploit exploit module did not work when tested against 6.13.0.

Analysis

The nature of this exploit provides a reliable exploit onto a vulnerable server, with minimal downside of detection or crashing the target. In additon, the attacker can leverage HTTPS to encrypt the exploit attempt, bypassing network intrusion detection.

Overall, I think this exploit is going to be in high use. Given the popularity of Confluence, the tendency for organizations to self-host Confluence, and the lack of downsides for an attacker to try this exploit, I think we’ll see a lot of use out of this one.