Privilege Escalation Vulnerability in Confluence Data Center and Server [CVE-2023-22515]

We discussed this vulnerability during Episode 219 on 20 October 2023

An interesting vulnerability was found in Confluence that allowed calling semi-arbitrary method chains on the Action class being executed. This reminds me a bit of deserialization attacks, but in this case you’ve got the XWork 2 framework providing a SafeParametersInterceptor class. This class is responsible for translating parameters from the request URL into getter and setter calls on the action. So, for example, a URL parameter like example.test=hello would lead to the following method chain being called on the handling Action class: .getExample().setTest("hello").

This gives an unauthenticated attacker the ability to cause somewhat arbitrary method calls. Similar to a deserialization attack, where you’re trying to find the right object to instantiate, here you need to find the right method to invoke, or perhaps a chain of methods, to dig your way through the objects reachable from the Action and arrive at some interesting primitive. In this case it was exploited by setting the following URL parameter: ?bootstrapStatusProvider.applicationConfig.setupComplete=false. The resulting method chain, getBootstrapStatusProvider().getApplicationConfig().setSetupComplete(false), calls into the application’s configuration and flips the setup-complete flag, re-enabling access to the setup functionality of the application. Which, unsurprisingly, gives some fairly powerful functionality, allowing an attacker to create a new administrative user.
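To make the parameter-to-method-chain translation concrete, here is an added example (not Confluence or XWork code, and not the actual patch) that re-implements the idea in Python: a dotted parameter name is walked as a chain of getters ending in a setter, exactly as described above. The object model (ServerInfoAction, BootstrapStatusProvider, ApplicationConfig, Example) is a constructed stand-in whose method names mirror the parameter in the write-up; the permissive mode traverses any getter, while the hardened mode only descends through getters carrying a hypothetical parameter_safe marker, which is one way to allow-list what the request is permitted to reach.

```python
import re
from urllib.parse import parse_qsl


class ParameterError(Exception):
    """Raised when a request parameter cannot be mapped onto the action."""


def parameter_safe(getter):
    """Hypothetical marker: only getters tagged this way may be traversed in hardened mode."""
    getter.parameter_safe = True
    return getter


# --- Constructed stand-ins for the objects behind the action (not Confluence code) ---

class ApplicationConfig:
    def __init__(self):
        self._setup_complete = True  # a finished install keeps the setup wizard locked

    def getSetupComplete(self):
        return self._setup_complete

    def setSetupComplete(self, value):
        self._setup_complete = value


class BootstrapStatusProvider:
    def __init__(self, config):
        self._config = config

    def getApplicationConfig(self):
        return self._config


class Example:
    def __init__(self):
        self.test = None

    def setTest(self, value):
        self.test = value


class ServerInfoAction:
    """Hypothetical action exposing one intended bean and one piece of internal wiring."""

    def __init__(self, provider):
        self._example = Example()
        self._provider = provider

    @parameter_safe  # meant to be populated from request parameters
    def getExample(self):
        return self._example

    def getBootstrapStatusProvider(self):  # internal dependency, never meant for request binding
        return self._provider


# --- A minimal parameters interceptor ---

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _coerce(raw):
    """Mimic the framework's type conversion for the few types this demo needs."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if raw.lstrip("-").isdigit():
        return int(raw)
    return raw


def _accessor(obj, prefix, prop):
    name = prefix + prop[0].upper() + prop[1:]
    method = getattr(obj, name, None)
    if not callable(method):
        raise ParameterError(f"no {name}() on {type(obj).__name__}")
    return method


def apply_parameter(action, name, raw_value, safe_only=False):
    """Turn 'a.b.c=v' into getA().getB().setC(v) on action; returns the chain as text.

    safe_only=False is the permissive behaviour: every getter is traversed.
    safe_only=True is the hardened variant: only parameter_safe getters are traversed.
    """
    parts = name.split(".")
    if not all(_IDENT.fullmatch(p) for p in parts):
        raise ParameterError(f"malformed parameter name {name!r}")
    target, chain = action, []
    for prop in parts[:-1]:
        getter = _accessor(target, "get", prop)
        if safe_only and not getattr(getter, "parameter_safe", False):
            raise ParameterError(f"refusing to traverse {getter.__name__}() on {type(target).__name__}")
        chain.append(f"{getter.__name__}()")
        target = getter()
    value = _coerce(raw_value)
    setter = _accessor(target, "set", parts[-1])
    setter(value)
    chain.append(f"{setter.__name__}({value!r})")
    return ".".join(chain)


def apply_query(action, query, safe_only=False):
    """Apply every parameter of a query string; returns the list of method chains invoked."""
    return [apply_parameter(action, k, v, safe_only) for k, v in parse_qsl(query)]


def demo(safe_only):
    """Drive a fresh action with the benign and the attacker's parameter; report the outcome."""
    config = ApplicationConfig()
    action = ServerInfoAction(BootstrapStatusProvider(config))
    chains = apply_query(action, "example.test=hello", safe_only)
    try:
        chains += apply_query(action, "bootstrapStatusProvider.applicationConfig.setupComplete=false", safe_only)
    except ParameterError as err:
        chains.append(f"rejected: {err}")
    return chains, config.getSetupComplete()


if __name__ == "__main__":
    for mode in (False, True):
        chains, setup_complete = demo(mode)
        print("hardened" if mode else "permissive", chains, "setupComplete =", setup_complete)
```

In permissive mode the attacker's parameter walks getBootstrapStatusProvider().getApplicationConfig() and lands on setSetupComplete(False), so the install reports setup as incomplete; in hardened mode the walk stops at the first getter that is not explicitly exposed and the flag is untouched. The point of the allow-list design is that the reachable surface is whatever the action author opted in, rather than every getter on every object the action happens to hold a reference to.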