Confluence CVE-2021-26084 Velocity模板二次注入

Confluence CVE-2021-26084 是前台能够触发的RCE,CVSS9.8,危害不小。漏洞原因是因为Velocity 写得有问题导致可以Ognl注入,这种模板问题导致的漏洞挺少见,但是很适用,值得分析。

0x01 环境搭建

P🐮的Vulhub 有镜像,参考【2】,同样调试接口没有开出来,可以参考之前的《Confluence CVE-2022-26134 OGNL 分析》一文搭建环境。

  1. 新建Dockerfile

    1
    2
    FROM vulhub/confluence:7.4.10
    RUN sed "67 iCATALINA_OPTS=\"-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 \$\{CATALINA_OPTS\}\"" -i /opt/atlassian/confluence/bin/setenv.sh

  2. 更新docker-compose.yml

    1
    2
    3
    4
    build: .
    ports:
      - "8090:8090"
      - "5005:5005"

0x02 漏洞复现

参考【1】中Lotso师傅给的几个patch

  1. confluence/users/user-dark-features.vm

    value='$!action.featureKey' => value=featureKey

    7.12.4版本已经对该文件进行了更改

  2. confluence/login.vm

    value='$!action.token' => value=token

    7.12.4版本已经对该文件进行了更改

  3. confluence/pages/createpage-entervariables.vm

    1
    2
    value='$!querystring' => value=querystring
    value='$linkCreation' => value=linkCreation

  4. confluence/template/custom/content-editor.vm

    对多个input标签进行了value的替换,主要是将value中的$去掉

    "Hidden" "name='linkCreation'" "value='$isLinkCreation'" => "Hidden" "name='linkCreation'" "value=isLinkCreation"

  5. JAR文件的中templates/editor-preload-container.vm

    value='$!{action.syncRev}' => value=syncRev

以doenterpagevariables.action 为例

upload successful

0x03 原理解析

3.1 doenterpagevariables.action 调用链跟踪

顺着执行跟踪

1. doenterpagevariables.action

根据补丁消息,可以定位到createpage-entervariables.vm,对应action为doenterpagevariables

1
2
3
4
5
<action name="doenterpagevariables" class="com.atlassian.confluence.pages.actions.PageVariablesAction" method="doEnter">
    <result name="error" type="velocity">/pages/createpage-entervariables.vm</result>
    <result name="input" type="velocity">/pages/createpage-entervariables.vm</result>
    <result name="success" type="velocity">/pages/createpage.vm</result>
</action>

2. PageVariablesAction#doEnter

在PageVariablesAction#doEnter,debug打点发现未进入

此小结与整体跟踪无关,仅探讨为何未进入debug

struts2 执行流程如下,interceptors 一个个执行,如果哪一个返回了有效的result,则不会进入后续的流程了。
upload successful

执行到ConfluenceXsrfTokenInterceptor,返回了”input” result,直接进行了executeResult,因此避开了doEnter 方法。

upload successful

3. 返回 input,进行Velocity渲染 createpage-entervariables.vm

1
2
3
4
<form name="filltemplateform" method="POST" action="doenterpagevariables.action">
    #form_xsrfToken()
    #tag ("Hidden" "name='queryString'" "value='$!queryString'")
    #tag ("Hidden" "name='templateId'" "value='$pageTemplate.id'")

4. AbstractTagDirective tag子语句

渲染Tag #tag (“Hidden” “name=’queryString’” “value=’$!queryString’”)

此刻Tag 有3个子节点

upload successful

5. 第三个子节点ASTStringLiteral

第三个子节点ASTStringLiteral#value

Velocity 一文中有单独介绍ASTStringLiteral 节点,不过这里稍为复杂点,interpolate为true,需要
this.nodeTree.render(context, writer);
其nodeTree 为ASTReference

6. 子节点ASTReference#getVariableValue

进过一些列的调用,最终到执行到getVariableValue 方法,功能为从context中获取value值

6.1 InternalContextAdapterImpl & WebWorkVelocityContext
1
2
3
public Object get(String key) {
    return this.context.get(key);
}

this.context 类为OutputAwareWebWorkVelocityContext
OutputAwareWebWorkVelocityContext extends WebWorkVelocityContext

WebWorkVelocityContext 在Velocity那一便文章中有讲到

会尝试从一下context中获取

  1. context
  2. stack.findValue
  3. chainedContexts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
public Object internalGet(String key) {
    if (super.internalContainsKey(key)) {
        return super.internalGet(key);
    } else {
        if (this.stack != null) {
            Object object = this.stack.findValue(key);
            if (object != null) {
                return object;
            }
        }

        if (this.chainedContexts != null) {
            for(int index = 0; index < this.chainedContexts.length; ++index) {
                if (this.chainedContexts[index].containsKey(key)) {
                    return this.chainedContexts[index].internalGet(key);
                }
            }
        }

        return null;
    }
}

upload successful

upload successful

6.2 queryString 如何赋值的

root 为PageVariablesAction,有个queryString 属性,此刻就是post参数。

那么是如何赋值的呢?

结论是在SafeParametersInterceptor 中赋值的

upload successful

最终时通过Ognl.setValue 进行赋值的

ASTProperty.setValueBody 经过一些列的调用,最终调用AbstractCreatePageAction.setQueryString 实现赋值,具体调用栈如下

完整的调用栈如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
setQueryString:381, AbstractCreatePageAction (com.atlassian.confluence.pages.actions)
invoke0:-1, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:62, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
invokeMethod:500, OgnlRuntime (ognl)
callAppropriateMethod:794, OgnlRuntime (ognl)
setMethodValue:946, OgnlRuntime (ognl)
setPossibleProperty:76, ObjectPropertyAccessor (ognl)
setProperty:132, ObjectPropertyAccessor (ognl)
setProperty:1613, OgnlRuntime (ognl)
setProperty:45, CompoundRootAccessor (com.opensymphony.xwork.util)
setProperty:1613, OgnlRuntime (ognl)
setValueBody:105, ASTProperty (ognl)
evaluateSetValueBody:180, SimpleNode (ognl)
setValue:230, SimpleNode (ognl)
setValue:476, Ognl (ognl)
setValue:189, OgnlUtil (com.opensymphony.xwork.util)
setValue:113, OgnlValueStack (com.opensymphony.xwork.util)
setValue:97, OgnlValueStack (com.opensymphony.xwork.util)
before:142, SafeParametersInterceptor (com.atlassian.xwork.interceptors)

7. findValue

getVariableValue 会通过OgnlValueStack.findValue 实现从stack root中获取queryString

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
findValue:137, OgnlValueStack (com.opensymphony.xwork.util)
internalGet:72, WebWorkVelocityContext (com.opensymphony.webwork.views.velocity)
get:193, AbstractContext (org.apache.velocity.context)
get:286, InternalContextAdapterImpl (org.apache.velocity.context)
getVariableValue:843, ASTReference (org.apache.velocity.runtime.parser.node)
execute:222, ASTReference (org.apache.velocity.runtime.parser.node)
render:342, ASTReference (org.apache.velocity.runtime.parser.node)
render:336, SimpleNode (org.apache.velocity.runtime.parser.node)
value:290, ASTStringLiteral (org.apache.velocity.runtime.parser.node)
putProperty:370, AbstractTagDirective (com.opensymphony.webwork.views.velocity)
createPropertyMap:240, AbstractTagDirective (com.opensymphony.webwork.views.velocity)
applyAttributes:394, AbstractTagDirective (com.opensymphony.webwork.views.velocity)
render:111, AbstractTagDirective (com.opensymphony.webwork.views.velocity)
render:175, ASTDirective (org.apache.velocity.runtime.parser.node)
render:72, ASTBlock (org.apache.velocity.runtime.parser.node)
getRenderedTagBody:179, ApplyDecoratorDirective (com.atlassian.confluence.setup.velocity)
render:154, ApplyDecoratorDirective (com.atlassian.confluence.setup.velocity)
render:175, ASTDirective (org.apache.velocity.runtime.parser.node)
render:336, SimpleNode (org.apache.velocity.runtime.parser.node)
merge:328, Template (org.apache.velocity)

8. setValue & setName

AbstractUITag

9. 二次findValue

但是是如何解析的呢?答案在AbstractUITag#evaluateParams

1
2
3
4
5
6
7
8
9
10
evaluateParams:378, AbstractUITag (com.opensymphony.webwork.views.jsp.ui)
doEndTag:213, AbstractUITag (com.opensymphony.webwork.views.jsp.ui)
processTag:349, AbstractTagDirective (com.opensymphony.webwork.views.velocity)
render:122, AbstractTagDirective (com.opensymphony.webwork.views.velocity)
render:175, ASTDirective (org.apache.velocity.runtime.parser.node)
render:72, ASTBlock (org.apache.velocity.runtime.parser.node)
getRenderedTagBody:179, ApplyDecoratorDirective (com.atlassian.confluence.setup.velocity)
render:154, ApplyDecoratorDirective (com.atlassian.confluence.setup.velocity)
render:175, ASTDirective (org.apache.velocity.runtime.parser.node)
render:336, SimpleNode (org.apache.velocity.runtime.parser.node)

3.2 createpage.action 利用链

createpage 与以上类似,只不过需要登录

  1. content-editor.vm
1
2
3
4
5
        #tag ("Hidden" "name='queryString'" "value='$!queryString'")
        #tag ("Hidden" "name='fromPageId'" "value='$fromPageId'")
        #tag ("Hidden" "name='spaceKey'" "value=spaceKey")
...
        #tag ("Hidden" "name='linkCreation'" "value='$isLinkCreation'")

7.4.10版本,可以看到有几处可以触发

  1. CreatePageAction

createpage.vm – createpage-form.vm – content-editor.vm

1
2
3
4
5
6
<action name="createpage" class="com.atlassian.confluence.pages.actions.CreatePageEntryAction" method="doDefault">
    <interceptor-ref name="defaultStack"/>
    <result name="error" type="velocity">/pages/createpage.vm</result>
    <result name="input" type="velocity">/pages/createpage.vm</result>
    ...
</action>

其他与以上都类似,poc如下

upload successful

0x04 扩展思考

4.1 Confluence 的账号权限逻辑

4.1.1 登录

上文中的doenterpagevariables.action 无需登录,createpage.action需要。Confluence 是如何实现的呢?

这些其实是struts2 的基础架构知识,之前没理过,现在理一遍。

以createpage.action为例

  1. defaultStack

    在xwork.xml struts2配置文件中,可以找到createpage action 对应的interceptors 为defaultStack

1
2
<action name="createpage" class="com.atlassian.confluence.pages.actions.CreatePageEntryAction" method="doDefault">
    <interceptor-ref name="defaultStack"/>

  1. interceptors

    defaultStack 具体包含一下interceptors

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
0 = {XWorkProfilingInterceptor@44739} 
1 = {SecurityHeadersInterceptor@44747} 
2 = {SetupIncompleteInterceptor@44748} 
3 = {ConfluenceXWorkTransactionInterceptor@44724} 
4 = {SafeParametersInterceptor@44714} 
5 = {ConfluenceAutowireInterceptor@44749} 
6 = {LastModifiedInterceptor@44750} 
7 = {ServletConfigInterceptor@44751} 
8 = {FlashScopeInterceptor@44752} 
9 = {ConfluenceAccessInterceptor@44753} 
10 = {SpaceAwareInterceptor@44754} 
11 = {PageAwareInterceptor@44755} 
12 = {CommentAwareInterceptor@44756} 
13 = {UserAwareInterceptor@44757} 
14 = {PrepareInterceptor@44758} 
15 = {BootstrapAwareInterceptor@44759} 
16 = {PermissionCheckInterceptor@44760} 
17 = {ThemeContextInterceptor@44761} 
18 = {WebSudoInterceptor@44762} 
19 = {HttpMethodValidationInterceptor@44763} 
20 = {CancellingInterceptor@44764} 
21 = {LoggingContextInterceptor@44765} 
22 = {EventPublisherInterceptor@44766} 
23 = {MessageHolderInterceptor@44767} 
24 = {HttpRequestStatsInterceptor@44768} 
25 = {ConfluenceLicenseInterceptor@44769} 
26 = {ConfluenceXsrfTokenInterceptor@44770} 
27 = {XWorkProfilingInterceptor@44771}
  1. DefaultActionInvocation#invoke

DefaultActionInvocation#invoke 会按顺序调用以上interceptor#invoke,直至有有效的result

  1. PageAwareInterceptor

当执行至PageAwareInterceptor,会判断是否登录、检验权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
public String intercept(ActionInvocation actionInvocation) throws Exception {
    Ticker ignored = Timers.start("PageAwareInterceptor.intercept()");
    Throwable var3 = null;

    try {
        Action action = actionInvocation.getAction();
        if (!(action instanceof PageAware)) {
            String var23 = actionInvocation.invoke();
            return var23;
        } else {
            PageAware pageAware = (PageAware)action;
            Result result = ((PageAwareHelper)this.helperRef.get()).configure(pageAware, ServletActionContext.getRequest(), this::getParameter);
            String var7;
            switch(result) {
            case NOT_PERMITTED:
                var7 = "notpermitted";
                return var7;
            case PAGE_NOT_PERMITTED:
                var7 = "pagenotpermitted";
                return var7;
            case PAGE_NOT_FOUND:
                var7 = "pagenotfound";
                return var7;
            case READ_ONLY:
                var7 = "readonly";
                return var7;
  1. pagenotpermitted result

pagenotpermitted result 对应ActionChainResult

1
2
3
<result name="pagenotpermitted" type="chain">
    <param name="actionName">pagenotpermitted</param>
</result>
  1. PageNotPermittedAction

ActionChainResult 会执行 pagenotpermitted的action,也即PageNotPermittedAction

1
2
3
4
5
6
7
<action name="pagenotpermitted" class="com.atlassian.confluence.pages.actions.PageNotPermittedAction">
    <result name="success" type="velocity">/pages/pagenotpermitted.vm</result>
    <result name="login" type="redirect">${loginUrl}</result>
    <result name="noEditPermission" type="redirect">${noPageEditPermissionRedirectUrl}</result>
    <result name="noSpaceEditPermission" type="redirect">${noSpaceEditPermissionRedirectUrl}</result>
    <result name="cancel" type="redirect">${targetUrlPath}</result>
</action>

之后就进入了pagenotpermitted action 的流程

  1. validatingStack
1
2
3
4
5
<package name="pages" extends="default" namespace="/pages">
    <default-interceptor-ref name="validatingStack"/>
    ...
    <action name="pagenotpermitted" class="com.atlassian.confluence.pages.actions.PageNotPermittedAction">

此时对应的interceptors 为validatingStack

之后的流程与之前类似,这里不赘述了

  1. PageNotPermittedAction

执行完interceptors,返回result login

1
2
3
4
5
6
7
@PermittedMethods({HttpMethod.ANY_METHOD})
@XsrfProtectionExcluded
public String execute() {
    boolean targetObjectIsDraft = (Boolean)this.getTargetObject().map(ContentEntityObject::isDraft).orElse(false);
    if (this.getAuthenticatedUser() == null) {
        return "login";
    } else {

进行redirect

  1. RedirectResult

RedirectResult 进行跳转响应

4.1.2 权限验证

与登录相似,同样是在PageAwareInterceptor 中进行权限验证。

1
2
3
isPermitted:17, CreatePageEntryAction (com.atlassian.confluence.pages.actions)
configure:141, PageAwareHelper (com.atlassian.confluence.impl.pages.actions)
intercept:29, PageAwareInterceptor (com.atlassian.confluence.pages.actions)

upload successful

调用CreatePageEntryAction#isPermitted 进行权限验证

后续还涉及到

  • DefaultPermissionManager
  • DefaultSpacePermissionManager

不做过多赘述

4.2 如何写出有问题的Velocity

其实归根结底,是Struct2 velocity模板二次注入的问题,在Struct2 的历史漏洞中也有出现过,留待以后Struct2 系列再总结吧。

0x05 小结

本文跟踪复现了Confluence CVE-2021-26084 这个Velocity模板二次注入漏洞,发现这是Struct2 的通用问题。包括之前分析过的Confluence CVE-2022-26134 OGNL 这一漏洞,其实也是和Struct2 特性有关。

Struct2 框架虽然不再流行,但其一系列的漏洞及修复、绕过还是很经典,一些历史的产品也可能还存在类似的问题,虽然是个难啃的知识点,但是借Confluence 这两个漏洞的契机,也准备复现分析Struct2 的历史漏洞一番。

其他的思考点

  1. Confluence的登录/角色 鉴权怎么做的,这块还没分析,有没有可操作空间
  2. poc有unicode编码,原因在ognl一节已经提到过

0x06 参考

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true