CVE-2024-38077: "MadLicense" Windows RCE

Early this morning, two proofs of concept popped up for this vulnerability. We remain uncertain whether they are fake (the personalities involved suggest not) or intentionally and heavily neutered. Either way, we have had no luck reproducing the issue so far. Although reproduction is still an ongoing effort, we did push Shodan and Confluence queries to the feed that identify the affected service (the Windows Remote Desktop Licensing Service). A pcap and Suricata/Snort rules have also been pushed out; note that they capture activity associated with exploitation rather than the exploitation itself.

CVE-2024-38856: Apache OFBiz improper authorization checks RCE

The team developed an exploit for Apache OFBiz that takes advantage of an incomplete patch for CVE-2024-32113, which still allows path traversal without authorization. Our variant adds six other paths that improperly resolve, so signatures that key only on the forgotPassword endpoint will not detect it.

CVE-2024-4547 and CVE-2024-4548: Delta Electronics DIAEnergie SQLi -> Code Execution

These are technically distinct attacks (the injection happens in different commands), but we group them here for brevity. The team developed an exploit, version scanner, pcap, network signatures, and Snort/Suricata rules for the SQLi, which leads to a SYSTEM shell. The systems are not widely deployed across the internet (nor should they be, since this is ICS software), but we did find a handful.

CVE-2024-6782: Calibre RCE

This is a very straightforward unauthenticated RCE recently disclosed by StarLabs. The team delivered an exploit, version scanner, pcap, network signatures, Snort/Shodan/GreyNoise queries, and a vulnerable docker compose. We don't yet see evidence of exploitation in the wild, but with hundreds of vulnerable targets exposed, we assume that will change.

go-exploit updated to 1.24.0

This update adds a self-documentation mechanism: each exploit can now describe itself (its capabilities, vendor, products, CPEs, CVE, protocol, and default port) via the -details flag, and -log-json makes that description machine-readable. Converting the entire repository to use the mechanism will likely carry into next week.

albinolobster@mournland:~/initial-access/feed/cve-2022-26134$ ./build/cve-2022-26134_linux-arm64 -details -log-json | jq
{
  "time": "2024-08-09T13:53:42.919293374-04:00",
  "level": "SUCCESS",
  "msg": "Implementation Details",
  "AssetDetection": true,
  "VersionScanner": true,
  "Exploitation": true,
  "Vendor": "Atlassian",
  "Products": [
    "Confluence Data Center",
    "Confluence Server"
  ],
  "CPE": [
    "cpe:2.3:a:atlassian:confluence_data_center",
    "cpe:2.3:a:atlassian:confluence_server"
  ],
  "CVE": "CVE-2022-26134",
  "Protocol": "HTTP",
  "DefaultPort": 8090
}
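To show how the -details -log-json output can be consumed, here is an added example (not go-exploit's own code): a small Go program that decodes the record above into a struct, validates that it really is an "Implementation Details" message, and filters an inventory of such records by CPE prefix and capability. The struct definition, function names, and the second inventory record (a constructed scanner-only entry with the placeholder CVE-0000-0000) are this example's assumptions, not part of go-exploit; QueryBinary shows how the record would be pulled from a built exploit binary but is not exercised offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// ExploitDetails mirrors the "Implementation Details" record that go-exploit
// 1.24.0 prints for `<exploit> -details -log-json`. Field names follow the JSON
// keys shown above; the struct itself is this example's, not go-exploit's.
type ExploitDetails struct {
	Time           time.Time `json:"time"`
	Level          string    `json:"level"`
	Msg            string    `json:"msg"`
	AssetDetection bool      `json:"AssetDetection"`
	VersionScanner bool      `json:"VersionScanner"`
	Exploitation   bool      `json:"Exploitation"`
	Vendor         string    `json:"Vendor"`
	Products       []string  `json:"Products"`
	CPE            []string  `json:"CPE"`
	CVE            string    `json:"CVE"`
	Protocol       string    `json:"Protocol"`
	DefaultPort    int       `json:"DefaultPort"`
}

// ParseDetails decodes one -log-json line and rejects anything that is not an
// "Implementation Details" record, so an ordinary log line is never mistaken
// for capability metadata.
func ParseDetails(line string) (ExploitDetails, error) {
	var d ExploitDetails
	if err := json.Unmarshal([]byte(line), &d); err != nil {
		return d, err
	}
	if d.Msg != "Implementation Details" {
		return d, fmt.Errorf("unexpected log message %q", d.Msg)
	}
	if d.CVE == "" || d.DefaultPort <= 0 || d.DefaultPort > 65535 {
		return d, fmt.Errorf("record %q lacks a CVE or a sane default port", d.CVE)
	}
	return d, nil
}

// LoadInventory parses one record per line, skipping blank lines.
func LoadInventory(text string) ([]ExploitDetails, error) {
	var inv []ExploitDetails
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		d, err := ParseDetails(line)
		if err != nil {
			return nil, err
		}
		inv = append(inv, d)
	}
	return inv, nil
}

// MatchesCPE reports whether any of the exploit's CPEs starts with prefix,
// e.g. "cpe:2.3:a:atlassian:" for every Atlassian product.
func (d ExploitDetails) MatchesCPE(prefix string) bool {
	for _, c := range d.CPE {
		if strings.HasPrefix(c, prefix) {
			return true
		}
	}
	return false
}

// SelectExploits returns the CVEs in inv that target the CPE prefix and
// implement full exploitation (scanner-only entries are excluded).
func SelectExploits(inv []ExploitDetails, cpePrefix string) []string {
	var cves []string
	for _, d := range inv {
		if d.Exploitation && d.MatchesCPE(cpePrefix) {
			cves = append(cves, d.CVE)
		}
	}
	return cves
}

// QueryBinary runs a built go-exploit binary with -details -log-json and parses
// the first output line. It needs a real binary, so it is not run offline.
func QueryBinary(path string) (ExploitDetails, error) {
	out, err := exec.Command(path, "-details", "-log-json").Output()
	if err != nil {
		return ExploitDetails{}, err
	}
	first := strings.SplitN(strings.TrimSpace(string(out)), "\n", 2)[0]
	return ParseDetails(first)
}

// sampleInventory is constructed for this example: the record from the page,
// plus a scanner-only record with a placeholder CVE to show the filter.
const sampleInventory = `{"time":"2024-08-09T13:53:42.919293374-04:00","level":"SUCCESS","msg":"Implementation Details","AssetDetection":true,"VersionScanner":true,"Exploitation":true,"Vendor":"Atlassian","Products":["Confluence Data Center","Confluence Server"],"CPE":["cpe:2.3:a:atlassian:confluence_data_center","cpe:2.3:a:atlassian:confluence_server"],"CVE":"CVE-2022-26134","Protocol":"HTTP","DefaultPort":8090}
{"time":"2024-08-09T13:54:01.000000000-04:00","level":"SUCCESS","msg":"Implementation Details","AssetDetection":true,"VersionScanner":true,"Exploitation":false,"Vendor":"Atlassian","Products":["Confluence Server"],"CPE":["cpe:2.3:a:atlassian:confluence_server"],"CVE":"CVE-0000-0000","Protocol":"HTTP","DefaultPort":8090}`

func main() {
	inv, err := LoadInventory(sampleInventory)
	if err != nil {
		panic(err)
	}
	fmt.Println("full exploits for Atlassian:", SelectExploits(inv, "cpe:2.3:a:atlassian:"))
}
```

In practice you would loop QueryBinary over every binary under build/, feed the records to LoadInventory-style aggregation, and match the CPE list against asset inventory from a Shodan or Censys export; the Msg and port checks in ParseDetails keep a binary that fails to start (and prints an error line instead) from silently polluting the index.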