Atlassian Companion Update Now! PoC for CVE-2023-22524 Puts Businesses on High Alert
A recent revelation has shed light on a critical flaw within the Atlassian Companion App, an optional desktop application designed to augment the file editing experience in Confluence Data Center and Server. This vulnerability, identified as CVE-2023-22524 and rated a 9.6 on the CVSS scale, underscores the intricate challenges and risks associated with remote code execution (RCE) in modern software.
The Atlassian Companion App for MacOS, until its version 2.0.0, has been susceptible to a dangerous RCE vulnerability. This flaw enables attackers to bypass the application’s security measures, including Atlassian Companion’s blocklist and MacOS Gatekeeper, via WebSockets, paving the way for unauthorized code execution.
Ron Masas, a respected Security Researcher at Imperva, recently published the technical details and a proof-of-concept (PoC) for the CVE-2023-22524 flaw, illuminating the intricate mechanisms at play. Masas delved into the application’s source code, accessible as an Electron application, to uncover its vulnerabilities. By unpacking the app’s `asar` archive, he gained insights into its WebSocket communication protocol, which interestingly operates on port 31459 and is open to all origins.
The app’s WebSocket server uses two authentication methods: “jwt” and “server.” The “server” option, which checks the WebSocket connection’s origin against a list of trusted domains, caught Masas’ attention. He discovered that by including a “siteTitle” in the authentication message, one could manipulate the popup text that asks users to trust a domain. This manipulation could mislead users into trusting harmful domains, adding to the potential for exploitation.
Masas identified that once a domain is trusted, certain API calls become accessible, notably “launch-file-in-app” and “list-apps.” The former can download and execute a file, while the latter identifies suitable applications for a given MIME type. This capability, combined with the app’s blocklist, which only blocks files after storing them on the user’s system, opened a pathway for exploitation.
A notable aspect of the vulnerability involves the `.fileloc` file extension, a macOS shortcut file. Masas ingeniously used this to bypass the blocklist, exploiting the fact that while certain files like `.class` are blocked, they are still stored on the system. By creating a `.fileloc` that points to such a file, he achieved remote code execution.
Masas noticed that while `.html` files were blocked, similar extensions like `.svg`, `.xml`, and `.htm` were not, which he used for browser JavaScript execution. This approach allowed him to leak the macOS username and dynamically generate a `.fileloc` file, leading to the execution of the blocked file.
In an unexpected turn, Masas discovered a simpler method involving Automator, a macOS tool. By executing an Automator application with the Script Editor, he could unzip a `.zip` file onto the user’s file system, circumventing the need for Java installation on the user’s device.
The complete PoC exploit source code for CVE-2023-22524 is available on GitHub, providing a detailed blueprint of this sophisticated security breach.