Full Report
Recently, some researchers found a vulnerability in the Atlassian Companion app. The program relies on a blocklist of roughly 350 file types, and the author of the original post found that `.class` files were not on it, giving them RCE. Why a blocklist at all? Atlassian does not add the quarantine attribute to downloaded files because doing so would make the user experience worse. A blocklist is commonly a bad idea, though: an attacker only needs to find one file type that works. The `.fileloc` type is similar to a symbolic link, acting as a shortcut on macOS, and it accepts a full path to another file on the system. Since it was not a blocked file type, it was a good candidate for exploitation.

While reverse engineering the application, they noticed that files on the blocklist were still downloaded, just made inaccessible. Weird! The directory they landed in had a random name, and reaching it also required the macOS username. So they found one WebSocket API call that returned the folder UUID and another that leaked the username in an error message. With all of this, we have a full chain:

1. Make a WebSocket API call to leak the UUID.
2. Make a WebSocket API call to leak the macOS username.
3. Download a malicious file of a type that should be blocked. It is still stored on the system, and we now know its path.
4. Download the `.fileloc` file, which points to the absolute path of the malicious file above.
5. Pop a shell!
Analysis Summary
# Vulnerability: RCE in Atlassian Companion for macOS via File Extension Bypass and Symlink-like Shortcut
## CVE Details
- CVE ID: CVE-2023-22524
- CVSS Score: Information not explicitly provided in the text, but the vulnerability leads to RCE, suggesting a **High** severity score.
- CWE: CWE-20 (Improper Input Validation) or CWE-434 (Unrestricted Upload of File with Dangerous Type) related aspects are implied by the blocklist bypass.
## Affected Systems
- Products: Atlassian Companion for macOS
- Versions: All versions prior to 2.0.0 (as 2.0.0 or later is the patched version).
- Configurations: macOS users running Atlassian Companion.
## Vulnerability Description
The vulnerability stems from an incomplete file extension blocklist within the Atlassian Companion application for macOS. This blocklist, intended to prevent execution of dangerous file types, failed to include specific file extensions that could lead to Remote Code Execution (RCE).
The flaw allows an attacker to leverage file types that allow referencing absolute paths, specifically the macOS `.fileloc` file type (which acts as a shortcut pointing to another file). The complete exploit chain involves:
1. **Information Disclosure:** Utilizing two separate WebSocket API calls (on port 31459) to leak the application’s randomized download directory UUID and the local macOS username needed to construct the full path.
2. **Bypassing Protections:** Downloading a malicious file of a blocked type. Files on the blocklist are still written to disk but rendered inaccessible; the leaked UUID and username make their path known. (The earlier omission of Java `.class` files from the blocklist is what led to the original RCE discovery.)
3. **Path Dereferencing:** Downloading a malicious `.fileloc` file that points to the absolute path of the previously downloaded malicious file.
4. **Execution:** Since the application bypasses macOS Gatekeeper (by omitting the quarantine attribute), dereferencing the `.fileloc` file leads to RCE.
## Exploitation
- Status: PoC available (The article describes the successful exploitation chain found by researchers based on a prior RCE discovery).
- Complexity: Medium (Requires information disclosure via WebSockets, reverse engineering of file paths, and crafting specific files).
- Attack Vector: Remote, requiring user interaction. The chain is triggered when the local user interacts with attacker-controlled content (e.g., clicking "Edit" on a malicious Confluence page), so no prior local access is needed.
## Impact
- Confidentiality: **High** (If attackers can execute arbitrary code, they can read sensitive system files).
- Integrity: **High** (Arbitrary code execution allows modification or deletion of system/user data).
- Availability: **High** (RCE can lead to denial of service or system compromise).
## Remediation
### Patches
- Upgrade to Atlassian Companion **version 2.0.0 or later**.
- *Note: While the source article mentions a previous fix addressing `.class` files, the described chained exploit utilizing `.fileloc` is resolved in releases following the discovery.*
### Workarounds
- No explicit workarounds are detailed in the provided context other than upgrading. Users relying on the application should ensure it does not automatically process files from untrusted sources until patched.
## Detection
- **Indicators of Compromise (IoCs):**
  - WebSocket connections to the Atlassian Companion application's local listener (port 31459) carrying unusual API calls capable of leaking the download directory UUID or the macOS username.
  - Creation of `.fileloc` files pointing to executable or script content within the Companion download directory structure.
- **Detection Methods and Tools:**
  - Monitoring WebSocket traffic to and from the Atlassian Companion process for unusual communication patterns.
  - File integrity monitoring on directories used by the Companion app for temporary file storage.
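As an added defensive example (not code from the original post or from Atlassian), the following Python walks a download directory, parses each `.fileloc` shortcut and flags those pointing at executable-type files or back into the download directory itself, which is the second IoC above. It assumes a `.fileloc` is an XML plist whose top-level `URL` key holds a `file://` URL; the risky-extension list and the fixture writer are constructed for this example.

```python
import plistlib
from pathlib import Path
from urllib.parse import unquote, urlparse

# Target types a shortcut in a download directory should not point at (constructed list).
RISKY_TARGET_EXTS = {".class", ".jar", ".sh", ".command", ".py", ".rb", ".pl"}


def fileloc_target(shortcut):
    """Return the local path a .fileloc points to, or None if it is not a
    plist whose top-level "URL" key holds a file:// URL (assumed format)."""
    try:
        with open(shortcut, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception:  # unreadable, not a plist, or malformed XML
        return None
    url = plist.get("URL") if isinstance(plist, dict) else None
    if not isinstance(url, str):
        return None
    parsed = urlparse(url)
    if parsed.scheme != "file" or not parsed.path:
        return None
    return unquote(parsed.path)


def scan_fileloc(download_dir):
    """Return (shortcut, target, reasons) for every .fileloc under download_dir
    whose target has a risky extension or resolves back into that directory."""
    root = Path(download_dir).resolve()
    findings = []
    for shortcut in sorted(root.rglob("*.fileloc")):
        target = fileloc_target(shortcut)
        if target is None:
            continue
        tpath = Path(target)
        reasons = []
        if tpath.suffix.lower() in RISKY_TARGET_EXTS:
            reasons.append("executable target type")
        try:  # relative_to raises ValueError when the target is outside root
            tpath.resolve().relative_to(root)
            reasons.append("target inside download directory")
        except ValueError:
            pass
        if reasons:
            findings.append((str(shortcut), target, reasons))
    return findings


def write_sample_fileloc(path, target):
    """Write a constructed .fileloc plist as a test fixture (no payload inside)."""
    with open(path, "wb") as fh:
        plistlib.dump({"URL": Path(target).as_uri()}, fh)
```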
## References
- Vendor Advisory (Specific link provided in text): [https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html](https://confluence.atlassian.com/security/cve-2023-22524-rce-vulnerability-in-atlassian-companion-app-for-macos-1319249492.html)
- Research Blog (Initial context): hxxps://wojciechregula.blog/post/macos-atlassian-companion-rce/
- Fix Version Reference: hxxps://confluence.atlassian.com/doc/install-atlassian-companion-992678880.html