Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2021-27850

Description

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

POC

Reference

No PoCs from references.

Github

- https://github.com/20142995/nuclei-templates

- https://github.com/20142995/sectool

- https://github.com/ARPSyndicate/cvemon

- https://github.com/ARPSyndicate/kenzer-templates

- https://github.com/HimmelAward/Goby_POC

- https://github.com/NaInSec/CVE-PoC-in-GitHub

- https://github.com/NyxAzrael/Goby_POC

- https://github.com/Ovi3/CVE_2021_27850_POC

- https://github.com/SYRTI/POC_to_review

- https://github.com/Threekiii/Awesome-POC

- https://github.com/WhooAmii/POC_to_review

- https://github.com/Whoopsunix/PPPVULNS

- https://github.com/Z0fhack/Goby_POC

- https://github.com/dorkerdevil/CVE-2021-27850_POC

- https://github.com/k0mi-tg/CVE-POC

- https://github.com/kahla-sec/CVE-2021-27850_POC

- https://github.com/manas3c/CVE-POC

- https://github.com/n0-traces/cve_monitor

- https://github.com/nomi-sec/PoC-in-GitHub

- https://github.com/novysodope/CVE-2021-27850

- https://github.com/rain3ways/AWS-Security-Engineering

- https://github.com/ranhn/Goby-Poc

- https://github.com/soosmile/POC

- https://github.com/trhacknon/Pocingit

- https://github.com/whoforget/CVE-POC

- https://github.com/youwizard/CVE-POC

- https://github.com/zecool/cve