Web server/middleware vulnerability series 6: Summary of Jetty vulnerabilities


Introduction to JETTY:

Jetty, a project of the Eclipse Foundation, is a pure-Java web server and Java Servlet container. It supports the latest Java Servlet API as well as the WebSocket, SPDY and HTTP/2 protocols.

1. CVE-2021-28164 / CVE-2021-34429: sensitive information leakage

1. Vulnerability introduction:

In Jetty 9.4.37 (and 9.4.38), URI handling was changed to follow RFC 3986 (which replaced RFC 2396) more closely, and URIs that have ambiguous interpretations are selectively accepted: the default compliance mode allows percent-encoded characters in path segments, including encoded dots. The relevant passage of RFC 3986 (section 3.3, Path) says, in essence:

The path segments "." and "..", known as dot segments, are defined for relative references within the path name hierarchy; they play the same role as the current directory and the parent directory in some operating systems' file directory structures. Unlike in a file system, however, dot segments are only interpreted within the URI path hierarchy and are removed as part of the resolution process.

In other words, when a URI path is resolved, "." and ".." segments must be processed first. Jetty's attempt to comply with this processing produced a series of vulnerabilities: CVE-2021-28164 was fixed in 9.4.39, a bypass of that fix then appeared and was assigned CVE-2021-34429, which was fixed in 9.4.43.

2. Exploitation

1) Exploitation of CVE-2021-28164 vulnerability

  1. The docker-based vulnerable environment listens on port 8080 and serves a simple default page. Requesting /WEB-INF/web.xml directly returns a 404 page.

  2. Send the attack payload to read web.xml. Payload: /%2e/WEB-INF/web.xml. The %2e segment decodes to ".", the path resolves to /WEB-INF/web.xml, and the contents of web.xml are returned.

2) CVE-2021-34429: bypass of the fix

Basic bypass principle:

URIs can be crafted with certain encoded characters to access the contents of the WEB-INF directory and/or bypass other security restrictions. In the default compliance mode, a request whose URI contains a %u002e segment (the non-standard %uXXXX escape, which Jetty's URI decoder accepted at the time) can reach protected resources in the WEB-INF directory.

For example, a request to /%u002e/WEB-INF/web.xml retrieves the web.xml file, which can reveal sensitive information about the implementation of the web application. Encoded null characters can also prevent correct canonicalization, so /.%00/WEB-INF/web.xml retrieves web.xml as well.

Reproduction process:

  1. Request /WEB-INF/web.xml normally; the response is 404.

  2. Bypass with %u002e: request /%u002e/WEB-INF/web.xml and the contents of web.xml are returned.

  3. Bypass with an encoded null character: request /.%00/WEB-INF/web.xml and web.xml is returned again.
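The ordering bug that both CVEs above exploit, a protected-target check that runs on a path which is decoded and normalised again afterwards, can be modelled in a few lines. The following is an added example and is not Jetty's code: it implements remove_dot_segments from RFC 3986 section 5.2.4 (the dot-segment rule quoted in the introduction), a "vulnerable" request pipeline that checks the still-encoded path before a lenient decode, and a "hardened" pipeline that decodes strictly, rejects control characters and non-standard escapes, normalises, and only then checks. RESOURCES, the NUL-cutting behaviour of the lenient decoder and the status codes are assumptions of the model; the four request paths are the ones from the reproduction steps.

```python
import re

# Constructed stand-in for a deployed webapp's resources (not a real deployment).
RESOURCES = {
    "/index.html": "<html>hello</html>",
    "/WEB-INF/web.xml": "<web-app>...</web-app>",
}
PROTECTED = ("/WEB-INF", "/META-INF")


def remove_dot_segments(path: str) -> str:
    """remove_dot_segments from RFC 3986 section 5.2.4, for an absolute path.
    Only literal '.' and '..' segments are dot segments; '%2e' is not."""
    inp, out = path, ""
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":
            inp = "/" + inp[4:]
            out = out[:out.rfind("/")] if "/" in out else ""
        elif inp in (".", ".."):
            inp = ""
        else:
            seg = re.match(r"/?[^/]*", inp).group(0)  # first segment incl. leading '/'
            out += seg
            inp = inp[len(seg):]
    return out


def is_protected(path: str) -> bool:
    """Case-insensitive protected-target check on a canonical path."""
    p = path.upper()
    return any(p == pre or p.startswith(pre + "/") for pre in PROTECTED)


def strict_decode(path: str) -> str:
    """Decode %XX only; any other use of '%' (including the non-standard
    %uXXXX form) is treated as a malformed escape."""
    if re.search(r"%(?![0-9A-Fa-f]{2})", path):
        raise ValueError("malformed percent-escape")
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), path)


def lenient_decode(path: str) -> str:
    """Model of a permissive decoder: accepts %XX and %uXXXX, and cuts each
    segment at the first NUL (assumption of this model: a C-string style file
    API would in effect do the same)."""
    path = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), path)
    path = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), path)
    return "/".join(seg.split("\x00")[0] for seg in path.split("/"))


def serve_vulnerable(raw_path: str):
    """Bug: the protected-target check runs on the still-encoded path, so an
    encoded dot segment survives it; the resource layer then decodes and
    normalises, turning it into a real dot segment."""
    if is_protected(remove_dot_segments(raw_path)):
        return 404, None
    resolved = remove_dot_segments(lenient_decode(raw_path))
    return (200, RESOURCES[resolved]) if resolved in RESOURCES else (404, None)


def serve_hardened(raw_path: str):
    """Decode strictly, reject control characters, normalise, and only then
    apply the protected-target check, so the check sees exactly the path the
    resource lookup will use."""
    try:
        decoded = strict_decode(raw_path)
    except ValueError:
        return 400, None
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return 400, None
    canonical = remove_dot_segments(decoded)
    if is_protected(canonical):
        return 404, None
    return (200, RESOURCES[canonical]) if canonical in RESOURCES else (404, None)


if __name__ == "__main__":
    for p in ("/WEB-INF/web.xml", "/%2e/WEB-INF/web.xml",
              "/%u002e/WEB-INF/web.xml", "/.%00/WEB-INF/web.xml"):
        print(f"{p:26} vulnerable={serve_vulnerable(p)[0]} hardened={serve_hardened(p)[0]}")
```

The hardened pipeline resolves an encoded dot segment and then refuses the result; an equally valid choice is to reject any percent-encoded "." or ".." segment outright with 400, since a client has no legitimate reason to encode them.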

2. CVE-2021-28169: double decoding in ConcatServlet and WelcomeFilter

1. Vulnerability introduction:

In Jetty up to and including 9.4.40, 10.0.2 and 11.0.2, the ConcatServlet and WelcomeFilter classes in the jetty-servlets module decode the request path twice. If a developer actively uses either of these two classes, an attacker can send a doubly URL-encoded path that passes the WEB-INF check after the first decode and only becomes a WEB-INF path after the second, and so read sensitive files in the WEB-INF directory, leaking configuration files and code.

Affected versions (fixed in 9.4.41, 10.0.3 and 11.0.3):

  • jetty <= 9.4.40
  • jetty <= 10.0.2
  • jetty <= 11.0.2

2. Reproduction

  1. Port 8080 serves an example page that uses ConcatServlet to speed up loading of static files by combining them into one response:

    <link rel="stylesheet" href="/static?/css/base.css&/css/app.css">

  2. A normal request to /static?/WEB-INF/web.xml is rejected and cannot read the sensitive file web.xml.

  3. Double URL-encode the letter "W" of WEB-INF (W is %57, so doubly encoded it is %2557) to bypass the check: /static?/%2557EB-INF/web.xml returns the contents of web.xml.
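The double decode behind the steps above can be modelled the same way. The following is an added example and not Jetty's ConcatServlet: concat_vulnerable applies the WEB-INF check to the once-decoded path and then hands it to a dispatcher that decodes again, while concat_hardened rejects any path that still contains a percent escape after one decode (so a second decode could not change it) and looks the canonical path up directly. RESOURCES and dispatcher_include are assumptions of the model; the query strings are the ones used on this page.

```python
from urllib.parse import unquote

# Constructed resources of a fake webapp (not a real deployment).
RESOURCES = {
    "/css/base.css": "body{margin:0}",
    "/css/app.css": ".app{color:red}",
    "/WEB-INF/web.xml": "<web-app>secret</web-app>",
}


def is_protected(path: str) -> bool:
    """Case-insensitive WEB-INF check on the path as the servlet sees it."""
    p = path.upper()
    return p == "/WEB-INF" or p.startswith("/WEB-INF/")


def dispatcher_include(path: str):
    """Model of a RequestDispatcher-style include: the path handed to it is
    treated as URL-encoded and decoded once more before the lookup
    (assumption of this model, not a statement about Jetty's dispatcher)."""
    return RESOURCES.get(unquote(path))


def concat_vulnerable(query: str):
    """Bug: the WEB-INF check is applied to the once-decoded path, but the
    include decodes a second time, so '%2557' -> '%57' passes the check and
    only then becomes 'W'."""
    parts = []
    for raw in query.split("&"):
        once = unquote(raw)
        if is_protected(once):
            return 404, None
        body = dispatcher_include(once)
        if body is None:
            return 404, None
        parts.append(body)
    return 200, "\n".join(parts)


def concat_hardened(query: str):
    """Fix: refuse any path that still carries a '%' after one decode (its
    decoding is not a fixed point, so another layer could change it), check
    the canonical path, and look it up without decoding again."""
    parts = []
    for raw in query.split("&"):
        once = unquote(raw)
        if "%" in once:
            return 400, None
        if is_protected(once):
            return 404, None
        body = RESOURCES.get(once)
        if body is None:
            return 404, None
        parts.append(body)
    return 200, "\n".join(parts)


if __name__ == "__main__":
    for q in ("/css/base.css&/css/app.css", "/WEB-INF/web.xml",
              "/%57EB-INF/web.xml", "/%2557EB-INF/web.xml"):
        print(f"{q:30} vulnerable={concat_vulnerable(q)[0]} hardened={concat_hardened(q)[0]}")
```

Rejecting a residual "%" is one defensive choice; checking the fully decoded path instead also works, but only if every layer the path is later passed to is guaranteed not to decode it yet again.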

Origin blog.csdn.net/qq_45590334/article/details/121669699