CVE-2021-27850

Published: 15/04/2021 Updated: 02/06/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.

Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class`, which contains an HMAC secret key, by requesting the URL `localhost:8080/assets/something/services/AppModule.class`. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`.

Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:
* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
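The ordering flaw the advisory describes, as an added example in Python (not code from the page, from Tapestry or from the Metasploit module): one check mirrors the vulnerable order (suffix test on the raw path, trailing slash stripped only at resolution time), a hardened check normalizes the path before the suffix test and, going one step beyond the advisory, rejects a blocked extension on any path segment, and a small detector applies the hardened check to access-log lines. The log lines are constructed samples; the `hardened_is_blocked` generalization is my assumption, not Tapestry's actual fix.

```python
import re

# Suffixes rejected by the CVE-2019-0195 blacklist filter, per the advisory.
BLOCKED_SUFFIXES = (".class", ".properties", ".xml")

def vulnerable_is_blocked(path: str) -> bool:
    """Order of operations from the advisory: the suffix check sees the raw
    request path; the trailing '/' is only stripped afterwards, when the
    resource is resolved, so '.../AppModule.class/' passes the check."""
    return path.endswith(BLOCKED_SUFFIXES)  # a '/'-terminated path never matches

def hardened_is_blocked(path: str) -> bool:
    """Normalize first, decide second: collapse repeated slashes, drop any
    trailing slashes, then test the name that would actually be resolved.
    Assumption (defense in depth): a blocked extension on *any* segment is
    rejected, not only on the last one."""
    normalized = re.sub(r"/+", "/", path).rstrip("/")
    return any(seg.endswith(BLOCKED_SUFFIXES) for seg in normalized.split("/"))

# Constructed access-log lines in common log format (not from the page); the
# third line is the advisory's bypass URL being served with HTTP 200.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Apr/2021:10:00:01 +0000] "GET /assets/meta/tapestry/default.css HTTP/1.1" 200 512
10.0.0.9 - - [15/Apr/2021:10:00:02 +0000] "GET /assets/something/services/AppModule.class HTTP/1.1" 404 0
10.0.0.9 - - [15/Apr/2021:10:00:03 +0000] "GET /assets/something/services/AppModule.class/ HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

def suspicious_asset_requests(log_text: str):
    """Return (client, path, status) for /assets/ requests the hardened check
    would reject; a 200 status on such a line means the file was served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2).startswith("/assets/") and hardened_is_blocked(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

if __name__ == "__main__":
    for p in ("/assets/something/services/AppModule.class",
              "/assets/something/services/AppModule.class/"):
        print(f"{p}: vulnerable={vulnerable_is_blocked(p)} hardened={hardened_is_blocked(p)}")
    for hit in suspicious_asset_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```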

Vulnerable Product

apache tapestry

Exploits

Apache Tapestry HMAC secret key leak (Metasploit auxiliary module; described under Metasploit Modules below)

Mailing Lists

Description: the advisory quoted in full in the Vulnerability Summary above.

Metasploit Modules

Apache Tapestry HMAC secret key leak

This exploit finds the HMAC secret key used in Java serialization by Apache Tapestry. This key is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits (hd): 6hd-4hd-4hd-4hd-12hd. If the HMAC key has been changed to look differently, this module won't find the key because it tries to download the file and then uses a specific regex to find the key.

msf > use auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key
msf auxiliary(cve_2021_27850_apache_tapestry_hmac_key) > show actions
    ...actions...
msf auxiliary(cve_2021_27850_apache_tapestry_hmac_key) > set ACTION < action-name >
msf auxiliary(cve_2021_27850_apache_tapestry_hmac_key) > show options
    ...show and set options...
msf auxiliary(cve_2021_27850_apache_tapestry_hmac_key) > run

Github Repositories

A Proof of concept for CVE-2021-27850 affecting Apache Tapestry and leading to unauthenticated remote code execution.

CVE-2021-27850 Exploit Overview

CVE-2021-27850 is a critical unauthenticated remote code execution vulnerability that was found in all recent versions of Apache Tapestry. By downloading the AppModule.class file we can leak the HMAC secret key used to sign all the serialized objects in Apache Tapestry. We encountered this CVE in a real life assessment and as far as I know there

CVE-2021-27850 ysoserial

CVE-2021-27850 ysoserial: novysodope.github.io/2022/05/31/81/

Apache Tapestry CVE-2021-27850 PoC

Command usage:

git clone github.com/Ovi3/CVE_2021_27850_POC.git
cd CVE_2021_27850_POC/
gradlew runnbaleJar
java -jar ./build/libs/CVE_2021_27850_POC-1.0-SNAPSHOT.jar
[Usage]: java TapestryExploit [Tapestry Key] DNS [URL]
         java TapestryExploit [Tapestry Key] CB2 [Command]
# assuming the hmac key is "change this immediately"
java -jar ./build/libs/CVE_2021_27850_P