A proof of concept for CVE-2021-27850 affecting Apache Tapestry and leading to unauthenticated remote code execution.

kahla-sec/CVE-2021-27850_POC

CVE-2021-27850 Exploit

Overview

CVE-2021-27850 is a critical unauthenticated remote code execution vulnerability found in all recent versions of Apache Tapestry. Downloading the AppModule.class file leaks the HMAC secret key used to sign all serialized objects in Apache Tapestry.
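For defenders, the retrieval of AppModule.class described above is the observable event to hunt for. The following is an added example, not code from this repository, that scans Apache access-log lines for requests to .class files and flags a served AppModule.class as a probable key disclosure; the log lines and the asset paths in them are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format); the asset
# paths are assumed for illustration and are not taken from the project.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2021:10:00:01 +0000] "GET /app/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2021:10:00:02 +0000] "GET /assets/app/services/AppModule.class HTTP/1.1" 200 2048 "-" "curl/7.68.0"
198.51.100.7 - - [10/Apr/2021:10:00:03 +0000] "GET /assets/app/pages/Index.class HTTP/1.1" 404 300 "-" "curl/7.68.0"
198.51.100.7 - - [10/Apr/2021:10:00:04 +0000] "GET /assets/app/services/AppModule%2Eclass?v=1 HTTP/1.1" 200 2048 "-" "python-requests/2.25"
"""

# client ip, timestamp, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_class_file_requests(log_text):
    """Return one finding per request whose decoded path targets a .class file."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        # Split off the query string first, then percent-decode, so that
        # "AppModule%2Eclass?v=1" is recognised as a request for AppModule.class.
        path = unquote(urlsplit(target).path)
        if not path.lower().endswith(".class"):
            continue
        basename = path.rsplit("/", 1)[-1]
        findings.append({
            "ip": ip,
            "timestamp": ts,
            "path": path,
            "status": int(status),
            # A served (2xx) AppModule.class is the case this page describes:
            # the HMAC key used to sign serialized objects may have been disclosed.
            "key_disclosure": basename == "AppModule.class" and status.startswith("2"),
        })
    return findings


if __name__ == "__main__":
    for f in find_class_file_requests(SAMPLE_LOG):
        flag = "KEY DISCLOSURE" if f["key_disclosure"] else "class-file probe"
        print(f"{f['timestamp']} {f['ip']} {f['status']} {f['path']} -> {flag}")
```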

We encountered this CVE in a real-life assessment and, as far as I know, there are no public exploits available showing how Tapestry signs the serialized objects, so we decided to publish the following POC, which we used after digging in the Apache Tapestry source code for a long time x)

Usage

1- Clone this repo

2- Run the following command

javac -classpath commons-codec-1.15/commons-codec-1.15.jar:. Exploit.java

3- Finally run the following:

java -cp commons-codec-1.15/commons-codec-1.15.jar:. Exploit [Tapestry Key] [Ysoserial Payload] [Command To Execute]

Where [Tapestry Key] is the HMAC key leaked from AppModule.class, [Ysoserial Payload] is the payload you want to use from ysoserial, and [Command To Execute] is the command you want to execute.

Note: Unlike the usual Java deserialization exploits, where the commands you can run are limited (no pipes or special characters, ...), here you can use any complex command you want, since the following is prepended before the command is executed: sh -c $@|sh . echo .

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27850

https://github.com/apache/tapestry-5
