module
Apache Tapestry HMAC secret key leak
| Disclosed | Created |
|---|---|
| 04/15/2021 | 07/23/2021 |
Disclosed
04/15/2021
Created
07/23/2021
Description
This exploit finds the HMAC secret key used in Java serialization by Apache Tapestry. This key
is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits (hd) :
6hd-4hd-4hd-4hd-12hd
If the HMAC key has been changed to look differently, this module won't find the key because it tries to download the file
and then uses a specific regex to find the key.
is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits (hd) :
6hd-4hd-4hd-4hd-12hd
If the HMAC key has been changed to look differently, this module won't find the key because it tries to download the file
and then uses a specific regex to find the key.
Authors
Johannes MoritzYann Castel (yann.castel
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key
msf /(y) > show actions
...actions...
msf /(y) > set ACTION < action-name >
msf /(y) > show options
...show and set options...
msf /(y) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.