CVSS2: 7.5 High

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.972 High (Percentile: 99.8%)

Name | CF_directory_traversal |
---|---|
CVE | CVE-2010-2861 Exploit Pack |
VENDOR | http://www.adobe.com |

Things to consider:
1 - A remote file (i-test10-1.cfm) will be left in the webroot as well as the CANVAS callback trojan (CF8AdminXXYY.exe)
2 - When creating a ColdFusion Task a time must be specified. For now this is the current time relative to the CANVAS host plus 1 minute.
3 - This module assumes that ColdFusion was installed in the default location.

Notes: This is a multi-step exploit. The steps include:
1 - Exploit the directory traversal to read the configuration file containing the CF admin password hash
2 - Log in with the hash (without knowing the plaintext)
3 - Attempt to discover the web document root (otherwise default to \inetpub\wwwroot)
4 - Create a scheduled task that will download a remote .cfm file
5 - Run the remote .cfm file to execute our CANVAS callback trojan
6 - Enjoy our SYSTEM shell :)
Known Vulnerable Versions: ['ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX']
Repeatability: Infinite
References: http://www.adobe.com/support/security/bulletins/apsb10-18.html
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2861
Google Dorks: ['inurl:/CFIDE/administrator/']