
Immunity Canvas: CF_DIRECTORY_TRAVERSAL

2010-08-11 18:47:00
Immunity Canvas
exploitlist.immunityinc.com

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.972 High
Percentile: 99.8%

Name: CF_directory_traversal
CVE: CVE-2010-2861 Exploit Pack
VENDOR: http://www.adobe.com
Things to consider:
1 - A remote file (i-test10-1.cfm) will be left in the webroot as well as the CANVAS callback trojan (CF8AdminXXYY.exe)
2 - When creating a ColdFusion Task a time must be specified. For now this is the current time relative to the CANVAS host plus 1 minute.
3 - This module assumes that ColdFusion was installed in the default location.

Notes: This is a multi-step exploit. The steps include:
1 - Exploit the directory traversal to read the configuration file containing the CF admin password hash
2 - Log in with the hash (without knowing the plaintext)
3 - Attempt to discover the web document root (otherwise default to \inetpub\wwwroot)
4 - Create a scheduled task that will download a remote .cfm file
5 - Run the remote .cfm file to execute our CANVAS callback trojan
6 - Enjoy our SYSTEM shell :)

Known Vulnerable Versions: ['ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX']
Repeatability: Infinite
References: http://www.adobe.com/support/security/bulletins/apsb10-18.html
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2861
Google Dorks: ['inurl:/CFIDE/administrator/']
