Immunity Canvas: FCKEDITOR

2009-07-05 16:30:00
Immunity Canvas
exploitlist.immunityinc.com
325

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.973 High
EPSS Percentile: 99.8%

Name: FCKEditor
CVE: CVE-2009-2265
Exploit Pack VENDOR:
Known Vulnerable Versions: ['ColdFusion MX 8 - 8.01', 'osCMax <=2.0', 'RunCMS <=1.3a', 'Falt4 CMS', 'Many more to come!']
Notes: This exploit has two different variants - one for Windows on ColdFusion and another for Apache. The default will get you a shell on ColdFusion MX 8.0 and MX 8.0.1.

ColdFusion/IIS: To exploit this successfully you have to win a race condition - this exploit module dramatically increases your odds of getting a shell (in fact it doesn't stop until it does or you stop it). Due to the nature of the exploit you may get more than one shell to appear (because we can win the race again before the module has a chance to stop trying). We first send a ColdFusion module up to the server that, when executed, will dump a MOSDEF trojan onto the webserver in the format of CFAdminYYZZ.exe.

This MOSDEF shell will be running as user SYSTEM. The default behavior of this exploit is to attack ColdFusion on IIS.

Apache: There are many applications that use FCKEditor and the attack vector varies as a result. This module attempts a combination of many known attack vectors but can be 'noisy'.

In the 'autoversion' mode it will attempt to find vulnerable installations of a few applications that are known to be vulnerable. In the 'custom' mode you can supply a path to your own connector believed to be vulnerable and CANVAS will attempt a variety of combinations to get a shell uploaded and executed.

Be mindful to supply the correct basepath so CANVAS can build the URLs correctly!

Due to the race condition the generated CFAdminYYZZ.cfm file may not be deleted from the /UserFiles/File folder. You may have to do this manually.
Repeatability: Infinite
References: ['http://www.adobe.com/support/security/bulletins/apsb09-09.html (ColdFusion)']
Date public: 7/8/2009
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
Google Dorks: ['inurl:cfm/cf5_connector.cfm', 'inurl:cfm/cf5_upload.cfm', 'inurl:php/connector.php']
CVSS: 7.5
