Adobe ColdFusion 10 WebSockets CFC Public Method Invocation (APSB13-19) (credentialed check)

2013-07-14T00:00:00
ID COLDFUSION_WIN_CVE-2013-3350.NASL
Type nessus
Reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
Modified 2020-08-02T00:00:00

Description

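The remote Windows host is running a version of ColdFusion that allows an unauthenticated, remote attacker to execute unauthorized methods. ColdFusion component methods that use the 'public' modifier can be invoked remotely using WebSockets. Only methods that use the 'remote' modifier should be capable of being invoked in this manner.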

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata registration: this branch only declares the plugin's identity,
# references, scoring and prerequisites, then exits without checking anything.
if (description)
{
  script_id(68881);
  script_version("1.7");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  # Vulnerability identifiers this plugin reports on.
  script_cve_id("CVE-2013-3350");
  script_bugtraq_id(61042);

  script_name(english:"Adobe ColdFusion 10 WebSockets CFC Public Method Invocation (APSB13-19) (credentialed check)");
  script_summary(english:"Checks CHF level");

  # NOTE(review): the synopsis says "multiple vulnerabilities", but only one
  # CVE id is registered above and the description covers a single issue -
  # confirm the wording against the vendor bulletin.
  script_set_attribute(
    attribute:"synopsis",
    value:
"A web-based application running on the remote Windows host is affected
by multiple vulnerabilities."
  );
  # The access-control gap: 'public' CFC methods are reachable over
  # WebSockets, where only 'remote' methods are meant to be.
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host is running a version of ColdFusion that allows
an unauthenticated, remote attacker to execute unauthorized methods.
ColdFusion component methods that use the 'public' modifier can be
invoked remotely using WebSockets. Only methods that use the 'remote'
modifier should be capable of being invoked in this manner. An
unauthenticated, remote attacker can exploit this to execute arbitrary
code.");
  # The comment above each shortened see_also link gives the full URL it stands for.
  # https://stackoverflow.com/questions/17351214/cf10-websocket-p2p-can-invoke-any-public-functions-in-any-cfc-from-javascript-h
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9dd44c4b");
  # http://cfmlblog.adamcameron.me/2013/06/web-socket-security-issue-risk.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ee7fe027");
  # https://coldfusion.adobe.com/2013/07/coldfusion-10-websocket-vulnerebility/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0c99480e");
  script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb13-19.html");
  # https://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-19.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d13b5431");
  script_set_attribute(attribute:"solution", value:"Upgrade to ColdFusion 10 Update 11 or later.");
  # CVSS v2 base: network-reachable, low complexity, no authentication,
  # complete impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal: exploitability unproven, official fix available,
  # report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/27");  # post on stackoverflow
  script_set_attribute(attribute:"patch_publication_date", value:"2013/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/14");

  # "local" plugin type: the check is credentialed and reads the installed
  # patch level from the host instead of probing the WebSocket service.
  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:adobe:coldfusion:10.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # Prerequisites: the local ColdFusion detection plugin must have stored an
  # instance in the knowledge base, and an SMB port must be available.
  # If detection did not run (for example, no working credentials), this
  # plugin does not run either, so no finding here is not proof of a patch.
  script_dependencies("coldfusion_win_local_detect.nasl");
  script_require_keys("SMB/coldfusion/instance");
  script_require_ports(139, 445);

  # Leave once the metadata is registered; the check itself is below.
  exit(0);
}

include("audit.inc");
include("coldfusion_win.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");

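# Only the ColdFusion 10 branch is in scope for this check.
versions = make_list('10.0.0');
instances = get_coldfusion_instances(versions); # this exits if it fails

# Check the hotfixes and cumulative hotfixes installed for each
# instance of ColdFusion. 11 is the update level named in the plugin's
# solution text ("ColdFusion 10 Update 11 or later").
# NOTE(review): check_jar_chf() comes from an include; it is presumed to
# return NULL for an instance already at or above that level - confirm.
instance_info = make_list();

foreach name (keys(instances))
{
  # The version stored in instances[name] is not needed here: every entry
  # already matches the 10.0.0 filter passed to get_coldfusion_instances().
  info = check_jar_chf(name, 11);

  if (!isnull(info))
    instance_info = make_list(instance_info, info);
}

# Nothing flagged: finish without raising a finding.
if (max_index(instance_info) == 0)
  exit(0, "No vulnerable instances of Adobe ColdFusion were detected.");

# The finding is reported against the SMB transport port used for the
# credentialed check. It reflects patch level only; this script does not
# test whether WebSockets are enabled or reachable on the host.
port = kb_smb_transport();

if (report_verbosity > 0)
{
  report =
    '\nNessus detected the following unpatched instances :' +
    '\n' + join(instance_info, sep:'\n') +
    '\n';
  security_hole(port:port, extra:report);
}
else security_hole(port);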