Lomtec ActiveWeb Professional 3.0 CMS Shell Upload / SYSTEM Execution

27 Jan 2011 00:00:00, reported by StenoPlasma
Type: packetstorm
Source: packetstormsecurity.com

Lomtec ActiveWeb Professional 3.0 CMS allows remote file upload and SYSTEM execution in ColdFusion

```text
-------------------------------------------------------------------------------------
www.ExploitDevelopment.com 2010-WEB-002  
(CERT VU#870532) (Security Focus BID 45985)  
-------------------------------------------------------------------------------------  
  
TITLE:  
Lomtec ActiveWeb Professional 3.0 CMS Allows Arbitrary File Upload and  
Execution as SYSTEM in ColdFusion  
  
SUMMARY AND IMPACT:  
The ActiveWeb Professional 3.0 web content management server is  
vulnerable to remote operating system takeover. An unauthenticated  
remote user can upload malicious files and backdoor ColdFusion  
websites using the EasyEdit.cfm page. By accessing the "getImagefile"  
section of the EasyEdit module, the remote attacker can change hidden  
form fields to upload malicious applications and ColdFusion CFML  
websites that execute those malicious applications or operating system  
commands in the context of the ColdFusion service account (SYSTEM).  
The remote user can now perform all functions of the system  
administrator using uploaded CFML pages. The attacker can create a  
SYSTEM level shell connection back to the attacker's computer, add  
local administrator accounts, gather information about the victim  
company's network or set up a sniffer to capture passwords. Other  
pages on the ActiveWeb Professional CMS allow unauthenticated users to  
perform directory listings of the entire Microsoft Windows operating  
system.  
  
DETAILS:  
Use the following steps to exploit this vulnerability.  
  
Step 1: Access the ActiveWeb Get Image File Module.  
http://VICTIMIP/activeweb/EasyEdit.cfm?module=EasyEdit&page=getimagefile&Filter=  
Step 2: Using Mozilla FireFox with the Web Developer Toolbar, change  
the UploadDirectory hidden form field to C:\. Change the Accepted  
Extensions hidden form field to exe. Now you can upload the malicious  
application (Example would be Netcat.exe).  
Step 3: Using Mozilla FireFox with the Web Developer Toolbar, change  
the UploadDirectory hidden form field to  
c:\activeweb\activeweb\wwwroot\. Change the Accepted Extensions hidden  
form field to cfml. Upload your backdoor NetCat.cfml ColdFusion page  
that calls CFEXECUTE to run the malicious application.  
Step 4: Using Netcat.exe on the attacker's machine, listen for the  
VICTIM server's remote shell.  
Step 5: Using Mozilla FireFox, access the newly uploaded NetCat.cfml  
backdoor page via http://VICTIMIP/activeweb/NetCat.cfml.  
Step 6: You will now get a remote shell on your NetCat listener  
running as the ColdFusion service account (Default is SYSTEM on  
Microsoft Windows).  
  
VULNERABLE PRODUCTS:  
Lomtec ActiveWeb Professional 3.0  
  
REFERENCES AND ADDITIONAL INFORMATION:  
N/A  
  
CREDITS:  
StenoPlasma (at) ExploitDevelopment.com  
  
TIMELINE:  
Discovery: December 16, 2008  
Vendor Notified: May 6, 2010 (No response from vendor)  
Vendor Notified Attempt 2: May 10, 2010 (No response from vendor)  
Vendor Notified Attempt 3: May 19, 2010 (No response from vendor)  
Vendor Fixed: N/A  
Vendor Notified of Disclosure: N/A  
Disclosure to CERT: December 2, 2010  
CERT Published: January 25, 2011  
  
VENDOR URL:  
http://www.lomtec.com  
  
ADVISORY URL:  
http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-002.html  
http://www.kb.cert.org/vuls/id/528212  
http://www.securityfocus.com/bid/45985/info  
  
VENDOR ADVISORY URL:  
N/A  
  
-----------------------------------------------------  
StenoPlasma at ExploitDevelopment.com  
www.ExploitDevelopment.com  
-----------------------------------------------------  
```
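The root cause in the steps above is that the upload destination and the accepted-extension list are hidden form fields that the server trusts. As an added example (not Lomtec's code, which is CFML and not reproduced on this page), the Python below models that trusting handler beside a hardened one that ignores both fields and enforces a server-side root directory and extension allowlist; the form keys UploadDirectory, AcceptedExtensions and filename, the IMAGE_ROOT path and ALLOWED_EXT are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed server-side settings (assumptions, not Lomtec's configuration).
IMAGE_ROOT = PureWindowsPath(r"C:\activeweb\activeweb\wwwroot\images")
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# A safe file name: simple stem, exactly one extension, no separators or drive letters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def vulnerable_target(form):
    """The pattern the advisory describes: both the destination directory and
    the list of accepted extensions arrive as hidden form fields and the
    server trusts them. Returns the path the file would be written to, or
    None if the (client-chosen) extension filter rejects it."""
    directory = PureWindowsPath(form["UploadDirectory"])
    allowed = {e.strip().lower() for e in form["AcceptedExtensions"].split(",")}
    name = form["filename"]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in allowed:
        return None
    return str(directory / name)


def hardened_target(form):
    """Hardened version: UploadDirectory and AcceptedExtensions are ignored,
    the destination and allowlist come from server configuration, the file
    name is reduced to its basename and matched against SAFE_NAME, and the
    final path is confirmed to sit directly under IMAGE_ROOT."""
    name = PureWindowsPath(form["filename"]).name  # strips any directory part
    if not SAFE_NAME.fullmatch(name):
        return None
    ext = name.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXT:
        return None
    target = IMAGE_ROOT / name
    if target.parent != IMAGE_ROOT:  # defence in depth: no escape from the root
        return None
    return str(target)
```

The hardened handler also neutralises traversal in the file name itself (`..\..\logo.jpg` is stored as `logo.jpg` under IMAGE_ROOT), which the advisory does not exercise but the same code path would otherwise allow.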
