ColdFusion
Overview
Adobe ColdFusion is a commercial web application development platform, created in 1995, that uses the ColdFusion Markup Language (CFML). Its engine processes CFML files (.cfm, .cfc).
Adobe ColdFusion can run on Windows, Linux, Solaris, etc., behind web servers such as IIS or Apache. By default ColdFusion runs as NT AUTHORITY\SYSTEM on Windows and as nobody on Linux.
While Adobe ColdFusion used to enjoy wider adoption, as of 2019 it is used by approximately 0.5% of all public websites. Its main remaining use cases are intranets and niche web application development. In 2012 the Google search query inurl:index.cfm returned more than 750 million results, corresponding to approximately the same number of ColdFusion websites, while in 2019 it returns only around 30 million results.
As of January 2019, the latest Adobe ColdFusion version is ColdFusion 2018.
Basic recon
Version disclosure
The adminapi may be accessible and used to disclose the precise version in use:
The Metasploit module auxiliary/scanner/http/coldfusion_version can be used to retrieve the ColdFusion version in use:
The module relies on version, author or copyright information that may be disclosed in the body of an Adobe ColdFusion core page (/CFIDE/administrator/index.cfm).
The clusterd tool can be used to fingerprint the version as well:
Standard vs Enterprise editions
The standard Adobe ColdFusion edition does not support Javascript.
Requesting a non-existing jsp file (such as /non-existing-randomnumber.jsp) will thus produce two different error messages depending on the edition in use:
HTTP 500 Internal Server Error is returned by a standard edition
HTTP 404 Not Found is returned by an enterprise edition
Known vulnerabilities
The CVE Details web page can be consulted for an up-to-date list of the known vulnerabilities discovered in Adobe ColdFusion:
The exploitation process can be automated using clusterd for the following vulnerabilities:
CVE-2009-2265
APSB10-18 / CVE-2010-2861
CVE-2013-0632
Pass-the-Hash administrator authentication for Adobe ColdFusion 7 to 9
The most reliable way of attacking older versions of Adobe ColdFusion is to:
extract the administrator password hash using CVE-2010-2861 or CVE-2013-3336
authenticate to the web administrator interface directly using the retrieved hash (Adobe ColdFusion 7 to 9) or after cracking it offline (refer to the [General] Passwords cracking note for password cracking tools and techniques)
deploy a JSP web / reverse shell using the Task Scheduler functionality. For JSP web / reverse shells refer to the [General] Shells note.
CVE-2009-2265 - FCKeditor File Upload and Execute
Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 can be leveraged to create executable files in arbitrary directories on Adobe ColdFusion 8.0.1.
The Metasploit module exploit/windows/http/coldfusion_fckeditor can be used to exploit the vulnerability:
APSB10-18 / CVE-2010-2861 hash extraction through Local File Inclusion
On Adobe ColdFusion MX6, MX7, 8.0, 8.0.1, 9.0 and 9.0.1 without the APSB10-18 patch, released in August 2010, a local file inclusion vulnerability may be leveraged to retrieve the administrator password SHA1 hash from the password.properties file.
No patches were released for Adobe ColdFusion MX6 and MX7, as these versions had reached end of support at the time the vulnerability was discovered.
If the local file inclusion is exploited successfully, the password SHA1 hash is displayed on the administrative login page. Note that in some cases the hash does not need to be cracked, since Pass-the-Hash authentication may be possible depending on the ColdFusion version.
The Metasploit module auxiliary/scanner/http/coldfusion_locale_traversal can be used to automate the process:
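Added here as a defender's example, not the page's or the Metasploit module's code: detection logic over constructed access-log lines that flags the directory-traversal pattern this file inclusion relies on, requests naming password.properties, and access to the adminapi and administrator paths from hosts outside a constructed allowlist. Assumptions: Apache combined log format, and that the traversal arrives in the locale query parameter, as the module name above suggests.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-style format (not real traffic).
SAMPLE_LOGS = """\
10.0.0.5 - - [12/Jan/2019:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
10.0.0.9 - - [12/Jan/2019:10:01:07 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../lib/password.properties%00en HTTP/1.1" 200 3381
10.0.0.9 - - [12/Jan/2019:10:01:09 +0000] "GET /CFIDE/adminapi/base.cfc?wsdl HTTP/1.1" 200 2200
"""
# Hosts allowed to reach /CFIDE/administrator (constructed; adapt to your jump hosts).
ADMIN_ALLOWLIST = {"10.0.0.5"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    # Split one access-log line into source IP, decoded path and decoded query parameters.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path).lower()
    # parse_qs decodes once; unquote again so double-encoded '..' (%252e%252e) is still caught.
    rec["params"] = {k.lower(): [unquote(v) for v in vs]
                     for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec

def flag(rec):
    # Return the reasons a parsed request deserves an alert (empty list if benign).
    reasons = []
    for name, values in rec["params"].items():
        for v in values:
            if ".." in v:
                reasons.append("CVE-2010-2861 locale traversal" if name == "locale"
                               else f"path traversal in parameter {name}")
            if "password.properties" in v.lower():
                reasons.append("password.properties requested")
    if rec["path"].startswith("/cfide/adminapi/"):
        reasons.append("adminapi access")
    if rec["path"].startswith("/cfide/administrator/") and rec["ip"] not in ADMIN_ALLOWLIST:
        reasons.append("administrator access from non-allowlisted source")
    return reasons

def analyze(log_text):
    # Run every line through the rules and return (ip, reason) pairs.
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits.extend((rec["ip"], r) for r in flag(rec))
    return hits
```

On a patched host the same rules remain useful: any traversal in a /CFIDE/ request or any adminapi access from an unexpected source is worth an alert regardless of version.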
CVE-2013-0632 - RDS null password
A vulnerability in the RDS component of Adobe ColdFusion 9.0, 9.0.1, 9.0.2 and 10 can be leveraged to bypass authentication: due to default settings or misconfiguration, the RDS password can be set to an empty value.
The Metasploit module exploit/multi/http/coldfusion_rds can be used to deploy a Metasploit payload through an RDS session:
APSB13-13 / CVE-2013-3336 - hash extraction through directory traversal
A directory traversal vulnerability in Adobe ColdFusion 9 and 10 can be leveraged to extract information such as the password, rdspassword and "encrypted" properties.
The Metasploit module auxiliary/gather/coldfusion_pwd_props can be used to exploit the vulnerability and deploy a Metasploit payload:
APSB17-14 / CVE-2017-3066 - BlazeDS Java Object Deserialization RCE
A Java deserialization bug in the Apache BlazeDS component of Adobe ColdFusion 10, 11 and 2016 can lead to remote code execution.
The ColdFusionPwn tool (for Adobe ColdFusion 11 and ColdFusion 2016) as well as the following exploit code can be used to exploit the vulnerability:
APSB18-33 / CVE-2018-15961 - Unrestricted file upload
An unrestricted file upload flaw affecting Adobe ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier) and ColdFusion 2018 (July 12 release) can be leveraged to upload and execute a web shell.
The default configuration only restricts the following file formats: cfc, exe, php, asp, cfm and cfml, leaving the possibility of uploading and executing a JSP web shell.
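The blocklist quoted above is what makes the flaw possible: any extension absent from the list, jsp included, passes. The following Python, added here as an illustration and not code from the page or from Adobe, contrasts that blocklist check with an allowlist check over constructed file names; the image allowlist is an assumption chosen for the example.

```python
import os

# Extension blocklist the page describes as the default on the affected builds.
DEFAULT_BLOCKLIST = {"cfc", "exe", "php", "asp", "cfm", "cfml"}
# What an image-upload endpoint actually needs (assumed for this example).
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}

def extensions(filename):
    # Every extension of the base name, lower-cased: 'photo.JPG.jsp' -> ['jpg', 'jsp'].
    base = os.path.basename(filename.replace("\\", "/"))
    return [p for p in base.lower().split(".")[1:] if p]

def blocklist_accepts(filename):
    # Deny-list check on the final extension only, as a blocklist filter typically does.
    exts = extensions(filename)
    return bool(exts) and exts[-1] not in DEFAULT_BLOCKLIST

def allowlist_accepts(filename):
    # Allow-list check on every extension, so 'img.png.jsp' and 'img.jsp.png' are both refused.
    exts = extensions(filename)
    return bool(exts) and all(e in IMAGE_ALLOWLIST for e in exts)

def evaluate(filenames):
    # Map each name to (accepted_by_blocklist, accepted_by_allowlist).
    return {f: (blocklist_accepts(f), allowlist_accepts(f)) for f in filenames}

# Constructed sample names: benign images plus names a web shell upload would use.
SAMPLES = ["logo.png", "cover.JPEG", "shell.cfm", "shell.jsp", "SHELL.JSP", "photo.jpg.jsp", "noext"]
```

Storing uploads outside any directory the servlet container executes from closes the remaining gap even when a filter is bypassed.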
The following curl command can be used to upload the JSP web / reverse shell:
The shell will be uploaded and accessible at the following URL:
For JSP web / reverse shells refer to the [General] Shells note.
The Metasploit module exploit/multi/http/coldfusion_ckeditor_file_upload can be used to automate the process:
Client-side injection - cross-site scripting (XSS)
Multiple cross-site scripting vulnerabilities have been discovered in Adobe ColdFusion over the years, for a total of 31 as of January 2019.
Server-side injection - SQL injections (SQLi)
While no publicly known SQL injection exists in the Adobe ColdFusion core, custom CF pages may be vulnerable to SQL injection.
Refer to the [WebApps] SQL injections notes for more information on how to discover and exploit SQL injection flaws.
Pass-the-Hash administrative interface authentication
On Adobe ColdFusion MX6 to 9, the administrator hash can be used to authenticate to the administrative interface (Pass-the-Hash).
Indeed, the login form performs the following operation, hashing the user-provided clear-text password twice:
The following steps can be used to authenticate using the SHA1 administrator password hash:
Enter the SHA1 password hash in the password field of the login form
Load the following JavaScript code using the developer console of the browser; a pop-up containing the temporary salted second hash should appear.
Catch the login request (using an HTTP proxy such as Burp Suite) and replace the value of the cfadminPassword parameter with the salted temporary hash
Profit
Data sources information retrieval
Access to the web administrative interface or to the operating system file system can be leveraged to retrieve information about the configured data sources (databases, etc.).
For Adobe ColdFusion MX6 to 9, the retrieved passwords can be reversed using the single known hardcoded key.
Administrative interface
If databases are configured to interact with the Adobe ColdFusion service, the database information and passwords can be retrieved through the administrative interface in the Data & Services -> Data Sources page.
The HTML source code of the page contains the encrypted password of the data source being reviewed.
XML configuration files
For Adobe ColdFusion MX6 and MX7, the configured data sources information and passwords are stored in neo-query.xml, and for ColdFusion 8, 9, 10, 2016 and 2018 in neo-datasource.xml.
The configuration files contain the encrypted password of every data source in XML tags such as:
Decrypt data sources passwords
On Adobe ColdFusion MX6 to 9, the data source passwords are encrypted with the 3DES algorithm using the hardcoded key 0yJ!@1$r8p0L@r1$6yJ!@1rj and encoded in base64. The passwords can thus be decrypted using openssl (provided by Szili Dávid):
Starting with Adobe ColdFusion 10 and 11, the key is randomly generated at runtime, making it impossible to reverse the passwords in neo-datasource.xml with the hardcoded key.
Administrative interface to RCE
The Adobe ColdFusion administrative interface allows scripts and binaries to be downloaded and executed through scheduled tasks, effectively permitting system command execution.
As specified above, clusterd can be used to automatically deploy a JSP executable through the Task Scheduler functionality:
The process to manually set up a scheduled task that will execute the specified binary is as follows:
Create a web / reverse shell executable in cfm, jsp or exe/elf (refer to the [General] shells note)
a. Launch a web server exposing the created reverse shell (refer to the [General] File transfer note)
b. If needed, set up a listener for the reverse shell connection
Retrieve the system time in Server Settings > Settings Summary
Create a scheduled task and specify the URL
Once the task has been executed, access the uploaded file at /CFIDE/<FILENAME>
References
http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf
https://jumpespjump.blogspot.com/2014/03/attacking-adobe-coldfusion.html
http://www.pwnag3.com/2013/04/coldfusion-for-pentesters-part-2.html
https://waycool.tech/coldfusion-data-source-decryption/