Dailydave mailing list archives

ColdFusion Directory Traversal


From: Mark Wuergler <mark () immunityinc com>
Date: Thu, 02 Sep 2010 17:20:00 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Immunity's CANVAS has a working exploit for the ColdFusion directory
traversal vulnerability that returns a shell on all vulnerable
versions (7, 8, and 9.0.0 were tested) on all platforms ColdFusion
installs on (Win32, Linux, and Mac OS X). You can see a video of it in
action here:

http://partners.immunityinc.com/movies/Lightning_Demo_CF01.mp4

The ProCheckUp advisory
(http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07)
states "ColdFusion 9 provides an additional layer of filtering to
prevent common attacks, preventing the below attack from working" and
that it is still recommended to apply patches because it was found
that "the filtering can be bypassed".  When I set out to write the
exploit I wanted to take a closer look at the filtering and how it
could be bypassed so that the exploit would work on all vulnerable
versions.  I created a simple ColdFusion script that was vulnerable to
local file inclusion and directory traversal:

<cfinclude template = "#name#">

Assuming that the filters would detect these [common] attacks I
attempted to traverse into other directories by issuing the following
request:

http://localhost/trav_test.cfm?name=../../../../../../boot.ini

And the contents of boot.ini were displayed in my browser.

It appears that Global Script Protection is disabled by default in the
versions that I had available to me so I enabled it and restarted the
ColdFusion service but the vulnerable script still displayed the
contents of the requested file (this was tested in versions 9,0,0,241018
and 9,0,0,251028 and the latest update of 9,0,1,274733).  It seems the
global script protection is only for XSS and just uses a regular
expression to replace potentially malicious tags with "<InvalidTag".
The regular expression can be found in lib/neo-security.xml:

<var name="CrossSiteScriptPatterns">
   <struct type="coldfusion.server.ConfigMap">
      <var name="<\s*(object|embed|script|applet|meta)">
         <string><InvalidTag</string>

There did not appear to be any "additional layer of filtering" taking
place that would prevent this attack from succeeding.  And there is no
additional layer of filtering that applies to requests made to *your*
[potentially vulnerable] ColdFusion code.  A ColdFusion sandbox is not
enabled by default but would prevent the attack from succeeding; I
don't think, though, that this is the protection they were talking
about (when my
vulnerable test script is run in a sandbox it produces a security
violation "The requested template has been denied access to
C:\boot.ini.").

All versions tested (7, 8 and 9.0.0) were attacked in the same way
with nothing to bypass.  I haven't got my hands on a vulnerable
version of 9 Update 1 (9.0.1) to test with yet but maybe the advisory
was referring to this version?  The official release notes
(http://kb2.adobe.com/cps/847/cpsid_84725.html), though, only document
security changes related to session management and password storage.

In any case, version 9.0.0 is clearly exploitable.

- -Mark Wuergler
Immunity, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyAFP4ACgkQorg+tja2+6AQGgCffGrrOFOgoP1pAqtFQlCmSr2u
akMAoK6tiTVEyHipy5fOc2dAYBOJ1ubu
=Q3f/
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
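The behaviour Mark describes, as an added example that is not part of the original message or of Adobe's code: a Python model of the CrossSiteScriptPatterns regex quoted from lib/neo-security.xml, placed next to a path-confinement check of the kind the sandbox denial message suggests. The function names (global_script_protection, resolve_template, traversal_is_blocked), the case-insensitive application of the regex to a whole request value, and the /srv/www/cf webroot are assumptions made for illustration; the sample request values are constructed.

```python
import os
import re

# Added example (not from the post or from Adobe's code). The pattern is the
# CrossSiteScriptPatterns regex quoted from lib/neo-security.xml; applying it
# case-insensitively to a whole request value is an assumption about how
# Global Script Protection behaves, not documented behaviour.
GSP_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
GSP_REPLACEMENT = "<InvalidTag"


def global_script_protection(value: str) -> str:
    """Model of Global Script Protection: rewrite the opening of a handful of
    HTML tags to '<InvalidTag'. It never looks at '../', path separators or
    drive letters, so a traversal payload passes through untouched."""
    return GSP_PATTERN.sub(GSP_REPLACEMENT, value)


def resolve_template(name: str, base_dir: str) -> str:
    """Hypothetical confinement check (my own, modelled on the sandbox denial
    message in the post): resolve `name` against `base_dir` and refuse any
    result that lands outside it. Returns the absolute path on success and
    raises PermissionError otherwise."""
    if "\x00" in name:
        # A NUL byte would truncate the path inside C-level file APIs.
        raise PermissionError("The requested template contains a NUL byte")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `name` is absolute (C:\boot.ini,
    # /etc/passwd), so the commonpath test below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(
            "The requested template has been denied access to " + candidate)
    return candidate


def traversal_is_blocked(name: str, base_dir: str) -> bool:
    """True if resolve_template refuses `name`, False if it accepts it."""
    try:
        resolve_template(name, base_dir)
    except PermissionError:
        return True
    return False


# Constructed sample request values: the payload from the post, an XSS probe
# of the kind GSP was built for, and a legitimate include.
SAMPLE_VALUES = [
    "../../../../../../boot.ini",
    "<script>alert(1)</script>",
    "includes/header.cfm",
]

if __name__ == "__main__":
    webroot = "/srv/www/cf"  # assumed application directory; need not exist
    for value in SAMPLE_VALUES:
        filtered = global_script_protection(value)
        verdict = "denied" if traversal_is_blocked(filtered, webroot) else "allowed"
        print(f"{value!r:38} after GSP: {filtered!r}")
        print(f"{'':38} confined:  {verdict}")
```

Run directly, the traversal string leaves the filter byte-for-byte unchanged and is then refused by the confinement check, while the XSS probe is the other way round: rewritten by the filter and accepted by the confinement check. The two controls answer different questions (what a value looks like versus where the resolved path lands), which is why enabling Global Script Protection has no bearing on this traversal. The realpath-then-check pattern is still subject to a race if the directory tree can change between the check and the include, so it is a model of the sandbox decision, not a replacement for running the application under one.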
