Dailydave mailing list archives
ColdFusion Directory Traversal
From: Mark Wuergler <mark () immunityinc com>
Date: Thu, 02 Sep 2010 17:20:00 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Immunity's CANVAS has a working exploit for the ColdFusion directory traversal vulnerability that returns a shell on all vulnerable versions (7, 8, and 9.0.0 were tested) on all platforms ColdFusion installs on (Win32, Linux, and Mac OS X). You can see a video of it in action here:

http://partners.immunityinc.com/movies/Lightning_Demo_CF01.mp4

The ProCheckUp advisory (http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07) states "ColdFusion 9 provides an additional layer of filtering to prevent common attacks, preventing the below attack from working" and that it is still recommended to apply patches because it was found that "the filtering can be bypassed".

When I set out to write the exploit I wanted to take a closer look at the filtering and how it could be bypassed so that the exploit would work on all vulnerable versions. I created a simple ColdFusion script that was vulnerable to local file inclusion and directory traversal:

    <cfinclude template = "#name#">

Assuming that the filters would detect these [common] attacks, I attempted to traverse into other directories by issuing the following request:

    http://localhost/trav_test.cfm?name=../../../../../../boot.ini

And the contents of boot.ini were displayed in my browser.

It appears that Global Script Protection is disabled by default in the versions that I had available to me, so I enabled it and restarted the ColdFusion service, but the vulnerable script still displayed the contents of the requested file (this was tested in versions 9,0,0,241018 and 9,0,0,251028 and the latest update of 9,0,1,274733). It seems the global script protection is only for XSS and just uses a regular expression to replace potentially malicious tags with "<InvalidTag". The regular expression can be found in lib/neo-security.xml (closing tags added here for readability):

    <var name="CrossSiteScriptPatterns">
      <struct type="coldfusion.server.ConfigMap">
        <var name="<\s*(object|embed|script|applet|meta)">
          <string><InvalidTag</string>
        </var>
      </struct>
    </var>

There did not appear to be any "additional layer of filtering" taking place that would prevent this attack from succeeding. And there is no additional layer of filtering that applies to requests made to *your* [potentially vulnerable] ColdFusion code. A ColdFusion sandbox is not enabled by default. It would prevent the attack from succeeding, but I don't think this is the protection they were talking about (when my vulnerable test script is run in a sandbox it produces a security violation "The requested template has been denied access to C:\boot.ini.").

All versions tested (7, 8 and 9.0.0) were attacked in the same way with nothing to bypass. I haven't got my hands on a vulnerable version of 9 Update 1 (9.0.1) to test with yet, but maybe the advisory was referring to this version? Although the official release notes (http://kb2.adobe.com/cps/847/cpsid_84725.html) only document security changes related to session management and password storage. In any case, version 9.0.0 is clearly exploitable.

- -Mark Wuergler
Immunity, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyAFP4ACgkQorg+tja2+6AQGgCffGrrOFOgoP1pAqtFQlCmSr2u
akMAoK6tiTVEyHipy5fOc2dAYBOJ1ubu
=Q3f/
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
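The post's core point is that Global Script Protection rewrites a handful of HTML tags and does nothing for a path handed to cfinclude. The Python below, added as an editorial example (not Mark's code and not anything shipped with ColdFusion), emulates the CrossSiteScriptPatterns rewrite quoted from lib/neo-security.xml and shows that a traversal string passes through it untouched, then contrasts it with the check a template include should actually perform: normalise the requested name, refuse absolute paths and non-.cfm files, and require the resolved path to stay inside a fixed template directory. The template root, the case-insensitive regex flag and the sample inputs are assumptions for the example.

```python
import posixpath
import re
from typing import Optional

# The pattern Mark quotes from lib/neo-security.xml. Treating it as
# case-insensitive is an assumption for this example.
GSP_PATTERN = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)


def global_script_protection(value: str) -> str:
    """Emulate what the post describes GSP doing: rewrite a matching opening
    tag to '<InvalidTag'. Anything that is not one of those tags is returned
    unchanged, which is why a '../' sequence is not affected at all."""
    return GSP_PATTERN.sub("<InvalidTag", value)


# Assumed location of the templates that may legitimately be included.
TEMPLATE_ROOT = "/opt/coldfusion/wwwroot/templates"


def safe_template_path(name: str, root: str = TEMPLATE_ROOT) -> Optional[str]:
    """Return the absolute path of the template to include, or None if the
    requested name would escape `root` or is not a .cfm file.

    This is the containment check a cfinclude of user input needs; the page's
    vulnerable form, <cfinclude template="#name#">, performs none of it."""
    root = posixpath.normpath(root)
    # Windows installs accept backslashes as separators (the post tested Win32),
    # so fold them to '/' before normalising rather than leaving them to slip past.
    candidate = name.replace("\\", "/")
    # Reject absolute paths and embedded NUL bytes outright.
    if candidate.startswith("/") or "\x00" in candidate:
        return None
    # Only ColdFusion templates may be included; boot.ini and the like are out.
    if not candidate.lower().endswith(".cfm"):
        return None
    # normpath collapses every '..' so the containment test sees the real target.
    full = posixpath.normpath(posixpath.join(root, candidate))
    # commonpath, not startswith: a sibling directory such as
    # '/opt/coldfusion/wwwroot/templates_old' must not pass as "inside" root.
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    # Constructed inputs: the request from the post and a legitimate include.
    traversal = "../../../../../../boot.ini"
    print("GSP leaves traversal untouched:", global_script_protection(traversal) == traversal)
    print("GSP rewrites a script tag    :", global_script_protection("<script>x</script>"))
    print("contained include            :", safe_template_path("reports/summary.cfm"))
    print("traversal rejected           :", safe_template_path(traversal))
    print("backslash traversal rejected :", safe_template_path("..\\..\\..\\boot.ini"))
```

The sandbox Mark mentions enforces a similar rule at the server level (the "denied access to C:\boot.ini" violation), but it is off by default; the check above is what the application itself has to do when the template name comes from a request parameter, and an explicit allow-list of template names is stricter still where the set of includable pages is known.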