LinkedInExploit ADHackTheBox

ColdFusion

Introduction

  • ColdFusion is a programming language and a web application development platform based on Java.

  • ColdFusion was initially developed by the Allaire Corporation in 1995 and was acquired by Macromedia in 2001. Macromedia was later acquired by Adobe Systems, which now owns and develops ColdFusion.

  • It is used to build dynamic and interactive web applications that can be connected to various APIs and databases such as MySQL, Oracle, and Microsoft SQL Server.

  • ColdFusion Markup Language (CFML) is the proprietary programming language used in ColdFusion to develop dynamic web applications.

Its tag-based approach simplifies application development by reducing the amount of code needed to accomplish complex tasks. For instance, the cfquery tag can execute SQL statements to retrieve data from a database:

<cfquery name="myQuery" datasource="myDataSource">
  SELECT *
  FROM myTable
</cfquery>

Developers can then use the cfloop tag to iterate through the records retrieved from the database:

<cfloop query="myQuery">
  <p>#myQuery.firstName# #myQuery.lastName#</p>
</cfloop>

Some of the primary purposes and benefits of ColdFusion include:

Benefits

Description

Developing data-driven web applications

ColdFusion allows developers to build rich, responsive web applications easily. It offers session management, form handling, debugging, and more features. ColdFusion allows you to leverage your existing knowledge of the language and combines it with advanced features to help you build robust web applications quickly.

Integrating with databases

ColdFusion easily integrates with databases such as Oracle, SQL Server, and MySQL. ColdFusion provides advanced database connectivity and is designed to make it easy to retrieve, manipulate, and view data from a database and the web.

Simplifying web content management

One of the primary goals of ColdFusion is to streamline web content management. The platform offers dynamic HTML generation and simplifies form creation, URL rewriting, file uploading, and handling of large forms. Furthermore, ColdFusion also supports AJAX by automatically handling the serialisation and deserialisation of AJAX-enabled components.

Performance

ColdFusion is designed to be highly performant and is optimised for low latency and high throughput. It can handle a large number of simultaneous requests while maintaining a high level of performance.

Collaboration

ColdFusion offers features that allow developers to work together on projects in real-time. This includes code sharing, debugging, version control, and more. This allows for faster and more efficient development, reduced time-to-market and quicker delivery of projects.

ColdFusion has historically been vulnerable to various types of attacks, such as SQL injection, XSS, directory traversal, authentication bypass, and arbitrary file uploads. To improve the security of ColdFusion, developers must implement secure coding practices, input validation checks, and properly configure web servers and firewalls. Here are a few known vulnerabilities of ColdFusion:

  1. CVE-2021-21087: Arbitrary disallow of uploading JSP source code

  2. CVE-2020-24453: Active Directory integration misconfiguration

  3. CVE-2020-24450: Command injection vulnerability

  4. CVE-2020-24449: Arbitrary file reading vulnerability

  5. CVE-2019-15909: Cross-Site Scripting (XSS) Vulnerability

ColdFusion exposes a fair few ports by default:

Port Number
Protocol
Description

80

HTTP

Used for non-secure HTTP communication between the web server and web browser.

443

HTTPS

Used for secure HTTP communication between the web server and web browser. Encrypts the communication between the web server and web browser.

1935

RPC

Used for client-server communication. Remote Procedure Call (RPC) protocol allows a program to request information from another program on a different network device.

25

SMTP

Simple Mail Transfer Protocol (SMTP) is used for sending email messages.

8500

SSL

Used for server communication via Secure Socket Layer (SSL).

5500

Server Monitor

Used for remote administration of the ColdFusion server.

Footprinting/Enumeration

During a penetration testing enumeration, several ways exist to identify whether a web application uses ColdFusion. Here are some methods that can be used:

Method

Description

Port Scanning

ColdFusion typically uses port 80 for HTTP and port 443 for HTTPS by default. So, scanning for these ports may indicate the presence of a ColdFusion server. Nmap might be able to identify ColdFusion during a services scan specifically.

File Extensions

ColdFusion pages typically use ".cfm" or ".cfc" file extensions. If you find pages with these file extensions, it could be an indicator that the application is using ColdFusion.

HTTP Headers

Check the HTTP response headers of the web application. ColdFusion typically sets specific headers, such as "Server: ColdFusion" or "X-Powered-By: ColdFusion", that can help identify the technology being used.

Error Messages

If the application uses ColdFusion and there are errors, the error messages may contain references to ColdFusion-specific tags or functions.

Default Files

ColdFusion creates several default files during installation, such as "admin.cfm" or "CFIDE/administrator/index.cfm". Finding these files on the web server may indicate that the web application runs on ColdFusion.

The port scan results show three open ports. Two Windows RPC services, and one running on 8500. As we know, 8500 is a default port that ColdFusion uses for SSL. Navigating to the IP:8500 lists 2 directories, CFIDE and cfdocs, in the root, further indicating that ColdFusion is running on port 8500.

Atacking Coldfusion

As we know, the version of ColdFusion running is ColdFusion 8, and there are two results of interest. The Adobe ColdFusion - Directory Traversal and the Adobe ColdFusion 8 - Remote Command Execution (RCE) results.

Directory Traversal

These ColdFusion files are vulnerable to a directory traversal attack in Adobe ColdFusion 9.0.1 and earlier versions.

The attack can be executed by manipulating the input parameters in ColdFusion tags such as CFFile and CFDIRECTORY, which are used for file and directory operations such as uploading, downloading, and listing files.

In this code snippet, the ColdFusion cfdirectory tag lists the contents of the uploads directory, and the cfloop tag is used to loop through the query results and display the filenames as clickable links in HTML.

However, the directory parameter is not validated correctly, which makes the application vulnerable to a Path Traversal attack. An attacker can exploit this vulnerability by manipulating the directory parameter to access files outside the uploads directory.

CVE-2010-2861 is the Adobe ColdFusion - Directory Traversal exploit discovered by searchsploit. It is a vulnerability in ColdFusion that allows attackers to conduct path traversal attacks.

  • CFIDE/administrator/settings/mappings.cfm

  • logging/settings.cfm

  • datasources/index.cfm

  • j2eepackaging/editarchive.cfm

  • CFIDE/administrator/enter.cfm

Remote attackers can exploit this vulnerability to read arbitrary files by manipulating the locale parameter in these specific ColdFusion files.

With this vulnerability, attackers can access files outside the intended directory by including ../ sequences in the file parameter. For example, consider the following URL:

Searchsploit Exploitation

The password.properties file in ColdFusion is a configuration file that securely stores encrypted passwords for various services and resources the ColdFusion server uses. It contains a list of key-value pairs, where the key represents the resource name and the value is the encrypted password. These encrypted passwords are used for services like database connections, mail servers, LDAP servers, and other resources that require authentication. By storing encrypted passwords in this file, ColdFusion can automatically retrieve and use them to authenticate with the respective services without requiring the manual entry of passwords each time. The file is usually in the [cf_root]/lib directory and can be managed through the ColdFusion Administrator.

Unauthenticated RCE

In the above code, the cmd variable is created by concatenating the cgi.query_string variable with a command to be executed. This command is then executed using the cfexecute function, which runs the Windows cmd.exe program with the specified arguments. This code is vulnerable to an unauthenticated RCE attack because it does not properly validate the cmd variable before executing it, nor does it require the user to be authenticated. An attacker could simply pass a malicious command as the cgi.query_string variable, and it would be executed by the server.

An example of a ColdFusion Unauthenticated RCE attack is the CVE-2009-2265 vulnerability that affected Adobe ColdFusion versions 8.0.1 and earlier. This exploit allowed unauthenticated users to upload files and gain remote code execution on the target host. The vulnerability exists in the FCKeditor package, and is accessible on the following path:

CVE-2009-2265 is the vulnerability identified by our earlier searchsploit search as Adobe ColdFusion 8 - Remote Command Execution (RCE). Pull it into a working directory.

Editing the exploit

This will return an interactive reverse shell.

PreviousMiscellaneous ApplicationsNextIIS Tilde(~) Vulnerability

Last updated