exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Coldfusion / JNBridge Remote Code Execution

Coldfusion / JNBridge Remote Code Execution
Posted Jun 26, 2019
Authored by Moritz Bechler | Site syss.de

Coldfusion versions 2016 and 2018 along with all current versions of JNBridge suffer from a remote code execution vulnerability.

tags | advisory, remote, code execution
advisories | CVE-2019-7839
SHA-256 | f87b353777ae773d0c72b225ac02ae458075bc752b4b21bb6aaa070c2db3e58d

Coldfusion / JNBridge Remote Code Execution

Change Mirror Download
Advisory ID: SYSS-2019-006
Product: Coldfusion/JNBridge
Manufacturer: Adobe/JNBridge LLC
Affected Version(s): Coldfusion 2016,2018, JNBridge all versions
Tested Version(s): 2018
Vulnerability Type: Remote Code Execution
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2019-03-27
Solution Date: 2019-06-11
Public Disclosure: 2019-06-24
CVE Reference: CVE-2019-7839
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

JNBridge is a technology for integrating Java and .NET application code.

The manufacturer describes the product as follows (see [1]):

"Access Java classes from .NET as if Java were a .NET language
(C#, VB, etc). Access .NET classes (written in C#, VB, F#, etc.)
from Java as if they were Java classes. Access objects and libraries
across the platform boundary."

"Create objects, call methods, access fields, return objects."

As stated, this technology, more or less by design, allows unrestricted
access to a remote Java Runtime Environment, thereby allowing the execution
of arbitrary code and system commands.

Adobe Coldfusion is a web application development platform.

Coldfusion servers running on Windows publicly expose an JNBridge
network listener on TCP port 6093 or 6095.

An attacker that is able to reach that service can execute arbitrary
Java code or system commands. By default this services is running with
highest privileges (SYSTEM).


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Analysis of the JNBridge protocol reveals that it directly exposes
basic operations like:
* creating Java objects using arbitrary constructors
* calling methods on these objects
* getting/setting fields of these objects
* calling static methods

Combined, these primitives essentially expose all of the Java runtime
environment's available code/methods. For example the sequence

1. objectStaticCall java.lang.Runtime:getRuntime
-> handle to java.lang.Runtime instance
2. objectVirtualCall handle->exec("command")
-> handle to Process

can be used to invoke arbitrary system commands.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The necessary parts of the protocol to invoke the Runtime.exec() method
like described above were implemented. That code remains unreleased at
this time.

The PoC also reads and shows the command output. Running it against
a default installation of Coldfusion 2018 on Windows 10:

$ ./jnbridge.py -p 6095 192.168.56.101 'whoami'
nt authority\system

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Apply the latest ColdFusion security patches, see [5].

Do not expose JNBridge listeners to untrusted parties.
In general, the JNBridge technology/protocol must not be used across
privilege boundaries. It appears unlikely that this technology can be
made reasonably secure, even with major changes to the protocol.

Securing a JNBridge listener seems non-trivial, there does not seem
to be built-in support for authentication and
"JNBridgePro supports secure cross-platform communications using SSL
(secure sockets library). SSL provides message encryption, server
authentication, and message integrity. Currently, client authentication
is not supported."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-03-18: Vulnerability discovered
2019-03-27: Vulnerability reported to manufacturer
2019-06-11: Patch released by manufacturer
2019-06-24: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for JNBridge
https://jnbridge.com/
[2] Product website for Adobe Coldfusion
https://www.adobe.com/products/coldfusion-family.html
[3] SySS Security Advisory SYSS-2019-006

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-006.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[5] Adobe Security Bulletin APSB19-27
https://helpx.adobe.com/security/products/coldfusion/apsb19-27.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close