Fix failed login check in exploit/multi/http/coldfusion_rds for ColdFusion 9.something #12492

Merged
h00die merged 7 commits into rapid7:master from wvu-r7:bug/coldfusion on Nov 7, 2019

Contributor

wvu-r7 commented Oct 24, 2019

It was merely "ColdFusion Administrator" for the version I tested. The /ColdFusion Administrator Login/ check earlier is fine, since it's the login page.

It was merely "ColdFusion Administrator" for the version I tested.
Contributor

h00die commented Oct 24, 2019

Looks like only 10 and 11 are available for trial. I'll try 11 in the next few days and see what it says for continuity

bcoles approved these changes Oct 25, 2019
Contributor

bcoles left a comment

untested. seems legit.

Contributor

h00die commented Oct 25, 2019

So it looks like I can't download a version that old.
Adobe ColdFusion 2018 (13)'s page says:
"Adobe ColdFusion (2018 Release) Administrator"

However, since this isn't an RDS scanner, but for a specific vulnerability, I can't test it. The changes seem legit enough.

Thinking more about this, I'd actually think the title should be changed. coldfusion_rds implies an RDS scanner/login checker. I think this should be moved to coldfusion_rds_bypass to more accurately describe what it does.

Contributor Author

wvu-r7 commented Oct 26, 2019

I have tested it. It should be backward/forward-compatible, so long as the cookie is successfully obtained.

tl;dr The login page reported ColdFusion Administrator Login, and the logged-in interface reported ColdFusion Administrator (sans Login). I no longer have access to the target.

Contributor Author

wvu-r7 commented Oct 26, 2019

I'm fine moving it. We can use deprecation by alias.

Contributor

bcoles commented Oct 27, 2019

Unrelated to this PR; the module title appears to be lying through omission:

      'Name'            => 'Adobe ColdFusion 9 Administrative Login Bypass',
      'Description'     => %q{
        Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote
wvu-r7 and others added 2 commits Oct 31, 2019
Fix style
Co-Authored-By: bcoles <bcoles@gmail.com>
@h00die h00die self-assigned this Nov 1, 2019
Contributor

h00die commented Nov 1, 2019

Somewhat related (checking those other module changes).

msf5 > use exploit/linux/http/cve_2019_1663_cisco_rmi_rce 
msf5 exploit(linux/http/cve_2019_1663_cisco_rmi_rce) > use exploit/linux/http/cisco_rv130_rmi_rce

[!] *           The module exploit/linux/http/cisco_rv130_rmi_rce has been moved!            *
[!] *            You are now using exploit/linux/http/cve_2019_1663_cisco_rmi_rce            *
msf5 exploit(linux/http/cisco_rv130_rmi_rce) > 

The text "you are now using..." seems strange to me, I would think my prompt would then change to that module instead of the previous one which I had asked it to load. If I'm now using the new module, why does it say the name of the old module? (I know why, just seems illogical to a newb like myself)

Contributor Author

wvu-r7 commented Nov 1, 2019

You are "actually" using. I did find the wording confusing, too. I've removed "now" for clarity. I think it is sufficient without drastically rewording or explaining what happened.

It's confusing to the user, since they think the prompt will change.
Thanks, @h00die.
Contributor

h00die commented Nov 1, 2019

all looks good to me, once tests pass I'll get it landed

Contributor Author

wvu-r7 commented Nov 5, 2019

@h00die: Tests passed, but the icon isn't updating. The build is here: https://travis-ci.org/rapid7/metasploit-framework/builds/606051322.

Contributor

h00die commented Nov 6, 2019

Sounds good. I have a bunch of system changes pending for the janus module. Soon as that finishes and I land it, I'll land this directly after.

h00die added a commit that referenced this pull request Nov 7, 2019
@h00die h00die merged commit c9cc8c5 into rapid7:master Nov 7, 2019
2 of 3 checks passed
continuous-integration/travis-ci/pr The Travis CI build is in progress
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
Contributor

h00die commented Nov 7, 2019

Release Notes

This PR enhances the coldfusion_rds module to detect vulnerable pages better. It also moves the module to be more appropriately named.

Contributor Author

wvu-r7 commented Nov 7, 2019

Thanks, @h00die!!

@wvu-r7 wvu-r7 deleted the wvu-r7:bug/coldfusion branch Nov 7, 2019
jmartin-r7 added a commit that referenced this pull request Nov 7, 2019