MACROMEDIA COLDFUSION 5 - CFML Bedienungsanleitung

ColdFusion for Pentesters Chris Gates Carnal0wnage Lares Consulting

• inurl:/index.cfm Finding Sites Running ColdFusion

• CFM Shells • Sky’s the limit! • Pretty much anything you can code in Java, CF will run for you • ColdFusion 9 and above support cfscript == javascri

• http://www.petefreitag.com/ lots of defense/CF hardening info • http://www.bennadel.com/blog/ • http://www.raymondcamden.com/ http://12robots.com/

Questions? @carnal0wnage cgates [] laresconsulting[] com Chris Gates

• Who doesn’t love Google Dorks… • filetype:cfm "cfapplication name" password • inurl:login.cfm • intitle:"Error Occurred" "

• inurl:/CFIDE/componentutils/ Finding Sites Running ColdFusion

• inurl:/CFIDE/componentutils/ (Find misconfigured servers) Finding Sites Running ColdFusion

• http://www.gotcfm.com/thelist.cfm Finding Sites Running ColdFusion

• Delicious  Finding Sites Running ColdFusion

• ColdFusion 5 ColdFusion Hit list

• ColdFusion 6 ColdFusion Hit list

• ColdFusion 7 ColdFusion Hit list

• ColdFusion 8 ColdFusion Hit list

• Chris Gates (CG) – Twitter carnal0wnage – Blog carnal0wnage.attackresearch.com – Job Partner/Principal Security Consultant at Lares – Affiliation

• ColdFusion 9 ColdFusion Hit list

• ColdFusion 10 ColdFusion Hit list

• Metasploit Module to find ColdFusion URLs ColdFusion Scanner

• Metasploit Module to find ColdFusion URLs ColdFusion Scanner

• http://www.cvedetails.com/version-list/53/8739/1/Adobe-Coldfusion.html Attacking ColdFusion

• Common Vulnerabilities – Information Disclosure – XSS – SQL Injection – Admin Interfaces Exposed (more later) Attacking ColdFusion

• Information Disclosure • Need to determine standard vs Enterprise ColdFusion? * • Just request a .jsp page – Standard versions don’t do JSP and will

• Enterprise Attacking ColdFusion

• Standard Attacking ColdFusion

• Information Disclosure Attacking ColdFusion

• What is ColdFusion • Who uses ColdFusion • Finding sites running ColdFusion • Attacking ColdFusion – Common vulnerabilities – Insta-Shell – Gotta wo

Attacking ColdFusion

Attacking ColdFusion

Attacking ColdFusion

Attacking ColdFusion

• XSS • Generally XSS is boring, but wait until we talk about cookies…. • ColdFusion has scriptProtect helps strip out <script> tags • The black

• XSS Attacking ColdFusion

• XSS Attacking ColdFusion

• SQL Injection • If you see =somenumber go after it <cfquery name="getContent" dataSource="myDataSource"> select title fro

• SQL Injection • http://site.com/links/apply.cfm?id=(@@version) Attacking ColdFusion

• Insta-Shell • BlazeDS/AMF External XML Entity Injection (CVE-2009-3960) • File Upload Vulnerability in CF8 FCKeditor (APSB09-09) • ‘locale’ Path Tra

• Kept running into ColdFusion on pentests • Last “pentester” talk on ColdFusion was 2006 at EUSec – http://eusecwest.com/esw06/esw06-davis.pdf • Chr

• Patching – ColdFusion requires manual patching, unzip in folder, overwrite a jar, etc – Admin interface doesn’t alert you to available patches – I’

• Pro Tip • Determining version is helpful for insta-shell exploits • Metasploit module can tell you by admin interface, or you can just look at CFIDE

• Or you can check the wsdl  • /CFIDE/adminapi/base.cfc?wsdl – Checked on 7-9 Attacking ColdFusion

Attacking ColdFusion

Attacking ColdFusion

• BlazeDS/AMF External XML Entity Injection – Advisory pdf: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XM

• BlazeDS/AMF External XML Entity Injection • http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_Extern

Attacking ColdFusion • BlazeDS/AMF External XML Entity Injection

Attacking ColdFusion • FCKeditor (apsb09-09) • ColdFusion 8.01 enabled the ColdFusion FCKeditor connector && FCKeditor vulns == unauth fileupl

Attacking ColdFusion • (related) FCKeditor (CVE 2009-2265) input sanitization issues • FCKeditor prior to 2.6.4.1 • Can also check version with a GET

• CFML = ColdFusion Markup Language • ColdFusion = Adobe’s product that handles CFML page/libs – Runs on Windows, Solaris, HP/UX and Linux – Apache,

Attacking ColdFusion • “Locale” Directory Traversal • Full walkthru here: • http://www.gnucitizen.org/blog/coldfusion-directory-traversal-

Attacking ColdFusion • http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ • TL;DR – You can pass the hash • Mod

Attacking ColdFusion • “Locale” Directory Traversal • Vulnerable Versions: • ColdFusion MX6 6.1 base patches ColdFusion MX7 7,0,0,91690 base patches

Attacking ColdFusion • “Locale” Directory Traversal • ColdFusion 7 is always vuln, no patch

Attacking ColdFusion • Yeah, CF 8 too (has patch)

Attacking ColdFusion • Problem with traversal exploit, is you need to know full path. • Manageable on Windows… • Can be anywhere on *nix – Cue path di

Attacking ColdFusion • Componentutils (Component cfcexplorer) • Documentation for functions, includes full paths 

• Gotta work for it… • Brute Force RDS Access (If Enabled) – Check if RDS is enabled  – Brute force RDS • Brute Force Admin Interfaces – Main login p

• RDS = Remote Development Services • “In ColdFusion Studio/Builder/Eclipse, you can connect to and work with the files on any server that has ColdFus

• RDS Attacking ColdFusion

http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf-evangelist-kit.pdf Who Uses ColdFusion?

• RDS Attacking ColdFusion

• RDS Attacking ColdFusion

• Admin Interfaces • Prior to CF8 only password auth, CF 8 introduces usernames • Easy to tell if just “admin” or other usernames Attacking ColdFusion

Attacking ColdFusion

Attacking ColdFusion

• Admin Interfaces • /CFIDE/administrator/index.cfm salts the password Attacking ColdFusion

• Lots of other pages don’t  • Ex. /CFIDE/componentutils/login.cfm Attacking ColdFusion

• Get the password right, CF sets a cookie Attacking ColdFusion

• Metasploit Module • Can do this easily in Burp Suite as well Attacking ColdFusion

Your passwords suck

http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf-evangelist-kit.pdf Who Uses ColdFusion?

• Other Stuff • Solr • Interacting with CFC’s • Cookies Attacking ColdFusion

• Solr APSB10-04 (Information Disclosure) – “Vulnerability in Solr could allow access to collections created by the Solr Service to be accessed from

• Solr APSB10-04 (Information Disclosure) Attacking ColdFusion

• Interacting with CFC’s http://example.com/foo.cfc?method=mymethod&arga=val1&argb=val2 • This URL will invoke method mymethod on an anonymous

• Cookies • Normally that XSS pop up with the session cookie is pretty lame. • “Supposed” to have a limited lifespan. • BUT cfadmin cookie and cfutils

• Example Admin Cookie: CFAUTHORIZATION_cfadmin=YWRtaW4NRTM4QUQyMTQ5NDNEQUFEMUQ2NEMxMDJGQUVDMjlERTRBRkU5REEzRA1jZmFkbWlu • Base64Decodes to: – admin –

• To Recap… • Got the cfadmin cookie • No randomness at all in the cookie • SSL not enabled by default on admin interface • Cookie base64 decodes to t

• CFAUTHORIZATION_componentutils=cGFzc3dvcmQxDXBhc3N3b3JkMQ1jb21wb25lbnR1dGlscw== • Base64Decodes to: – password1 – password1 – componentutils • OMGW

• But real world? Attacking ColdFusion

Who Uses ColdFusion? http://www.bricecheddarn.com/blog/post.cfm/universities-love-using-coldfusion

• But real world? Attacking ColdFusion

• From 2009 to 2012… Attacking ColdFusion

• ColdFusion Privilege Level • Scheduling tasks • Executing code • Decrypting database credentials • CFM Shells Post Exploitation

• ColdFusion (by default) runs as SYSTEM on Windows and NOBODY ON *nix • Obviously, CF on Windows is what you want • Sites that run other languages t

• Scheduling Tasks • Once you have access to admin interface you can schedule a task to download code/executables/ bat files/etc Post Exploitation

Post Exploitation

• Executing code • Once you have code/exe on box you can create a system probe (that we want to fail) to make the code execute • Or if you put cfm/jsp

Post Exploitation

Post Exploitation

Post Exploitation

http://www.getmura.com/index.cfm/overview/who-uses-mura/ Who Uses ColdFusion [MURA CMS]?

• Decrypting database credentials • http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html Post Exploitation

• Go to DataSource Selection Post Exploitation

• Click on DataSource (ex TEST) Post Exploitation

• View Source, get value Post Exploitation

• Decrypt it $ python coldfusiondecrypt.py maJsuHYMay8zpmptC2yibA== Coldfusion v7 y v8 DataSource password decryptor (c) 2008 Hernan Ochoa (hernan@gm

• If you have file system access, just grab the XML files • Coldfusion 7: \lib\neo-query.xml for example: c:\CFusionMX7\lib\neo-query.xml • Coldfusi

• CFM Shells • ColdFusion has several handy CFML tags: – CFEXECUTE – CFREGISTRY – CFFILE – CFHTTP Simple CFM Shell: <html> <body> <cfe

• CFM Shells • Its common to disable CFEXECUTE* • CF also runs java so: <cfset runtime = createObject("java", "java.lang.System"

Post Exploitation

• CFM Shells • Remember Enterprise vs Standard? – Enterprise runs jsp, so some jsp shells will work too (depends on the shell’s java version requireme