Participating Frequently
April 6, 2024
Question

need help with /pms endpoint and also CVE-2024-20767 & CVE-2023-38205


In a recent penetration testing engagement with Henil Gandhi, we found an old instance of Adobe #ColdFusion.


After conducting a thorough analysis, we've discerned several vulnerabilities within this instance.
List of vulnerabilities which we got:
- CVE-2023-38205 - Access Control Bypass (bypass of CVE-2023-29298)
- CVE-2024-20767 - Arbitrary file system read using an Improper Access Control

To exploit CVE-2024-20767, we have to retrieve a "UUID" by sending a request to the "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" endpoint.

Now, we were able to get that "UUID" from the above endpoint, and we have to use that "UUID" to send a request to the "/pms?module=logging" endpoint (where the UUID will work like a cookie).
But we are unable to access that /pms endpoint because of access control (which we bypassed in the case of the "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" endpoint with the use of CVE-2023-38205).

So we need your help with this, as the client will not accept the vulnerability with this low impact.
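As an added, defender-side example that is not from any participant in this thread: a small log-detection script that flags, in constructed web-server access-log lines, the two endpoints named above (the adminapi getHeartBeat call that exposes the UUID, and the /pms?module=logging call it is replayed against) and correlates them per client IP. The log lines, IPs and timestamps are constructed samples; a 403 on /pms, as in the poster's case, still reveals the attempt and is worth alerting on.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2024:10:12:01 +0000] "GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 312 "-" "curl/8.4.0"
203.0.113.7 - - [06/Apr/2024:10:12:09 +0000] "GET /pms?module=logging HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.22 - - [06/Apr/2024:10:15:40 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Apr/2024:11:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints taken from the thread: the heartbeat call that leaks the UUID,
# and the /pms endpoint that UUID is then presented to.
HEARTBEAT = "/cfide/adminapi/_servermanager/servermanager.cfc"
PMS = "/pms"

def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m["path"].partition("?")
    return {"ip": m["ip"], "ts": ts, "path": path.lower(),
            "query": query.lower(), "status": int(m["status"])}

def classify(ev):
    """Label an event as one of the two watched requests, or None."""
    if ev["path"].endswith(HEARTBEAT) and "method=getheartbeat" in ev["query"]:
        return "adminapi_heartbeat"
    if ev["path"] == PMS and "module=logging" in ev["query"]:
        return "pms_logging"
    return None

def detect(log_text, window=timedelta(minutes=10)):
    """Return (kind, ip, status) alerts for every watched request, plus a
    'chained' alert when a /pms hit follows a heartbeat hit from the same
    client within `window`. The status is kept so blocked (403) attempts
    are visible too."""
    alerts, last_heartbeat = [], {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind is None:
            continue
        alerts.append((kind, ev["ip"], ev["status"]))
        if kind == "adminapi_heartbeat":
            last_heartbeat[ev["ip"]] = ev["ts"]
        elif ev["ip"] in last_heartbeat and ev["ts"] - last_heartbeat[ev["ip"]] <= window:
            alerts.append(("chained", ev["ip"], ev["status"]))
    return alerts
```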

This topic has been closed for replies.

2 replies

BKBK
Community Expert
April 6, 2024

Hi @Neh36567090oer0 ,

Like Charlie, I, too, am confused by what you say. Some questions:

  1.  What is your ColdFusion version and update level?
  2.  Have you applied the ColdFusion updates recommended in the CVEs that you mention?
  3.  Does your last sentence mean that, after applying the updates recommended by the CVEs, you have identified yet another vulnerability which the client will not accept? 
Participating Frequently
April 6, 2024

Hey bkbk, thanks for the reply. Answers to your questions:


1. What is your ColdFusion version and update level? Ans: 2018,0,19,330149


2. Have you applied the ColdFusion updates recommended in the CVEs that you mention?
Ans: I have nothing to do with updates; as a security researcher, all we have to do is identify the vulnerability, get the maximum impact of that vulnerability and report it to the client.

3. Does your last sentence mean that, after applying the updates recommended by the CVEs, you have identified yet another vulnerability which the client will not accept?
-> Nope buddy, the target instance has no patch.

Also, we are doing black-box penetration testing, so we have no idea about the source code, admin rules or other info.
All they provide is a scope of domains (one of them has this ColdFusion instance running).

BKBK
Community Expert
April 6, 2024
Charlie Arehart
Community Expert
April 6, 2024

This reads as if you want to know how to open up the /pms path, currently blocked by what you call "access control". Is that right? And why is that?


And you're being asked to address vulnerabilities in "an old instance" of cf. What cf version is it? And what update level? If it's cf2021 or 2023, is it on their latest updates from last month? And if it's cf2018 or earlier, did you know those are no longer supported, no longer updated, and would have known vulns fixed only in more recent updates? And if any of this is true, is this effort of yours being done instead of updating?


It could help us to know where you're coming from, though you may feel yours is a simple question. 

/Charlie (troubleshooter, carehart.org)
Participating Frequently
April 6, 2024
Charlie Arehart
Community Expert
April 6, 2024

That discussion, while interesting, doesn't answer the first question I raised. If you can't access that /pms URL, what are you asking of us in this thread? How to open it? So that you can demonstrate the vulnerability? Why would your client want you to enable the vuln?


I get it: you're a security researcher, and you may know little about cf. So you've come to where you hope to find cf expertise to answer your questions. And some of us here are both cf experts and security researchers as well, having filed bug bounties and been responsible for Adobe updates closing such vulnerabilities. So when we ask follow up questions, we're not being hard-headed. We're asking you to help us help you.


Conversely, we're going to question anything that goes against good hygiene. We of course deal with LOTS of servers that are poorly configured. Our goal is to help folks address that, which isn't necessarily of interest to white or black hats. But press that point, we will. This is an Adobe community forum, after all.


There are plenty of other public support forums where you'll find people who would delight in showing folks how insecure they feel cf to be, and will even show how to make one insecure. Just saying you might be more successful there, if we're too focused here on ensuring people "do the right thing".


But with that context clarified, I'll look forward to any refinement to your original question. 

/Charlie (troubleshooter, carehart.org)