cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

At least one improperly configured Windows service may have a privilege escalation vulnerability.

uhururuto12
New Here ,
May 18, 2023 May 18, 2023

Copy link to clipboard

Copied

How do you remediate the below issue after a Tenable scan reports the below

 

Plugin Output:
Path : c:\coldfusion2018\cfusion\bin\coldfusionsvc.exe
Used by services : ColdFusion 2018 Application Server
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swagent.exe
Used by services : ColdFusion 2018 ODBC Agent
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\db\slserver54\bin\swstrtr.exe
Used by services : ColdFusion 2018 ODBC Server
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\jetty\jetty.exe
Used by services : ColdFusion2018Add-onServices
File write allowed for groups : Authenticated Users (S-1-5-11)

Path : c:\coldfusion2018\cfusion\jnbridge\cfdotnetsvc.exe
Used by services : ColdFusion 2018 .NET Service
File write allowed for groups : Authenticated Users (S-1-5-11)

Views

558

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 9 Replies 9
latest latest Jump to latest reply
Charlie Arehart Community Expert
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

You'd want to identify the group (S-1-5-11) and its users, and decide whether to remove its permissions from that folder--or remove the group if it's some old unneeded one (the name seems unusual).

 

The only user that needs write access to that folder is the user running the cf odbc services (viewable in the Windows Services panel), which by default is the System account (and which has write permission by default). 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
uhururuto12
New Here ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

In Response To Charlie Arehart

Can I remove the authenticated users and then add Local system? Will that break anything?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

In Response To uhururuto12

That should work fine, assuming CF and related services are running in the Local System security context.

 

Dave Watts, Eidolon LLC 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
BKBK Community Expert
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

Strange. I suspect that something was changed in your ColdFusion 2018 installation.

 

I say this because, when ColdFusion is installed, the files in the following directories are Read-Only by default:

  • c:\coldfusion2018\cfusion\bin
    c:\coldfusion2018\cfusion\db\slserver54\bin
    c:\coldfusion2018\cfusion\jetty
    c:\coldfusion2018\cfusion\jnbridge

 

Take the first directory, for example. If you navigate to c:\coldfusion2018\cfusion\, right-click on bin and select Properties, you should see something like:

BKBK_0-1684498743528.png

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

The "Authenticated Users" group is a dynamic one, consisting of any user who's successfully authenticated. You can restrict these directories to the CF user account and an administrator.

 

Dave Watts, Eidolon LLC 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Charlie Arehart Community Expert
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

In Response To Dave Watts

Hey, Dave. In your experience, does that message they showed add that number--in their case, (S-1-5-11)--when displaying it, and when indeed its the only group of that name (authenticated users) on that system?

 

I'd thought I'd seen that number added when it was not, but I could be confusing matters. 

 

Anyway, let's all see what the op may offer. We 3 musketeers have given them plenty to consider.  🙂

 

Also, Dave, please see a direct message I'd sent within here a couple of days ago. (I often miss them, myself.) 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
BKBK Community Expert
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

In Response To Charlie Arehart

@uhururuto12 , you can find out the details of the user(s) S-1-5-11. To do so, proceed as follows:

  1.  Download the ZIP file LogonSessions from the Microsoft website.
  2.  Copy the downloaded file, LogonSessions.zip, to C:\temp. Extract it there.
         The resulting directory, C:\temp\logonSessions, contains the files Eula.txt, logonsessions.exe, logonsessions64.exe and logonsessions64a.exe. 
  3.  Still inside C:\temp, create a file containing the following command:
    @ECHO OFF 
:: This batch file reveals Windows log-on processes.
C:\temp\logonSessions\logonsessions64.exe -p 
PAUSE
    and save it as getLogonSessions.bat 

  4.  Right-click on C:\temp\getLogonSessions.bat and select Run as Administrator.
  5.  Scroll along in the CMD window and locate the sessions with an Sid value of S-1-5-11.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dave Watts Community Expert
Community Expert ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied

LATEST
In Response To Charlie Arehart

I do know that's the RID (relative identifier) for the "Authenticated Users" group and is used as part of the Windows SID for that group. It's not really a new thing, but because membership is contextual so to speak, most people don't think too much about it. It's a great convenience compared to the Everyone Group or any of the other groups with fixed membership. I don't know which versions of Windows show the SID along with the name of the group or user.

 

https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids

 

Also, I did see the DM and got in touch with the person. Thanks!

 

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Josh28586295ez4u
Community Beginner ,
May 19, 2023 May 19, 2023

Copy link to clipboard

Copied


Based on the Tenable scan report you provided, it appears that the ColdFusion 2018 application server and its associated components have file write permissions allowed for the "Authenticated Users" group (S-1-5-11). This could potentially pose a security risk as it allows any authenticated user on the system to modify these files.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2023 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices