In a recent penetration testing engagement with Henil Gandhi, we found an old instance of Adobe #ColdFusion.
After conducting a thorough analysis, we've discerned several vulnerabilities within this instance.
List of vulnerabilities we found:
- CVE-2023-38205 - Access Control Bypass ( Bypass of CVE-2023-29298 )
- CVE-2024-20767 - Arbitrary file system read using an Improper Access Control
To exploit CVE-2024-20767, we have to retrieve the "UUID" by sending a request to the "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" endpoint.
Now we were able to get that "UUID" from the above endpoint, and we have to use that "UUID" to send a request to the "/pms?module=logging" endpoint (where the UUID works like a cookie).
But we are unable to access that /pms endpoint because of access control (which we bypassed in the case of the "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" endpoint with the use of CVE-2023-38205).
So we need your help with this, as the client will not accept the vulnerability with this low impact.
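A defender-side check for the two ColdFusion paths named in this post, added here as an example and not part of any participant's message: it scans access-log lines in Apache/nginx "combined" format for requests to the admin API heartbeat path and the /pms path, and separates out the requests that an external address got a 200 for. The log lines are constructed, the "internal" address ranges are an assumed policy, and the function names are this example's own.

```python
"""Flag access-log requests to the ColdFusion admin API and /pms paths.

Added example (not from the thread). Assumes combined-format access logs;
SAMPLE_LOG below is constructed, INTERNAL_NETS is an assumed policy.
"""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network

# Assumed "internal" ranges: requests from anywhere else count as external.
INTERNAL_NETS = tuple(
    ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# Paths named in the thread, matched case-insensitively and without the query string.
WATCHED_PATHS = {
    "/cfide/adminapi/_servermanager/servermanager.cfc": "CF admin API (getHeartBeat; first step described for CVE-2024-20767)",
    "/pms": "CF /pms endpoint (second step described for CVE-2024-20767)",
}

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: an external client reaches the heartbeat path, is refused
# on /pms, an unrelated page is served, and loopback reaches /pms.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Apr/2024:12:00:02 +0000] "GET /pms?module=logging HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.9 - - [10/Apr/2024:12:00:03 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Apr/2024:12:00:04 +0000] "GET /pms?module=logging HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": target.split("?", 1)[0].lower(),
        "query": target.partition("?")[2],
        "status": int(m.group("status")),
    }


def find_hits(log_text: str) -> list[dict]:
    """Return every parsed request whose path is one of WATCHED_PATHS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = WATCHED_PATHS.get(rec["path"])
        if reason is None:
            continue
        rec["reason"] = reason
        rec["external"] = is_external(rec["ip"])
        rec["served"] = rec["status"] == 200
        hits.append(rec)
    return hits


def high_priority(hits: list[dict]) -> list[dict]:
    """Hits where an external client was actually served (200): the path is
    reachable from outside, which is the condition the post's first step relies on."""
    return [h for h in hits if h["external"] and h["served"]]


if __name__ == "__main__":
    all_hits = find_hits(SAMPLE_LOG)
    for h in all_hits:
        tag = "ALERT" if h in high_priority(all_hits) else "info"
        print(f"{tag}: {h['ts']} {h['ip']} {h['status']} {h['path']} ({h['reason']})")
```

On the constructed sample the only high-priority record is the external 200 on the admin API path; the refused /pms request and the loopback access are kept as lower-priority context. In practice the same check would be paired with restricting the CFIDE paths to trusted addresses and applying the vendor updates the later replies ask about.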
This reads as if you want to know how to open up the /pms path, currently blocked by what you call "access control". Is that right? And why is that?
And you're being asked to address vulnerabilities in "an old instance" of cf. What cf version is it? And what update level? If it's cf2021 or 2023, is it on their latest updates from last month? And if it's cf2018 or earlier, did you know those are no longer supported, no longer updated, and would have known vulns fixed only in more recent updates? And if any of this is true, is this effort of yours being done instead of updating?
It could help us to know where you're coming from, though you may feel yours is a simple question.
Hey Charlie, thanks for the reply.
I added the entire problem statement and more info in the following discussion thread.
Link : https://community.adobe.com/t5/coldfusion-discussions/need-help-with-pms-endpoint-and-cve-2024-20767...
It includes all the details that will be required to answer my question.
That discussion, while interesting, doesn't answer the first question I raised. If you can't access that /pms url, what are you asking of us in this thread? How to open it? So that you can demonstrate the vulnerability? Why would your client want you to enable the vuln?
I get it: you're a security researcher, and you may know little about cf. So you've come to where you hope to find cf expertise to answer your questions. And some of us here are both cf experts and security researchers as well, having filed bug bounties and been responsible for Adobe updates closing such vulnerabilities. So when we ask follow up questions, we're not being hard-headed. We're asking you to help us help you.
Conversely, we're going to question anything that goes against good hygiene. We of course deal with LOTS of servers that are poorly configured. Our goal is to help folks address that, which isn't necessarily of interest to white or black hats. But press that point, we will. This is an Adobe community forum, after all.
There are plenty of other public support forums where you'll find people who would delight in showing folks how insecure they feel cf to be, and will even show how to make one insecure. Just saying you might be more successful there, if we're too focused here on ensuring people "do the right thing".
But with that context clarified, I'll look forward to any refinement to your original question.
Dear Charlie,
Thank you for your thoughtful response and for highlighting the importance of addressing the initial question I raised.
Apologies for overlooking your initial question.
In bug bounty scenarios, the goal is to maximize the impact of vulnerabilities for reporting purposes. This often involves demonstrating their severity, ideally categorizing them as High or Critical rather than Medium.
In response to your query, allow me to clarify that my client does not endorse the exploitation of vulnerabilities. Rather, as a security researcher engaged in bug bounty programs, the aim is to comprehensively assess potential threats and their impact. By demonstrating the severity of vulnerabilities, such as through escalating their classification to High or Critical, we can effectively advocate for prompt remediation.
I acknowledge your concern regarding adherence to ethical standards and avoiding actions that may compromise system integrity. My intention was solely to explore avenues for maximizing the impact of vulnerability assessments within ethical boundaries.
Once again, I apologize for any oversight in my previous communication and appreciate your patience in providing context. Moving forward, I am committed to refining my inquiries to ensure they align with the ethos of responsible security research and community engagement.
Thank you for your understanding and continued support.
Best regards,
Neh Patel
Ok, but I'll ask again more plainly: if the vuln requires running a /pms url, and that fails to work for you, what then is the question? How to open it? Isn't the fact that it's closed all the answer your client needs?
Or is your client not a cf customer but instead an org seeking how to break into cf systems? And if so are they wanting to know "what can cause it to be opened"?
The latter of course is a different perspective from which to ask, and this isn't really a place that I feel is appropriate to help divulge that, even to a security researcher. But again perhaps someone else will, whether here or elsewhere.
Hi @Neh36567090oer0,
Like Charlie, I, too, am confused by what you say. Some questions:
Hey bkbk, thanks for the reply. Answers to your questions:
1. What is your ColdFusion version and update level?
Ans: 2018,0,19,330149
2. Have you applied the ColdFusion updates recommended in the CVEs that you mention?
Ans: I have nothing to do with updates. As a security researcher, all we have to do is identify the vulnerability, get the maximum impact of that vulnerability and report it to the client.
3. Does your last sentence mean that, after applying the updates recommended by the CVEs, you have identified yet another vulnerability which the client will not accept?
Ans: Nope buddy, the target instance has no patch.
Also, we are doing black box penetration testing, so we have no idea about the source code, admin rules or other info.
All they provide is the scope of domains (one of them has this ColdFusion instance running).
I have just posted a reply in that thread: