Skip to main content
N
Neh36567090oer0
Participating Frequently
April 6, 2024
質問

Need help with /pms endpoint and CVE-2024-20767 & CVE-2023-38205

  • April 6, 2024
  • 返信数 2.
  • 1013 ビュー

Hello team,

I'm Neh Patel, Penetration tester and security researcher.
Recenty i was conducting penetration test on a client's infrastructure where i got an old instance of Adobe ColdFusion.

 

After conducting a thorough analysis, we've discerned several vulnerabilities within this instance, which we believe could potentially pose significant security risks.

- CVE-2023-38205 - Access Control Bypass ( Bypass of CVE-2023-29298 )

- CVE-2024-20767 -  Local File Read

## A little introduction about above CVEs

### Part 1 :- CVE-2023-38205
As you know, When a request originates from an external IP address that is not present in the allow list, access to the requested resource is blocked 

Example : when you attempt to perform a remote method call wizardHash on the /CFIDE/wizards/common/utils.cfc endpoint from IP which is not in allowed list , the request fails due to the access control being in place 

CVE-2023-38205 allows an unauthenticated user/attacker to bypass this access control rule and allows us to access those endpoints which are meant to access from local network only
So we can access few endpoints which are meant to access from allowed IPs only with this CVE.

### Part 2 :- CVE-2024-20767
This CVE allows an unauthenticated user/attacker to read local file.

### Steps to read local file with CVE-2024-20767

To read local files with CVE-2024-20767, first of all, we have to retrive an "UUID" from following endpoint
ENDPOINT - 1  : CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat

This endpoint will return an "UUID" which will work as cookie or session id.

Now with that UUID, we have to send a request to following endpoint to READ the local file
ENDPOINT - 2 : /pms?module=logging

Now while sending request to above endpoint, the UUID will work as cookie or session ID.

### What's the problem 
In our case, all the endpoint are unaccessible as our IP is not in allowed IP list, so we used CVE-2023-38205 to bypass the Adobe ColdFusion's access control and we successfully send the request to "Endpoint - 1" and successfully obtained "UUID"

But while sending request to "ENDPOINT - 2", the request failed and returned "500 Internl Server Error".


Now in security community, you just can't report that this resource is vulnerable without showing them proper impact ( in this case, reading a local file will work as impact ).
So we are trying to use that UUID to read file which is not working.

## Our Questions :
1. Is it possible to use that UUID at some other endpoint ?
2.  I'm able to make a request to endpoint "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" as unauthneticated user, so is it possible to perform some action as unauthenticated user to some other endpoints ?
3. I tried changing "getHeartBeat" with few other methods from "ColdFusion Administrator API Reference", only method with "remote string <MethodName>" are working , so why i'm unable to request other methods ?

4. Is it possible to use this unauthenticated requests and create some more impact in my penetration test ?

 

 

このトピックへの返信は締め切られました。

返信数 2

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
April 6, 2024

Thanks for your explanation. Your question is now clear.

 

But before we go any further, please be informed that Adobe, the vendor of ColdFusion, did warn developers of these vulnerabilities. Adobe infact released patches (ColdFusion Updates) for  CVE-2023-38205 and for CVE-2024-20767.

 

Here are ome details about Adobe's patch releases for the two CVEs:

 

ColdFusion Version

Update to address vulnerability CVE-2023-38205,

July 19, 2023

Update to address vulnerability CVE-2024-20767,

March 12, 2024

ColdFusion 2018

Update 19

ColdFusion 2018’s “End of Core Support” is on July 13, 2024. So Adobe will not release this or any future  patch/update for ColdFusion 2018.

ColdFusion 2021

Update   9

Update 13

ColdFusion 2023

Update   3

Update   7

 

The build number 2018,0,19,330149 implies that your client is on ColdFusion 2018 Update 19. That in turn implies that your client is protected against CVE-2023-38205.

 

However, there is an important point for you and your client to note. As ColdFusion 2018's end-of-core-support was on July 13, 2023, you should no longer expect any more ColdFusion 2018 security updates from Adobe. One immediate consequence is that Adobe issued no patch against CVE-2024-20767 for ColdFusion 2018.

 

To answer your numbered questions,

  1.  It may be possible for someone to use the UUID to make a request to another CFC endpoint under /CFIDE/adminapi/.. I say this given the fact that you succeeded in getting the UUID. Having said that, I am unaware of any use-case or functionality in ColdFusion 2018 that involves a heartbeat that has a UUID value.
  2.  In any case, I had expected you, the user, to be authenticated. The fact that you could make an unauthenticated request to  "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" suggests to me that something went wrong when the ColdFusion Administrator / RDS password was set.
  3.  Given that "servermanager.cfc?method=getHeartBeat" works on that particular ColdFusion 2018 server, some other method from the ColdFusion Administrator API Reference just might work. But this is all hypothetical. There is a greater probability that authentication to adminapi requests isn't working as it should. I am curious to know what error messages you obtained when you attempted to request other methods.
  4.  Yes, it is possible to use the unauthenticated requests to create some more impact in your penetration test. The proof is the successful request., as unauthneticated user,, to the endpoint "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat". Adobe no longer patches ColdFusion 2018. So things will only get worse if your clients continues with it. 

 

In short: Using ColdFusion 2018 is risky and clients should be advised to upgrade to a more recent ColdFusion version.

    N
    Neh36567090oer0作成者
    Participating Frequently
    April 6, 2024

    Hey BKBK,
    Thank you very much for your detailed overview, it's more clearn now after reviewing your points.

    Still have few doubts.


    On point 3:- I tried other methods from API Ref. but it most of them returned "Internal Server Error", I guess Access Control is the reason.

    On point 4: May i know how can i create more impact ( to be honest, this is my first engagement with Adobe ColdFusion instance so the only understanding i have is from public CVEs and some research blogs.

    It would be great if we connect over twitter or discord to discuss this further
    Again , it will help a lot.

    My Twitter/X : - @thecyberneh
    https://twitter.com/thecyberneh 






    N
    Neh36567090oer0作成者
    Participating Frequently
    April 6, 2024

    Also, can you share your twitter or discord so that i can contact you

    N
    Neh36567090oer0作成者
    Participating Frequently
    April 6, 2024

    Build Number : 2018,0,19,330149

    契約条件Accessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices