
Need help with /pms endpoint and CVE-2024-20767 & CVE-2023-38205

New Here, Apr 06, 2024


Hello team,

I'm Neh Patel, penetration tester and security researcher.
Recently I was conducting a penetration test on a client's infrastructure, where I came across an old instance of Adobe ColdFusion.

 

After conducting a thorough analysis, we've discerned several vulnerabilities within this instance, which we believe could potentially pose significant security risks.

- CVE-2023-38205 - Access Control Bypass (bypass of CVE-2023-29298)

- CVE-2024-20767 - Local File Read

## A little introduction to the above CVEs

### Part 1: CVE-2023-38205
As you know, when a request originates from an external IP address that is not present in the allow list, access to the requested resource is blocked.

Example: when you attempt to perform a remote method call to wizardHash on the /CFIDE/wizards/common/utils.cfc endpoint from an IP which is not in the allowed list, the request fails because the access control is in place.

CVE-2023-38205 allows an unauthenticated user/attacker to bypass this access control rule and access those endpoints which are meant to be accessed from the local network only.
So with this CVE we can access a few endpoints which are meant to be accessed from allowed IPs only.

### Part 2: CVE-2024-20767
This CVE allows an unauthenticated user/attacker to read local files.

### Steps to read a local file with CVE-2024-20767

To read local files with CVE-2024-20767, first of all, we have to retrieve a "UUID" from the following endpoint:
ENDPOINT - 1 : CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat

This endpoint will return a "UUID" which works as a cookie or session ID.

Now with that UUID, we have to send a request to the following endpoint to READ the local file:
ENDPOINT - 2 : /pms?module=logging

While sending the request to the above endpoint, the UUID works as a cookie or session ID.

### What's the problem
In our case, all the endpoints are inaccessible as our IP is not in the allowed IP list, so we used CVE-2023-38205 to bypass Adobe ColdFusion's access control, successfully sent the request to "ENDPOINT - 1" and successfully obtained the "UUID".

But while sending the request to "ENDPOINT - 2", the request failed and returned "500 Internal Server Error".


Now in the security community, you just can't report that a resource is vulnerable without showing proper impact (in this case, reading a local file would serve as impact).
So we are trying to use that UUID to read a file, which is not working.

## Our Questions:
1. Is it possible to use that UUID at some other endpoint?
2. I'm able to make a request to the endpoint "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" as an unauthenticated user, so is it possible to perform some action as an unauthenticated user on some other endpoints?
3. I tried replacing "getHeartBeat" with a few other methods from the "ColdFusion Administrator API Reference"; only methods with "remote string <MethodName>" are working, so why am I unable to request other methods?
4. Is it possible to use these unauthenticated requests and create some more impact in my penetration test?
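Seen from the defending side, the two endpoints named in the steps above are what a log review should watch for. The following is an added detection example, not code from this thread: it scans constructed access-log lines for requests to the getHeartBeat method and to /pms?module=logging that come from addresses outside an assumed allow list, and marks a /pms request that follows a heartbeat from the same client as the chain described in the post. The allow list, the log format regex and the log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Endpoints named in the thread (compared lower-cased); meant to be reachable only from allow-listed addresses.
HEARTBEAT_PATH = "/cfide/adminapi/_servermanager/servermanager.cfc"
PMS_PATH = "/pms"
# Assumed allow list, constructed for this example (a real one comes from the ColdFusion Administrator).
ALLOWED_NETS = [ip_network("127.0.0.1/32"), ip_network("10.0.0.0/8")]
# Combined-log-format line: client IP, request line, status code (assumed log layout).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse(line):
    """Split one access-log line into ip, lower-cased path, lower-cased query and status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "path": path.lower(), "query": query.lower(), "status": int(status)}


def is_allowed(ip):
    return any(ip_address(ip) in net for net in ALLOWED_NETS)


def find_suspicious(lines):
    """Flag external hits on the two endpoints (any status, a 500 is still an attempt) and the heartbeat -> /pms chain."""
    findings = []
    got_heartbeat = defaultdict(bool)
    for line in lines:
        rec = parse(line)
        if rec is None or is_allowed(rec["ip"]):
            continue
        if rec["path"] == HEARTBEAT_PATH and "method=getheartbeat" in rec["query"]:
            findings.append((rec["ip"], "external getHeartBeat", rec["status"]))
            got_heartbeat[rec["ip"]] = True
        elif rec["path"] == PMS_PATH and "module=logging" in rec["query"]:
            kind = "external /pms?module=logging" + (" after getHeartBeat" if got_heartbeat[rec["ip"]] else "")
            findings.append((rec["ip"], kind, rec["status"]))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2024:10:00:01 +0000] "GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 87',
    '203.0.113.7 - - [06/Apr/2024:10:00:05 +0000] "GET /pms?module=logging HTTP/1.1" 500 0',
    '10.1.2.3 - - [06/Apr/2024:10:01:00 +0000] "GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 87',
    '198.51.100.9 - - [06/Apr/2024:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 1200',
]

for ip, kind, status in find_suspicious(SAMPLE_LOG):
    print(f"{ip}: {kind} (HTTP {status})")
```

The allow-listed 10.1.2.3 heartbeat and the unrelated /index.cfm hit are not reported; the external client's heartbeat and its failed /pms attempt are.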

 

 

New Here, Apr 06, 2024


Build Number : 2018,0,19,330149

Community Expert, Apr 06, 2024


Thanks for your explanation. Your question is now clear.

 

But before we go any further, please be informed that Adobe, the vendor of ColdFusion, did warn developers of these vulnerabilities. Adobe in fact released patches (ColdFusion Updates) for CVE-2023-38205 and for CVE-2024-20767.

 

Here are some details about Adobe's patch releases for the two CVEs:

 

| ColdFusion Version | Update to address vulnerability CVE-2023-38205 (July 19, 2023) | Update to address vulnerability CVE-2024-20767 (March 12, 2024) |
|---|---|---|
| ColdFusion 2018 | Update 19 | ColdFusion 2018's "End of Core Support" is on July 13, 2024. So Adobe will not release this or any future patch/update for ColdFusion 2018. |
| ColdFusion 2021 | Update 9 | Update 13 |
| ColdFusion 2023 | Update 3 | Update 7 |

 

The build number 2018,0,19,330149 implies that your client is on ColdFusion 2018 Update 19. That in turn implies that your client is protected against CVE-2023-38205.

 

However, there is an important point for you and your client to note. As ColdFusion 2018's end-of-core-support was on July 13, 2023, you should no longer expect any more ColdFusion 2018 security updates from Adobe. One immediate consequence is that Adobe issued no patch against CVE-2024-20767 for ColdFusion 2018.

 

To answer your numbered questions,

  1.  It may be possible for someone to use the UUID to make a request to another CFC endpoint under /CFIDE/adminapi/.. I say this given the fact that you succeeded in getting the UUID. Having said that, I am unaware of any use-case or functionality in ColdFusion 2018 that involves a heartbeat that has a UUID value.
  2.  In any case, I had expected you, the user, to be authenticated. The fact that you could make an unauthenticated request to "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" suggests to me that something went wrong when the ColdFusion Administrator / RDS password was set.
  3.  Given that "servermanager.cfc?method=getHeartBeat" works on that particular ColdFusion 2018 server, some other method from the ColdFusion Administrator API Reference just might work. But this is all hypothetical. There is a greater probability that authentication to adminapi requests isn't working as it should. I am curious to know what error messages you obtained when you attempted to request other methods.
  4.  Yes, it is possible to use the unauthenticated requests to create some more impact in your penetration test. The proof is the successful request, as unauthenticated user, to the endpoint "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat". Adobe no longer patches ColdFusion 2018. So things will only get worse if your client continues with it.

 

In short: Using ColdFusion 2018 is risky and clients should be advised to upgrade to a more recent ColdFusion version.

New Here, Apr 06, 2024


Hey BKBK,
Thank you very much for your detailed overview; it's much clearer now after reviewing your points.

I still have a few doubts.


On point 3: I tried other methods from the API Ref., but most of them returned "Internal Server Error"; I guess Access Control is the reason.

On point 4: May I know how I can create more impact? (To be honest, this is my first engagement with an Adobe ColdFusion instance, so the only understanding I have is from public CVEs and some research blogs.)

It would be great if we could connect over Twitter or Discord to discuss this further.
Again, it will help a lot.

My Twitter/X : - @thecyberneh
https://twitter.com/thecyberneh 






New Here, Apr 06, 2024


Also, can you share your Twitter or Discord so that I can contact you?

Community Expert, Apr 07, 2024


> On point 3: I tried other methods from the API Ref., but most of them returned "Internal Server Error"; I guess Access Control is the reason.
>
> By @Neh36567090oer0

There's your answer then. It would seem that, for some weird reason, there is an access check for other adminapi endpoints, but not for "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat". Could this be intentional or the result of a loophole in ColdFusion?

 

Ask Adobe's ColdFusion engineers: cfsup[at]adobe.com. We should hope they would be interested in spite of ColdFusion 2018's end-of-support.

 

> On point 4: May I know how I can create more impact? (To be honest, this is my first engagement with an Adobe ColdFusion instance, so the only understanding I have is from public CVEs and some research blogs.)

 

You are already in possession of the information that has the greatest impact for your client:

  • From July 2023 onwards, Adobe no longer supports ColdFusion 2018. One immediate consequence is that there is no patch to address vulnerability CVE-2024-20767.
    In effect, ColdFusion 2018 is now as watertight as a basket.
