Hello team,
I'm Neh Patel, Penetration tester and security researcher.
Recently I was conducting a penetration test on a client's infrastructure, where I got an old instance of Adobe ColdFusion.
After conducting a thorough analysis, we discerned several vulnerabilities within this instance, which we believe could potentially pose significant security risks.
- CVE-2023-38205 - Access Control Bypass ( Bypass of CVE-2023-29298 )
- CVE-2024-20767 - Local File Read
## A little introduction about the above CVEs
### Part 1: CVE-2023-38205
As you know, when a request originates from an external IP address that is not present in the allow list, access to the requested resource is blocked.
Example: when you attempt to perform a remote method call to wizardHash on the /CFIDE/wizards/common/utils.cfc endpoint from an IP which is not in the allowed list, the request fails due to the access control being in place.
CVE-2023-38205 allows an unauthenticated user/attacker to bypass this access control rule and lets us access those endpoints which are meant to be accessed from the local network only.
So with this CVE we can access a few endpoints which are meant to be accessed from allowed IPs only.
### Part 2: CVE-2024-20767
This CVE allows an unauthenticated user/attacker to read local files.
### Steps to read a local file with CVE-2024-20767
To read local files with CVE-2024-20767, first of all, we have to retrieve a "UUID" from the following endpoint:
ENDPOINT - 1 : CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat
This endpoint will return a "UUID" which will work as a cookie or session ID.
Now with that UUID, we have to send a request to the following endpoint to READ the local file:
ENDPOINT - 2 : /pms?module=logging
Now while sending the request to the above endpoint, the UUID will work as a cookie or session ID.
### What's the problem
In our case, all the endpoints are inaccessible as our IP is not in the allowed IP list, so we used CVE-2023-38205 to bypass Adobe ColdFusion's access control, successfully sent the request to "Endpoint - 1" and obtained the "UUID".
But while sending the request to "ENDPOINT - 2", the request failed and returned "500 Internal Server Error".
Now in the security community, you just can't report that this resource is vulnerable without showing proper impact (in this case, reading a local file will work as impact).
So we are trying to use that UUID to read a file, which is not working.
## Our Questions:
1. Is it possible to use that UUID at some other endpoint?
2. I'm able to make a request to the endpoint "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" as an unauthenticated user, so is it possible to perform some action as an unauthenticated user on some other endpoints?
3. I tried replacing "getHeartBeat" with a few other methods from the "ColdFusion Administrator API Reference"; only methods with "remote string <MethodName>" are working, so why am I unable to request other methods?
4. Is it possible to use these unauthenticated requests and create some more impact in my penetration test?
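For a defender reviewing the same instance, the first question is whether requests to the endpoints named above are reaching the server from addresses outside the allow list at all, and whether they are being answered with a 200 rather than blocked. The following is an added example, not code from the thread or from Adobe: a small log scanner that parses combined-format web server lines, matches the two endpoints discussed (the servermanager.cfc getHeartBeat call and /pms?module=logging) plus any other /CFIDE/adminapi or /CFIDE/wizards request, and reports those that came from outside a constructed allow list. The log lines, the allow list and the label strings are all constructed sample data.

```python
"""Added example (not from the thread): flag web-server log entries that reach
ColdFusion administrative endpoints from addresses outside the allow list.
The endpoints and the allow-list concept come from the thread; the log lines
and the allow list below are constructed sample data."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow list: addresses that may legitimately reach /CFIDE/adminapi.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Endpoints named in the thread. Order matters: specific patterns are checked
# before the catch-all for the CFIDE administrative trees.
WATCHED = [
    ("getHeartBeat on servermanager.cfc",
     re.compile(r"/cfide/adminapi/_servermanager/servermanager\.cfc$", re.I),
     {"method": "getheartbeat"}),
    ("/pms logging module",
     re.compile(r"/pms$", re.I),
     {"module": "logging"}),
    ("any /CFIDE/adminapi or /CFIDE/wizards call",
     re.compile(r"/cfide/(adminapi|wizards)/", re.I),
     {}),
]

# Apache/NGINX combined log format: client ip, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, timestamp, path, lower-cased query map and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = {k.lower(): [v.lower() for v in vals]
                      for k, vals in parse_qs(parts.query).items()}
    return entry


def is_allowed(ip):
    """True when the client address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def classify(entry):
    """Return the label of the first watched endpoint that matches path and required query values."""
    for label, path_re, required in WATCHED:
        if path_re.search(entry["path"]) and all(
                v in entry["query"].get(k, []) for k, v in required.items()):
            return label
    return None


def scan(lines):
    """Findings for watched endpoints hit from outside the allow list.
    A 200 here means the access control did not stop the request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label and not is_allowed(entry["ip"]):
            findings.append({"ip": entry["ip"], "status": entry["status"],
                             "label": label, "path": entry["path"]})
    return findings


# Constructed sample log: two external hits on the thread's endpoints, one internal hit, one benign page.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /pms?module=logging HTTP/1.1" 500 0',
    '10.0.0.5 - - [12/Mar/2024:10:02:00 +0000] "GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Mar/2024:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Mar/2024:10:03:30 +0000] "GET /CFIDE/wizards/common/utils.cfc?method=wizardHash HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['label']} ({f['path']}) status {f['status']}")
```

Run against the sample data this reports three external hits: the getHeartBeat call answered 200, the /pms call answered 500, and the wizards call answered 403. The 200 on an administrative endpoint from a non-allow-listed address is the line worth escalating, since it shows the IP restriction was not applied; the 403 shows it working as intended.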
Build Number : 2018,0,19,330149
Thanks for your explanation. Your question is now clear.
But before we go any further, please be informed that Adobe, the vendor of ColdFusion, did warn developers of these vulnerabilities. Adobe in fact released patches (ColdFusion Updates) for CVE-2023-38205 and for CVE-2024-20767.
Here are some details about Adobe's patch releases for the two CVEs:
| ColdFusion Version | Update to address vulnerability CVE-2023-38205, July 19, 2023 | Update to address vulnerability CVE-2024-20767, March 12, 2024 |
|---|---|---|
| ColdFusion 2018 | Update 19 | ColdFusion 2018's "End of Core Support" is on July 13, 2024. So Adobe will not release this or any future patch/update for ColdFusion 2018. |
| ColdFusion 2021 | Update 9 | Update 13 |
| ColdFusion 2023 | Update 3 | Update 7 |
The build number 2018,0,19,330149 implies that your client is on ColdFusion 2018 Update 19. That in turn implies that your client is protected against CVE-2023-38205.
However, there is an important point for you and your client to note. As ColdFusion 2018's end-of-core-support was on July 13, 2023, you should no longer expect any more ColdFusion 2018 security updates from Adobe. One immediate consequence is that Adobe issued no patch against CVE-2024-20767 for ColdFusion 2018.
To answer your numbered questions,
In short: Using ColdFusion 2018 is risky and clients should be advised to upgrade to a more recent ColdFusion version.
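The build-number reasoning in this answer (2018,0,19,330149 means ColdFusion 2018 Update 19, which carries the CVE-2023-38205 fix but can never receive a CVE-2024-20767 fix) is something a defender will want to apply across a whole fleet rather than one host. The following is an added example, not code from the thread or from Adobe: it parses a build string of that shape and checks it against the thresholds in the table above. The assumption that the first comma-separated field is the product version and the third is the update level is taken from the single build number shown in the thread and is labelled as such in the code.

```python
"""Added example (not from the thread): map a ColdFusion build number such as
"2018,0,19,330149" onto the patch table posted in the thread and report whether
the fixes for CVE-2023-38205 and CVE-2024-20767 are present."""

# Minimum update level per product version, from the table in the thread.
# None: Adobe shipped no fix for that version (ColdFusion 2018 is past end of core support).
PATCH_TABLE = {
    "CVE-2023-38205": {2018: 19, 2021: 9, 2023: 3},
    "CVE-2024-20767": {2018: None, 2021: 13, 2023: 7},
}


def parse_build(build):
    """'2018,0,19,330149' -> (2018, 19).

    Assumption (from the one build number shown in the thread): field 1 is the
    product version year and field 3 is the update level; other fields are ignored.
    """
    fields = build.strip().replace(".", ",").split(",")
    if len(fields) < 3:
        raise ValueError(f"unexpected build number format: {build!r}")
    return int(fields[0]), int(fields[2])


def patch_status(build):
    """Per-CVE status string for one build number."""
    version, update = parse_build(build)
    status = {}
    for cve, minimum in PATCH_TABLE.items():
        if version not in minimum:
            status[cve] = "unknown version"
        elif minimum[version] is None:
            status[cve] = "no fix available for this version"
        elif update >= minimum[version]:
            status[cve] = "patched"
        else:
            status[cve] = f"unpatched (needs Update {minimum[version]} or later)"
    return status


def report(builds):
    """Summarise a list of (host, build) pairs; hosts needing attention come first."""
    rows = []
    for host, build in builds:
        try:
            st = patch_status(build)
        except ValueError as exc:
            rows.append((host, build, {"error": str(exc)}))
            continue
        rows.append((host, build, st))
    # Anything not fully patched sorts ahead of fully patched hosts.
    rows.sort(key=lambda r: all(v == "patched" for v in r[2].values()))
    return rows


if __name__ == "__main__":
    # Constructed inventory: the thread's build plus two made-up ones.
    inventory = [
        ("cf-legacy", "2018,0,19,330149"),
        ("cf-app1", "2021,0,12,000000"),
        ("cf-app2", "2023,0,7,000000"),
    ]
    for host, build, st in report(inventory):
        print(host, build, st)
```

For the build quoted in the thread this yields "patched" for CVE-2023-38205 and "no fix available for this version" for CVE-2024-20767, which is exactly the situation the answer describes and the reason the only remediation is an upgrade off ColdFusion 2018.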
Hey BKBK,
Thank you very much for your detailed overview; it's clearer now after reviewing your points.
I still have a few doubts.
On point 3: I tried other methods from the API Ref., but most of them returned "Internal Server Error". I guess Access Control is the reason.
On point 4: May I know how I can create more impact? (To be honest, this is my first engagement with an Adobe ColdFusion instance, so the only understanding I have is from public CVEs and some research blogs.)
It would be great if we could connect over Twitter or Discord to discuss this further.
Again, it will help a lot.
My Twitter/X: @thecyberneh
https://twitter.com/thecyberneh
Also, can you share your Twitter or Discord so that I can contact you?
On point 3: I tried other methods from the API Ref., but most of them returned "Internal Server Error". I guess Access Control is the reason.
By @Neh36567090oer0
There's your answer then. It would seem that, for some weird reason, there is an access check for other adminapi endpoints, but not for "CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat". Could this be intentional or the result of a loophole in ColdFusion?
Ask Adobe's ColdFusion engineers: cfsup[at]adobe.com. We should hope they would be interested in spite of ColdFusion 2018's end-of-support.
On point 4: May I know how I can create more impact? (To be honest, this is my first engagement with an Adobe ColdFusion instance, so the only understanding I have is from public CVEs and some research blogs.)
You are already in possession of the information that has the greatest impact for your client: