Serious Vulnerability In Adobe ColdFusion Application Server


We haven’t often reported anything relating to ColdFusion, the application server from Adobe, most likely because it’s not a very prevalent hosting platform. It was quite popular earlier in the decade before PHP became so popular, the choices back then were early versions of ASP, JSP and CFM.

We’ve only posted one tool related to ColdFusion too which was – Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications.

Adobe seems to have tried to hide this one away and downgrade the severity of the exploit by classifying it as ‘important’ but not ‘critical’. Stating it could only lead to information disclosure via directory traversal. It seems however publicly released exploit code can utilise this vulnerability to take full control of any server running the unpatched version of ColdFusion.

A recently patched vulnerability in Adobe’s ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.

In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.

But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What’s more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.

“This attack can lead to a full system compromise, so let’s make sure we’re clear,” HP researcher Rafal Los wrote here. “It’s not just that you can poke around the system files of the machine you’ve attacked (which is highly likely a MS Windows server); it’s also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”

From what has been written about the flaw by researchers that have tested it out, it really should have been rated as critical. Plus the fact you can use some old school Google Hacking to find vulnerable servers means this could lead to some widespread mass defacements.

Well perhaps I shouldn’t really say mass defacements as there just aren’t that many servers running ColdFusion, and yes most of which are indeed running on Windows machines and most likely poorly maintained and not particularly secure Windows machines.

The bottom line, if you have any ColdFusion servers in your organization or within your realm of responsibility, get them patched ASAP.

One reason the vulnerability may have been rated critical is that attacks generally work only when ColdFusion administrative components are accessible over the public internet, something that’s not considered a best practice. Los pointed to Google searchers here , here, here and here, which over the weekend generated “a lot of results.”

Around the same time, a hacker who goes by the name Carnal0wnage posted attack code that reliably exploits the vulnerability.

Also over the weekend, hacker and penetration tester Adrian Pastor warned that attackers could exploit the vulnerability to login as a ColdFusion admin without needing to crack the cryptographic hash.

Adobe on Monday issued the following statement:

“The ColdFusion hotfix and security bulletin released on August 10, 2010 address a directory traversal vulnerability (CVE-2010-2861) that could lead to information disclosure (http://www.adobe.com/support/security/bulletins/apsb10-18.html). The vulnerability on its own has been rated as ”important” in accordance with the severity criteria available on the Adobe website at http://www.adobe.com/devnet/security/security_zone/severity_ratings.html. Because it is possible for a vulnerability to be exploited in combination with other factors that may impact the overall severity of an attack, Adobe always recommends users update their product installations in line with security best practices.”

To take complete control however the server admin would have had to ignore the ‘best-practice’ guidelines and allowed public access to administrative components of the ColdFusion server.

If you are interested you can find reliable exploit code here:

Adobe ColdFusion Directory Traversal Vulnerability

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


Comments are closed.