Serious Vulnerability In Adobe ColdFusion Application Server

Outsmart Malicious Hackers


We haven’t often reported anything relating to ColdFusion, the application server from Adobe, most likely because it’s not a very prevalent hosting platform. It was quite popular earlier in the decade before PHP became so popular, the choices back then were early versions of ASP, JSP and CFM.

We’ve only posted one tool related to ColdFusion too which was – Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications.

Adobe seems to have tried to hide this one away and downgrade the severity of the exploit by classifying it as ‘important’ but not ‘critical’. Stating it could only lead to information disclosure via directory traversal. It seems however publicly released exploit code can utilise this vulnerability to take full control of any server running the unpatched version of ColdFusion.

A recently patched vulnerability in Adobe’s ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.

In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.

But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What’s more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.

“This attack can lead to a full system compromise, so let’s make sure we’re clear,” HP researcher Rafal Los wrote here. “It’s not just that you can poke around the system files of the machine you’ve attacked (which is highly likely a MS Windows server); it’s also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”

From what has been written about the flaw by researchers that have tested it out, it really should have been rated as critical. Plus the fact you can use some old school Google Hacking to find vulnerable servers means this could lead to some widespread mass defacements.

Well perhaps I shouldn’t really say mass defacements as there just aren’t that many servers running ColdFusion, and yes most of which are indeed running on Windows machines and most likely poorly maintained and not particularly secure Windows machines.

The bottom line, if you have any ColdFusion servers in your organization or within your realm of responsibility, get them patched ASAP.

One reason the vulnerability may have been rated critical is that attacks generally work only when ColdFusion administrative components are accessible over the public internet, something that’s not considered a best practice. Los pointed to Google searchers here , here, here and here, which over the weekend generated “a lot of results.”

Around the same time, a hacker who goes by the name Carnal0wnage posted attack code that reliably exploits the vulnerability.

Also over the weekend, hacker and penetration tester Adrian Pastor warned that attackers could exploit the vulnerability to login as a ColdFusion admin without needing to crack the cryptographic hash.

Adobe on Monday issued the following statement:

“The ColdFusion hotfix and security bulletin released on August 10, 2010 address a directory traversal vulnerability (CVE-2010-2861) that could lead to information disclosure (http://www.adobe.com/support/security/bulletins/apsb10-18.html). The vulnerability on its own has been rated as ”important” in accordance with the severity criteria available on the Adobe website at http://www.adobe.com/devnet/security/security_zone/severity_ratings.html. Because it is possible for a vulnerability to be exploited in combination with other factors that may impact the overall severity of an attack, Adobe always recommends users update their product installations in line with security best practices.”

To take complete control however the server admin would have had to ignore the ‘best-practice’ guidelines and allowed public access to administrative components of the ColdFusion server.

If you are interested you can find reliable exploit code here:

Adobe ColdFusion Directory Traversal Vulnerability

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking


Latest Posts:


snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.


Comments are closed.