Monday, April 23, 2012

From LOW to PWNED [2] ColdFusion



Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [2] ColdFusion

Whhhhaaaat? ColdFusion?
  • Originally released in 1995 by Allaire
  • Motivation: make it easier to connect simple HTML pages to a database
  • Along the way became full Java
  • Latest version is ColdFusion 9 released in 2009
  • Most recent features focus on integration with other technologies, e.g. Flash, Flex, AIR, Exchange, MS Office, etc.
  • Frequent to see CF 7 - 9 on the web
  • Open Source CFML avalable as well
  • BlueDragon, Railo, Mura CMS
Background Reading:

http://carnal0wnage.attackresearch.com/2011/12/not-0wning-that-coldfusion-server-but.html
http://averagesecurityguy.info/2011/12/09/owning-a-coldfusion-server/
https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf
https://media.blackhat.com/bh-us-10/whitepapers/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-wp.pdf
http://www.orkspace.net/secdocs/Conferences/EuSecWest/2006/ColdFusion%20Security.pdf

LOW?


Two nice bugs exist that I don't think vuln scanners commonly check for


Locale traversal CVE: 2010-2861
coldfusion_locale_traversal.rb

great overview/walkthru here: http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
Vulnerable Versions:
ColdFusion MX6 6.1 base patches
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
ColdFusion 9?  Immunity reported yes, but Adobe fixed downloadable version of 9. so maaaaaaybe if old version of 9.

*no patches exist for 6 & 7 so if you see CF6 or CF7 its always vuln to the bug*



There's lots more to the ColdFusion story, enough that I recently gave a talk on it.
CG

6 comments:

nebulus said...

Hey CG, think you'll like this :)

https://dev.metasploit.com/redmine/issues/6822

Good article as always, though would be nice to see the slides...

CG said...

im working on getting the slides to the SOURCE ppl. im actually way late on them.

i'll try to get them posted tonight.

Brad Wood said...

The history of CF is a little out of date. It says the latest version is 9. The latest version of ColdFusion is actually 11 and came out a couple months ago. CF also has some nice secure-by-default installation options to help admins lock it down.

CG said...

@brad will the post IS two years old :-/

Brad Wood said...

Yeah, I saw that *after* I posted. I came here from a link on Twitter and assumed it was a recent article.

CG said...

yeah it needs an update. probably not gonna happen soon though.