I just pushed out code coverage for the Adobe XML External Entity Injection vulnerability in multiple adobe products including: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and
8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data
Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2
References Here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3960
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
http://www.adobe.com/support/security/bulletins/apsb10-05.html
I recommend you read security-asessment's pdf on it, its good.
Anyway, its a cool bug.
1 -->because it affects several products although most people have probably never heard of most of them except for ColdFusion.
2 -->its enabled by default on all those products you've never heard of except for ColdFusion, with the exception of CF 8 which appears to have it turned on by default.
3 -->You have to apply patches for CF individually and there is no automated process. Since this vuln got little media attention I've seen alot of hosts that are still missing this patch and/or didn't turn off the vuln service.
On with the demo!
So against a patched host or someone that has disabled the service in ColdFusion you'll see one of two things; either 404's for the checks or 200 for /flex2gateway/ and 500 for the http or https check.
If you get a bunch of 400's then you need to set the VHOST
When it works, you'll see something like this for /etc/passwd
and like this when you asked for a file that doesn't exist or doesn't have permission to read (since CF doesn't run as root on linux, requesting /etc/shadow wont work) :-(
At this point, you're probably like "so what" well whats cool about arbitrary file read is that 1. it also works on Windows:
and 2. that whole
password.properties attack is now cool again because you can just request that file too
-CG