Owning a ColdFusion Server

Back in November Chris Gates, @carnal0wnage, gave a talk called “From LOW to PWND” at BSides Atlanta. In the talk he discussed a ColdFusion directory traversal vulnerability that allows the admin password hash to be downloaded. More details can be found at GNUCitizen. Once the password is downloaded it can be cracked, it is a SHA1 hash, or it can be used to login to the server. The article on GNUCitizen includes step-by-step instructions for authenticating to the server using the hash.

On a recent job I came across a vulnerable ColdFusion server, downloaded the hash and followed the instructions for logging in with the hash. I was unsuccessful in my attempts to login because the server refreshed the page every 30 seconds and I couldn’t go through all of the steps fast enough. So, I did what anyone in their right mind would do and wrote a script. The script uses the directory traversal flaw to download the password.properties file, extract the password, extract the “salt” on the login page, and login to the page with the salted admin hash. If all goes well, the authorization cookie will be set and printed to the screen. The cookie can be manually added to firefox using the Cookies Manager+ addon to gain administrative control of the ColdFusion server. From there a ColdFusion shell can be uploaded and commands can be run on the server with SYSTEM level privileges. The script is available on Github.

Another interesting file to download is the neo-datasource.xml file, which contains 3DES encrypted passwords for the backend database connections. The passwords can be easily decrypted because the encryption key is static and is used on all ColdFusion servers. The passwords are buried in the file and are a pain to locate manually. Again, I did what anyone else would do and wrote a script. The cfneo.rb script will download a neo-datasource.xml file from a vulnerable server, find all the encrypted passwords, and decrypt them. It uses the RexTable module to print the encrypted and decrypted passwords in a nice table. The cfneo.rb and rextable.rb scripts can be downloaded from Github.

The ColdFusion locale directory traversal flaw affects a number of pages and sometimes requires a different path. Some of the other affected pages and another possible path can be found in Chris Gates’s POC python script on exploit-db.com. Details about decrypting the neo-datasource.xml file can be found at the HEXALE blog.

Update

When I was researching and writing this script I found this metasploit module, which is an auxiliary module that scans for vulnerable ColdFusion servers. I totally missed this metasploit module, which is an exploit module. I can’t seem to find it in the latest version of metasploit, which must be why I missed it the first time.

Enjoy these tools and remember only use them for good.

About these ads

3 responses to “Owning a ColdFusion Server

  1. I did it the very same, never published because lack of time, however your work is far better :) … I did a similar thing for Coldfusion MX 6 too (old… I know); it uses a different way to “hash” (it’s a cipher) password – a sort of XOR with the same hardcoded key. This method was the default one in that version, so I needed to reverse it to get credentials. If someone needs this piece of code, can contact me.

  2. Thanks for the script! I modified the regex to:

    data.scan(/\([a-zA-Z0-9\+\/]+[=]+)\/m)

    Which also finds very short passwords that only have one equals sign after them.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s