An SSRF to LFI Payload for PDF Generators (CVE-2024-34112 and beyond)

"Hola, amigos. How’s it hangin’? I know it’s been a long time since I last rapped at ya, but I've been busier than a feather plucker on nickel wing night, ya know?  You old buddy Jimbo found some discarded books out back next to the dumpster at the inconvenience store about something called 'Cold Fusion' and I've been reading through those bad boys.  Shoulda called it CON-Fusion if ya ask me.  But I've been having trouble reading the printed word and gettin' these awful headaches ever since I popped in side two of 'Hemispheres' and lit up some sweet Thai Stick I found underneath the passenger side seat of my crapbox Festiva -- that turned out to be the taquito I dropped last July after the Dane County Fair.  It just goes to show ya, yours truly can't catch a break in this world."

[ It was at this point that we decided it wouldn't be a good idea to let Mr. Anchower write the entire blog post.  We weren't wrong.   -Ed. ]

Ahem.  Quick post for today on an SSRF payload that can potentially be used for local file retrieval.  I'll be framing it in the context of CVE-2024-34112, but it could be a viable attack against any application that is doing server-side PDF generation with user-controlled data.  

An Initial Analysis of Adobe ColdFusion CVE-2024-53961

A ColdFusion security patch released two days before Christmas?  I have a feeling that may have resulted in many sysadmins shouting "Fiddlesticks!" (or perhaps another f-word) earlier today.  And on that note, may I suggest this perfect album for a little holiday cheer after the servers have been patched, the wine has been mulled, and the goose has been roasted to perfection:

Ghosts of Vulnerabilities Past?

Adobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval.  Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March.  

BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Thank you to BSidesLV for the opportunity to speak this year.  The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below.  They're pretty similar to my Summercon slides, with a few updates.

On ColdFusion Administrator Access Control Bypass Techniques

Introduction

Access Control is frequently boring but important.  It's one of the core security services defined in the OSI Security Architecture reference model.  And it's illustrative of what Erasmus and Franklin (not to mention many doctors, nutritionists, and personal trainers) had to say about preventions versus cures.  An attacker can't exploit what he can't access.

Let's pretend you're a jewel thief who wants to steal a bag of jewels locked securely in a bedroom wall safe.  Before you can get down to the art and science of safecracking, you need to get access to the safe first.  The bedroom and the wall safe are protected areas that any passing jewel thief shouldn't be able to just walk up to and start poking at.  Your path to the wall safe would likely have layered security controls -- a locked front door, motion sensors, lasers, CCTV cameras, dogs, bees, dogs with bees in their mouths and when they bark they shoot bees at you, etc. -- that may deter you or at least make your job more difficult.

Looking at CFAdmin

Think of the ColdFusion Administrator (CFAdmin) -- the web-based interface for configuring and managing your ColdFusion environment -- in the same way as that wall safe.  You want to protect and restrict access to CFAdmin as part of your security baseline.  CFAdmin components are accessible via /CFIDE/ URI paths and expose lots of functionality; most components require authentication (a local username/password, or LDAP as of ColdFusion 2023) to access, although some are accessible without authentication.  So proper access control is crucial.

Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Last Friday it was an absolute honor to talk about ColdFusion security at Summercon.  Summercon was the first security conference I attended and it remains my favorite after many years, as BlackHat has gotten enormous and other cons have run their course.  The slides from my talk Modern ColdFusion Exploitation and Attack Surface Reduction are below.  This talk is the result of several years of thinking about, examining, and researching the attack surface of ColdFusion from both offensive and defensive perspectives.  I'll also be giving the talk again at BSides Las Vegas next month -- with some updated slides, content, and surprises.

Bypassing Imperva SecureSphere WAF (CVE-2023-50969)

Background 

Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications.  Some versions of SecureSphere WAF are affected by a vulnerability that could allow an attacker to bypass WAF rules that inspect POST data and subsequently exploit flaws in protected web applications that would otherwise be blocked.

Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)

Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT:  https://jeva.cc/2973.html

It's a great finding with an interesting two-step exploit process that combines obtaining a server UUID value from a CFAdmin API endpoint and then using that UUID to access a PMSGenericServlet module (part of the Performance Monitoring Toolset) that can be abused to read local files.

If You're Running an Intranet Connections Lucee Instance, Ensure That You've Change the Default Lucee Admin Password

Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions.  It's worth a read to understand what an attacker could do after compromising a Lucee Admin interface to execute arbitrary code and maintain persistence.  Admin interfaces gonna admin -- especially in the case of unauthorized admin access -- and monitoring for any changes in extensions, scheduled jobs, and other sensitive configuration settings is an important detection strategy.   This is also a good reminder why you want very strict access control for Lucee Admin, or may want to consider disabling it altogether.