On ColdFusion Administrator Access Control Bypass Techniques

Introduction

Access Control is frequently boring but important.  It's one of the core security services defined in the OSI Security Architecture reference model.  And it's illustrative of what Erasmus and Franklin (not to mention many doctors, nutritionists, and personal trainers) had to say about preventions versus cures.  An attacker can't exploit what he can't access.

Let's pretend you're a jewel thief who wants to steal a bag of jewels locked securely in a bedroom wall safe.  Before you can get down to the art and science of safecracking, you need to get access to the safe first.  The bedroom and the wall safe are protected areas that any passing jewel thief shouldn't be able to just walk up to and start poking at.  Your path to the wall safe would likely have layered security controls -- a locked front door, motion sensors, lasers, CCTV cameras, dogs, bees, dogs with bees in their mouths and when they bark they shoot bees at you, etc. -- that may deter you or at least make your job more difficult.

Looking at CFAdmin

Think of the ColdFusion Administrator (CFAdmin) -- the web-based interface for configuring and managing your ColdFusion environment -- in the same way as that wall safe.  You want to protect and restrict access to CFAdmin as part of your security baseline.  CFAdmin components are accessible via /CFIDE/ URI paths and expose lots of functionality; most components require authentication (a local username/password, or LDAP as of ColdFusion 2023) to access, although some are accessible without authentication.  So proper access control is crucial.

Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Last Friday it was an absolute honor to talk about ColdFusion security at Summercon.  Summercon was the first security conference I attended and it remains my favorite after many years, as BlackHat has gotten enormous and other cons have run their course.  The slides from my talk Modern ColdFusion Exploitation and Attack Surface Reduction are below.  This talk is the result of several years of thinking about, examining, and researching the attack surface of ColdFusion from both offensive and defensive perspectives.  I'll also be giving the talk again at BSides Las Vegas next month -- with some updated slides, content, and surprises.

Bypassing Imperva SecureSphere WAF (CVE-2023-50969)

Background 

Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications.  Some versions of SecureSphere WAF are affected by a vulnerability that could allow an attacker to bypass WAF rules that inspect POST data and subsequently exploit flaws in protected web applications that would otherwise be blocked.

Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)

Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT:  https://jeva.cc/2973.html

It's a great finding with an interesting two-step exploit process that combines obtaining a server UUID value from a CFAdmin API endpoint and then using that UUID to access a PMSGenericServlet module (part of the Performance Monitoring Toolset) that can be abused to read local files.

If You're Running an Intranet Connections Lucee Instance, Ensure That You've Change the Default Lucee Admin Password

Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions.  It's worth a read to understand what an attacker could do after compromising a Lucee Admin interface to execute arbitrary code and maintain persistence.  Admin interfaces gonna admin -- especially in the case of unauthorized admin access -- and monitoring for any changes in extensions, scheduled jobs, and other sensitive configuration settings is an important detection strategy.   This is also a good reminder why you want very strict access control for Lucee Admin, or may want to consider disabling it altogether.

One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed

Next Tuesday is Adobe Patch Tuesday.  Will there be new ColdFusion security updates?  I have no idea.  But even if there are no new patches released, and your ColdFusion servers already have the latest updates installed, you may still be missing an important step in keeping them secure.

What Does ColdFusion's verifyClient() Do?

I recently saw a ColdFusion question about verifyClient and remote CFC functions.  I already have strong opinions about why you don't want to use remote CFC functions, but I was unfamiliar with verifyClient.  That led me to take a look at how it works and I thought it was interesting enough to write about.  

Thinking Defensively About Three Recent Lucee Vulnerabilities

Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).  Their blog post is a must-read, and I'm not going to rehash their steps from research to discovery to exploitation.  Instead, I'm going to look at these vulnerabilities through a defensive lens.