This blog was written by Scott White, Senior Principal Security Consultant, Web Application Team Lead – TrustedSec
A pre-authentication local file disclosure path that was never publicly detailed exists in older Adobe ColdFusion products (8.0, 8.0.1, 9.0, 9.0.1 and earlier versions) at /CFIDE/debug/cf_debugFr.cfm?userPage=../../etc/hosts
During a recent penetration test, a web site using .cfm pages was identified. When the well-known administrative interface URL /CFIDE/administrator/ was checked for access, it was found to be restricted. Further investigation revealed that the ColdFusion Debugging Panel was accessible at /debug/cf_debugFr.cfm despite the known /CFIDE/Administrator/ resources being restricted. A simple Google search revealed a “userPage” query string parameter that appeared to take a relative path to resources on sites that hosted the panel:
Checking the publicly known paths and vulnerabilities (https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/coldfusion_scanner.rb) was not fruitful.
Although the path was already known and discloses file paths when debugging is enabled, common web application testing techniques were applied to identify other potential vulnerabilities or avenues for attack. In our target environment, an outdated ColdFusion 9 instance was running on Linux. Although this version was old and had likely been tested by many others in the past, a path traversal that could disclose the contents of local files on the system was discovered.
A quick search online revealed no information about this vulnerability. Could this be a 0-day? ColdFusion 2016 was downloaded and tested, but the issue appeared to have been patched. No other information was easily found without some deep digging, so a report was submitted to Adobe’s bug bounty program (https://hackerone.com/adobe). When comparing the HTML source of the vulnerable client page with the ColdFusion 2016 test environment, the following differences were noted:
ColdFusion 2016: ../../etc/passwd
ColdFusion v9: %2E%2E%2F%2E%2E%2Fetc%2Fpasswd
Clearly an update was made to the code somewhere to patch the vulnerability. Examination of the ColdFusion 2016 source code confirms that encoding was being performed:
Adobe responded to the bug bounty report and stated that the vulnerability had previously been identified and was covered under CVE-2010-2861, which had been reviewed prior to submitting the issue. It appears that Adobe chose to patch the issue(s) without releasing full details. Adobe’s security bulletin is located at http://www.adobe.com/support/security/bulletins/apsb10-18.html and lists the affected versions as ColdFusion 8.0, 8.0.1, 9.0, 9.0.1 and earlier for Windows, Macintosh and UNIX. Information on addressing the bulletin can be found at https://helpx.adobe.com/coldfusion/kb/coldfusion-security-hot-fix-bulletin.html.
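As an added example that is neither the post's nor Adobe's code, the check below approaches the encoding difference noted above from the defender's side: it percent-decodes a userPage-style parameter, confines the resolved path to a base directory, and scans access-log lines for debug-panel requests whose parameter escapes that directory. The log format, the base directory and the client addresses are assumptions constructed for the example.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint from the blog post; the base directory is an assumed layout.
DEBUG_PANEL = "/CFIDE/debug/cf_debugFr.cfm"
ASSUMED_BASE_DIR = "/opt/coldfusion9/wwwroot/CFIDE/debug"

# Constructed Apache-style access log lines: benign requests plus the raw and percent-encoded traversal forms quoted in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2017:10:01:02 +0000] "GET /CFIDE/debug/cf_debugFr.cfm?userPage=index.cfm HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2017:10:01:03 +0000] "GET /CFIDE/debug/cf_debugFr.cfm?userPage=../../etc/hosts HTTP/1.1" 200 331',
    '203.0.113.9 - - [10/Oct/2017:10:01:04 +0000] "GET /CFIDE/debug/cf_debugFr.cfm?userPage=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1" 200 1120',
    '198.51.100.7 - - [10/Oct/2017:10:01:06 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
]

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %2E%2E%2F reads as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_user_page(base_dir, user_page):
    """Return the confined absolute path, or None when user_page escapes base_dir.
    The test runs on the normalised path, not the raw string, so encoded dots,
    nested '..' and 'sub/../..' sequences are all caught the same way."""
    base = posixpath.normpath(base_dir)
    relative = fully_decode(user_page).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None

def scan_log(lines, base_dir=ASSUMED_BASE_DIR):
    """Return (client, decoded userPage) for debug-panel requests escaping base_dir."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        url = urlsplit(parts[6])  # request target follows the quoted method
        if url.path.lower() != DEBUG_PANEL.lower():
            continue
        for value in parse_qs(url.query).get("userPage", []):  # decodes once
            if resolve_user_page(base_dir, value) is None:
                hits.append((parts[0], value))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to list the two traversal requests from 203.0.113.9; the benign index.cfm request and the non-panel request are not reported.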