Lomtec ActiveWeb Professional 3.0 CMS Shell Upload / SYSTEM Execution

Posted Jan 27, 2011
Authored by StenoPlasma | Site exploitdevelopment.com

Lomtec ActiveWeb Professional 3.0 CMS allows for arbitrary file upload and execution as SYSTEM in ColdFusion.

tags | exploit, arbitrary, file upload
SHA-256 | 78494c3386ff463a2ce2a536380cd254dc574d5098b1fb4f4bc4d3c6534f5261

-------------------------------------------------------------------------------------
www.ExploitDevelopment.com 2010-WEB-002
(CERT VU#870532) (Security Focus BID 45985)
-------------------------------------------------------------------------------------

TITLE:
Lomtec ActiveWeb Professional 3.0 CMS Allows Arbitrary File Upload and
Execution as SYSTEM in ColdFusion

SUMMARY AND IMPACT:
The ActiveWeb Professional 3.0 web content management server is
vulnerable to remote operating system takeover. An unauthenticated
remote user can upload malicious files and backdoor ColdFusion
websites using the EasyEdit.cfm page. By accessing the "getImagefile"
section of the EasyEdit module, the remote attacker can change hidden
form fields to upload malicious applications and ColdFusion CFML
websites that execute those malicious applications or operating system
commands in the context of the ColdFusion service account (SYSTEM).
The remote user can now perform all functions of the system
administrator using uploaded CFML pages. The attacker can create a
SYSTEM level shell connection back to the attacker's computer, add
local administrator accounts, gather information about the victim
company's network or set up a sniffer to capture passwords. Other
pages on the ActiveWeb Professional CMS allow unauthenticated users to
perform directory listings of the entire Microsoft Windows operating
system.

DETAILS:
Use the following steps to exploit this vulnerability.

Step 1: Access the ActiveWeb Get Image File module.
http://VICTIMIP/activeweb/EasyEdit.cfm?module=EasyEdit&page=getimagefile&Filter=

Step 2: Using Mozilla Firefox with the Web Developer Toolbar, change
the UploadDirectory hidden form field to C:\. Change the Accepted
Extensions hidden form field to exe. Now you can upload the malicious
application (for example, Netcat.exe).

Step 3: Using Mozilla Firefox with the Web Developer Toolbar, change
the UploadDirectory hidden form field to
c:\activeweb\activeweb\wwwroot\. Change the Accepted Extensions hidden
form field to cfml. Upload your backdoor NetCat.cfml ColdFusion page
that calls CFEXECUTE to run the malicious application.

Step 4: Using Netcat.exe on the attacker's machine, listen for the
VICTIM server's remote shell.

Step 5: Using Mozilla Firefox, access the newly uploaded NetCat.cfml
backdoor page via http://VICTIMIP/activeweb/NetCat.cfml.

Step 6: You will now get a remote shell on your NetCat listener
running as the ColdFusion service account (the default is SYSTEM on
Microsoft Windows).
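The root cause in the steps above is that the upload handler takes both the destination directory and the list of accepted extensions from hidden form fields, which the client fully controls. The following Python is an added example written for this page, not code from the advisory or from Lomtec's product: it shows the server-side policy an upload handler must enforce instead, ignoring any UploadDirectory / AcceptedExtensions value sent by the client, stripping directory components from the file name, allowlisting extensions, and checking that the resolved path is still inside a fixed upload root. The upload root, the allowlist and the form field names are assumptions chosen for the example.

```python
import os
import re
from pathlib import Path, PureWindowsPath

# Server-side policy (assumed values, constructed for this example).
# These are never read from the request: the flaw in the advisory is that
# the CMS trusted hidden form fields for exactly these two decisions.
UPLOAD_ROOT = Path("/srv/cms/uploads/images")            # hypothetical path
ALLOWED_EXTENSIONS = frozenset({".jpg", ".jpeg", ".png", ".gif"})
MAX_NAME_LEN = 100


class UploadRejected(ValueError):
    """Raised when an upload violates the server-side policy."""


def safe_filename(client_name: str) -> str:
    """Reduce a client-supplied name to a bare, allowlisted file name."""
    # Drop any directory part, whether it uses Windows or POSIX separators,
    # so values like ..\..\wwwroot\x.cfml or ../x.png lose their path.
    base = Path(PureWindowsPath(client_name).name).name
    if not base or base in {".", ".."}:
        raise UploadRejected("empty or special file name")
    # Conservative character set: no spaces, NULs, semicolons or quotes.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,%d}" % MAX_NAME_LEN, base):
        raise UploadRejected("disallowed characters in file name")
    # Exactly one extension, and it must be on the allowlist. Rejecting
    # dots in the stem avoids double-extension tricks such as a.cfml.jpg.
    stem, ext = os.path.splitext(base)
    if "." in stem or ext.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    return base


def resolve_upload_path(form: dict) -> Path:
    """Return the only path an upload from this form may be written to.

    Any 'UploadDirectory' or 'AcceptedExtensions' key in `form` is ignored
    on purpose; the file name is the sole client-controlled input used.
    """
    name = safe_filename(str(form.get("filename", "")))
    root = UPLOAD_ROOT.resolve()
    target = (root / name).resolve()
    # Containment check after symlink/.. resolution, not before.
    if root not in target.parents:
        raise UploadRejected("path escapes upload root")
    return target


def is_accepted(form: dict) -> bool:
    """Convenience predicate: does this form pass the upload policy?"""
    try:
        resolve_upload_path(form)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample forms: the first mimics the tampered hidden fields
    # from the advisory; the policy accepts only the plain image upload.
    samples = [
        {"filename": "nc.exe", "UploadDirectory": "C:\\", "AcceptedExtensions": "exe"},
        {"filename": "..\\..\\activeweb\\wwwroot\\backdoor.cfml"},
        {"filename": "logo.png", "UploadDirectory": "C:\\", "AcceptedExtensions": "exe"},
    ]
    for f in samples:
        print(f["filename"], "->", "accepted" if is_accepted(f) else "rejected")
```

Applied to the advisory's scenario, tampering with the hidden fields has no effect because the handler never consults them, and an uploaded `.exe` or `.cfml` is refused at the extension check before any path is computed. Keeping the upload root outside the ColdFusion web root (and serving images from it through a handler rather than directly) is the complementary control that the containment check assumes.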

VULNERABLE PRODUCTS:
Lomtec ActiveWeb Professional 3.0

REFERENCES AND ADDITIONAL INFORMATION:
N/A

CREDITS:
StenoPlasma (at) ExploitDevelopment.com

TIMELINE:
Discovery: December 16, 2008
Vendor Notified: May 6, 2010 (No response from vendor)
Vendor Notified Attempt 2: May 10, 2010 (No response from vendor)
Vendor Notified Attempt 3: May 19, 2010 (No response from vendor)
Vendor Fixed: N/A
Vendor Notified of Disclosure: N/A
Disclosure to CERT: December 2, 2010
CERT Published: January 25, 2011

VENDOR URL:
http://www.lomtec.com

ADVISORY URL:
http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-002.html
http://www.kb.cert.org/vuls/id/528212
http://www.securityfocus.com/bid/45985/info

VENDOR ADVISORY URL:
N/A

-----------------------------------------------------
StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com
-----------------------------------------------------