-------------------------------------------------------------------------------------
www.ExploitDevelopment.com 2010-WEB-002 (CERT VU#870532) (Security Focus BID 45985)
-------------------------------------------------------------------------------------

TITLE:
Lomtec ActiveWeb Professional 3.0 CMS Allows Arbitrary File Upload and Execution as SYSTEM in ColdFusion

SUMMARY AND IMPACT:
The ActiveWeb Professional 3.0 web content management server is vulnerable to remote operating system takeover. An unauthenticated remote user can upload malicious files and backdoor ColdFusion websites using the EasyEdit.cfm page. By accessing the "getImagefile" section of the EasyEdit module, the remote attacker can change hidden form fields to upload malicious applications and ColdFusion CFML pages that execute those applications or operating system commands in the context of the ColdFusion service account (SYSTEM). The remote user can then perform all functions of the system administrator using the uploaded CFML pages. The attacker can create a SYSTEM-level shell connection back to the attacker's computer, add local administrator accounts, gather information about the victim company's network, or set up a sniffer to capture passwords. Other pages on the ActiveWeb Professional CMS allow unauthenticated users to perform directory listings of the entire Microsoft Windows operating system.

The root cause is that the upload destination directory and the list of accepted file extensions are supplied by the client in hidden form fields and are trusted by the server, and the upload module itself does not require authentication.

DETAILS:
Use the following steps to exploit this vulnerability.

Step 1: Access the ActiveWeb Get Image File module.
http://VICTIMIP/activeweb/EasyEdit.cfm?module=EasyEdit&page=getimagefile&Filter=

Step 2: Using Mozilla Firefox with the Web Developer Toolbar, change the UploadDirectory hidden form field to C:\. Change the Accepted Extensions hidden form field to exe. Now you can upload the malicious application (for example, Netcat.exe).

Step 3: Using Mozilla Firefox with the Web Developer Toolbar, change the UploadDirectory hidden form field to c:\activeweb\activeweb\wwwroot\. Change the Accepted Extensions hidden form field to cfml. Upload your backdoor NetCat.cfml ColdFusion page that calls CFEXECUTE to run the malicious application.

Step 4: Using Netcat.exe on the attacker's machine, listen for the VICTIM server's remote shell.

Step 5: Using Mozilla Firefox, access the newly uploaded NetCat.cfml backdoor page via http://VICTIMIP/activeweb/NetCat.cfml.

Step 6: You will now get a remote shell on your Netcat listener running as the ColdFusion service account (the default is SYSTEM on Microsoft Windows).

VULNERABLE PRODUCTS:
Lomtec ActiveWeb Professional 3.0

REFERENCES AND ADDITIONAL INFORMATION:
N/A

CREDITS:
StenoPlasma (at) ExploitDevelopment.com

TIMELINE:
Discovery: December 16, 2008
Vendor Notified: May 6, 2010 (No response from vendor)
Vendor Notified Attempt 2: May 10, 2010 (No response from vendor)
Vendor Notified Attempt 3: May 19, 2010 (No response from vendor)
Vendor Fixed: N/A
Vendor Notified of Disclosure: N/A
Disclosure to CERT: December 2, 2010
CERT Published: January 25, 2011

VENDOR URL:
http://www.lomtec.com

ADVISORY URL:
http://www.exploitdevelopment.com/Vulnerabilities/2010-WEB-002.html
http://www.kb.cert.org/vuls/id/528212
http://www.securityfocus.com/bid/45985/info

VENDOR ADVISORY URL:
N/A

-----------------------------------------------------
StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com
-----------------------------------------------------
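The following detection script is an added example, not part of the advisory or of the vendor's product. It scans constructed IIS W3C-style web server log lines (a hypothetical field layout: date, time, client IP, method, URI stem, URI query, status) for the activity pattern the advisory describes: the unauthenticated upload module (EasyEdit.cfm with page=getimagefile) being served with HTTP 200, followed by the same client requesting a CFML page that is not in the site's known page inventory.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not real traffic). Fields: date time c-ip
# cs-method cs-uri-stem cs-uri-query sc-status. A "-" query means none.
SAMPLE_LOG = """\
2011-01-26 10:01:02 198.51.100.7 GET /activeweb/EasyEdit.cfm module=EasyEdit&page=getimagefile&Filter= 200
2011-01-26 10:01:30 198.51.100.7 POST /activeweb/EasyEdit.cfm module=EasyEdit&page=getimagefile 200
2011-01-26 10:02:05 198.51.100.7 GET /activeweb/NetCat.cfml - 200
2011-01-26 10:03:00 203.0.113.9 GET /activeweb/index.cfm page=home 200
2011-01-26 10:04:00 203.0.113.9 GET /activeweb/EasyEdit.cfm module=EasyEdit&page=getimagefile 302
"""

UPLOAD_MODULE = "/activeweb/easyedit.cfm"   # from the advisory's Step 1 URL
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, stem, query, status = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "stem": stem.lower(),
            "query": {} if query == "-" else parse_qs(query, keep_blank_values=True),
            "status": int(status)}

def find_suspicious(log_text, known_pages):
    """Return (ip, ts, reason) tuples for the upload-module / new-CFML pattern.

    known_pages is the inventory of CFML pages that legitimately exist on the
    site; any other .cfm/.cfml request from a client that already reached the
    upload module is treated as a possible uploaded backdoor.
    """
    known = {p.lower() for p in known_pages}
    reached_upload = set()   # client IPs that were served the upload form
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        page = rec["query"].get("page", [""])[0].lower()
        if rec["stem"] == UPLOAD_MODULE and page == "getimagefile" and rec["status"] == 200:
            # A 200 means the upload form was served rather than an auth redirect.
            reached_upload.add(rec["ip"])
            findings.append((rec["ip"], rec["ts"], "upload module served without redirect"))
        elif (rec["stem"].endswith((".cfm", ".cfml")) and rec["stem"] not in known
              and rec["ip"] in reached_upload):
            findings.append((rec["ip"], rec["ts"], "unknown CFML page requested: " + rec["stem"]))
    return findings
```

Run `find_suspicious(SAMPLE_LOG, ["/activeweb/index.cfm", "/activeweb/EasyEdit.cfm"])` to see the three hits from the sample; the 302 response on the last line is not flagged because the module redirected instead of serving the form.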