After seeing the recent CVE-2024-20767 relating to Improper Access Control in Adobe ColdFusion, I wanted to better understand how it worked. From my experiences on Synack, ColdFusion is still pretty out there in the wild and often quite out of date.
I was unable to find much information on the vulnerability itself, other than a very in-depth piece here, so I decided to pull apart an existing exploit that can be found on GitHub, as this gives me the quick picture I need to understand what the attack looks like.
The attack is in two steps:
- Step 1: A GET request to `/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat` to retrieve the `uuid` in the XML response.
- Step 2: A GET request to `/pms?module=logging&file_name=../../../../../../../<path/to/file>&number_of_lines=100` with a `uuid` header set to the value found in step 1 and `file_name` set to the location of the file we want to read. If you're eagle-eyed, you'll have noticed the path traversal in the `file_name` parameter.
Below is a quick video to show how it all works against a test environment:
From the offensive side, the only real difficulty will be finding affected targets and getting the traversal in `file_name` past any WAF that is in place. A nice easy few hundred dollars for bug bounty hunters!
From the defensive side this should be easy to detect. Requests to `cfide`, `servermanager.cfc` and `pms` will be easy to see, as will the required parameters and the traversal; match on the decoded path and query, since the `../` may arrive percent-encoded. It's also very likely an attacker will aim for common files on the filesystem, which can also be detected easily.
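An added example, not from the post: the detection just described as Python over a few constructed access-log lines (documentation-range IPs and made-up timestamps). It decodes the path and parameters before matching, so a percent-encoded or double-encoded traversal is still caught, flags requests for well-known files, and correlates the two steps per source IP so a host that fetched the uuid and then hit `/pms` stands out.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). The requests
# mirror the two steps in the post, plus a double-URL-encoded variant and
# one benign request.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:14:02:11 +0000] "GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2024:14:02:12 +0000] "GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1" 200 1342 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Mar/2024:14:03:00 +0000] "GET /pms?module=logging&file_name=..%252f..%252f..%252fetc%252fshadow&number_of_lines=100 HTTP/1.1" 200 0 "-" "curl/8.4"',
    '203.0.113.9 - - [10/Mar/2024:14:03:05 +0000] "GET /index.cfm HTTP/1.1" 200 8890 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Common targets for a file-read primitive; extend with whatever matters on your hosts.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/windows/win.ini")


def fully_decode(value, rounds=3):
    """Percent-decode until stable (bounded), so %252f and %2f both become '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(line):
    """Return a finding dict for a suspicious request, or None for benign traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = fully_decode(parts.path).lower()
    # parse_qs decodes once; decode again to catch double encoding.
    params = {
        k.lower(): fully_decode(v[0])
        for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    tags = []
    if path.startswith("/cfide/"):
        tags.append("cfide")
        if path.endswith("/servermanager.cfc") and params.get("method", "").lower() == "getheartbeat":
            tags.append("heartbeat")  # step 1: uuid retrieval
    if path == "/pms":
        tags.append("pms")
        file_name = params.get("file_name", "").replace("\\", "/")
        if params.get("module", "").lower() == "logging" and ".." in file_name.split("/"):
            tags.append("traversal")  # step 2: ../ in file_name
        if any(file_name.endswith(s) for s in SENSITIVE_FILES):
            tags.append("sensitive_file")
    if not tags:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "path": path, "params": params, "tags": tags}


def scan(lines):
    return [f for f in map(analyse, lines) if f]


def two_step_sources(findings):
    """IPs that fetched the uuid via getHeartBeat and then hit /pms with a traversal."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["tags"])
    return sorted(ip for ip, tags in by_ip.items() if {"heartbeat", "traversal"} <= tags)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit["ip"], hit["ts"], hit["path"], ",".join(hit["tags"]))
    print("completed both steps:", two_step_sources(hits))
```

The same `analyse` function can be pointed at a live log with `scan(open(path))`. Alerting on `two_step_sources` alone misses an attacker who already holds a uuid, so the single-request `traversal` tag should page as well; the pair is useful mainly for triage.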
Prevention is better than detection. Following best practices and ensuring `cfide` and `pms` are not reachable from unintended locations such as the Internet should prevent the issue.