Last updated Friday, December 15, 2023, 18:30:08 GMT

On July 11, 2023, Rapid7 and Adobe disclosed CVE-2023-29298, an access control bypass vulnerability affecting ColdFusion, which Rapid7 had reported to Adobe in April 2023. The vulnerability allows an attacker to bypass the product feature that restricts external access to the ColdFusion Administrator. Rapid7 and Adobe believed that CVE-2023-29298 was fixed upon publishing our coordinated disclosure (Rapid7 explicitly noted in our disclosure that we had not tested the patch Adobe released).

Upon review of the patch for CVE-2023-29298 as found in ColdFusion 2021 Update 8 (2021.0.08.330144), Rapid7 discovered that the patch released on July 11 does not successfully remediate the original issue and can be bypassed by an attacker. Adobe assigned CVE-2023-38205 to the patch bypass and has issued a complete fix as of July 19, 2023.

Rapid7 has observed exploitation of CVE-2023-29298 in the wild in multiple customer environments. Our team published a blog with observations and guidance for customers on July 17. We have verified that the new patch released on July 19 fully fixes this issue.

Affected products

The following products are vulnerable to CVE-2023-38205:

  • Adobe ColdFusion 2023 Update 2 and earlier
  • Adobe ColdFusion 2021 Update 8 and earlier
  • Adobe ColdFusion 2018 Update 18 and earlier

Credit

This issue was discovered by Stephen Fewer, Principal Security Researcher at Rapid7, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Vendor Statement

Adobe provided Rapid7 with the following statement:
"Adobe recommends updating ColdFusion installations to the latest release. Please see APSB23-47 for more information. Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion."

Analysis

The July 11 patch for CVE-2023-29298 modifies the vulnerable method IPFilterUtils.checkAdminAccess to use a new helper method, Utils.canonicalizeURI, to transform a URL into its canonical form before performing the access control check, as shown below.

  // Path prefixes that only the configured admin IP allow-list may reach.
  private static final String[] RESTRICTED_INTERNAL_PATHS = new String[] { "/restplay", "/cfide/restplay", "/cfide/administrator", "/cfide/adminapi", "/cfide/main", "/cfide/componentutils", "/cfide/wizards", "/cfide/servermanager", "/cfide/lockdown" };


  public static void checkAdminAccess(HttpServletRequest req) {
    String uri = Utils.getServletPath(req);
    // New in the July 11 patch: canonicalize before the prefix comparison.
    uri = Utils.canonicalizeURI(uri.toLowerCase()); // <----
    for (String restrictedPath : RESTRICTED_INTERNAL_PATHS) {
      if (uri.startsWith(restrictedPath)) {
        String ip = req.getRemoteAddr();
        if (!isAllowedIP(ip))
          throw new AdminAccessDeniedException(ServiceFactory.getSecurityService().getAllowedAdminIPList(), ip);
        break;
      }
    }
  }


The method Utils.canonicalizeURI attempts to remove sequences of characters such as duplicate forward slashes, double dot notation and redundant dot path segments in a URL's path, as shown below.

  public static String canonicalizeURI(String uri) {
    if (uri == null || uri.length() == 0)
      return uri;
    uri = uri.replace('\\', '/');
    uri = trimDuplicateSlash(uri);
    uri = collapseDotDots(uri); // <----
    uri = trimTrailingDotsSpacesNull(uri);
    if (uri.charAt(0) == '.')
      uri = uri.substring(1);
    uri = substitute(uri, "/./", "/");
    if (uri.endsWith("/."))
      uri = uri.substring(0, uri.length() - 2);
    if (uri.length() == 0)
      uri = "/";
    return uri;
  }

Of note is the method Utils.collapseDotDots, which removes every path segment that contains a double dot along with the preceding path segment. For example, if a URL path contains the string "/hello/../world/", the method Utils.collapseDotDots would correctly transform this string into "/world/" by deleting the character sequence "/hello/.." via a call to StringBuffer.delete, as shown below.

  public static String collapseDotDots(String str) {
    if (str.indexOf("/..") == -1)
      return str;
    StringBuffer sb = new StringBuffer(str);
    int i;
    while ((i = str.indexOf("/..")) != -1) {
      // Start of the segment that precedes the "/.." (the slash before it).
      int segmentStart = str.lastIndexOf('/', i - 1);
      // Deletes from that slash up to and including the "/..", regardless
      // of what character follows the double dot.
      sb.delete(segmentStart, i + 3); // <----
      str = sb.toString();
    }
    if (str.length() == 0)
      str = "/";
    return str;
  }

While the above is correct, it exposes an issue in how ColdFusion handles ColdFusion Module (CFM) and ColdFusion Component (CFC) endpoints when resolving a path to the endpoint. If an attacker accesses the URL path "/hax/..CFIDE/wizards/common/utils.cfc", the access control can be bypassed and the expected endpoint can still be reached, even though this is not a valid URL path (note that there is no forward slash after the double dot and before CFIDE, as would normally be expected).

When this path is processed, the method Utils.collapseDotDots transforms it into "cfide/wizards/common/utils.cfc" by removing the double dot path segment together with the preceding segment, i.e. the sequence "/hax/..". The path "cfide/wizards/common/utils.cfc" will not match any of the restricted paths in RESTRICTED_INTERNAL_PATHS during IPFilterUtils.checkAdminAccess because it no longer begins with a leading forward slash. This bypasses the access control. However, the underlying Servlet will still process the path "/hax/..CFIDE/wizards/common/utils.cfc", allowing the expected CFC endpoint to be invoked. The same applies to CFM endpoints.
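To make the behaviour concrete, here is a small Python model of the July 11 logic (an added example, not ColdFusion's code or Rapid7's). It ports collapseDotDots faithfully, approximates canonicalizeURI (the helpers trimDuplicateSlash, trimTrailingDotsSpacesNull and substitute are not shown in the post, so their behaviour here is assumed), runs both the "/hello/../world/" case and the bypass path through it, and contrasts the patched prefix check with a fail-closed variant that treats any remaining dot-dot as restricted and re-anchors the canonical path with a leading slash. The hardened variant illustrates the failure mode; it is not Adobe's July 19 fix.

```python
"""Model of the July 11 canonicalization and prefix check (added example)."""
import re

# Copied from RESTRICTED_INTERNAL_PATHS in the post.
RESTRICTED_INTERNAL_PATHS = [
    "/restplay", "/cfide/restplay", "/cfide/administrator", "/cfide/adminapi",
    "/cfide/main", "/cfide/componentutils", "/cfide/wizards",
    "/cfide/servermanager", "/cfide/lockdown",
]

# The request path from the post that defeats the July 11 patch.
BYPASS_PATH = "/hax/..CFIDE/wizards/common/utils.cfc"


def collapse_dot_dots(s: str) -> str:
    """Port of Utils.collapseDotDots: delete each '/..' together with the
    segment that precedes it. Like the Java code, it never checks what
    follows the double dot, so '/hax/..cfide' loses its leading slash."""
    while True:
        i = s.find("/..")
        if i == -1:
            break
        segment_start = s.rfind("/", 0, i)  # same as lastIndexOf('/', i - 1)
        if segment_start == -1:
            # Java's StringBuffer.delete throws on a negative start index.
            raise ValueError("dot-dot with no preceding segment")
        s = s[:segment_start] + s[i + 3:]
    return s or "/"


def canonicalize_uri(uri: str) -> str:
    """Approximation of Utils.canonicalizeURI; the three helpers not shown
    in the post are modelled by assumption."""
    if not uri:
        return uri
    uri = uri.replace("\\", "/")
    uri = re.sub(r"/{2,}", "/", uri)          # trimDuplicateSlash (assumed)
    uri = collapse_dot_dots(uri)
    uri = uri.rstrip(". \x00")                # trimTrailingDotsSpacesNull (assumed)
    if uri.startswith("."):
        uri = uri[1:]
    uri = uri.replace("/./", "/")             # substitute(uri, "/./", "/")
    if uri.endswith("/."):
        uri = uri[:-2]
    return uri or "/"


def is_restricted(path: str) -> bool:
    return any(path.startswith(p) for p in RESTRICTED_INTERNAL_PATHS)


def patched_check_is_restricted(raw_uri: str) -> bool:
    """The July 11 logic: lowercase, canonicalize, then prefix-match."""
    return is_restricted(canonicalize_uri(raw_uri.lower()))


def hardened_check_is_restricted(raw_uri: str) -> bool:
    """Fail-closed variant (an assumption, not Adobe's fix): any path that
    still carries a dot-dot is treated as restricted, and the canonical
    form is re-anchored with '/' so a stripped leading slash cannot
    defeat the prefix comparison."""
    lowered = raw_uri.lower().replace("\\", "/")
    if ".." in lowered:
        return True
    canon = canonicalize_uri(lowered)
    if not canon.startswith("/"):
        canon = "/" + canon
    return is_restricted(canon)


if __name__ == "__main__":
    print(collapse_dot_dots("/hello/../world/"))       # /world/
    print(canonicalize_uri(BYPASS_PATH.lower()))       # cfide/wizards/common/utils.cfc
    print(patched_check_is_restricted(BYPASS_PATH))    # False: access control bypassed
    print(hardened_check_is_restricted(BYPASS_PATH))   # True
```

Running the block shows the two halves of the bug side by side: the canonical form of the bypass path has no leading slash, so the patched check returns False, while the direct path "/CFIDE/wizards/common/utils.cfc" is still caught. The lesson for any prefix-based access control is that the string you compare must be the same string the underlying handler resolves; when canonicalization can produce a form the handler would never see, the check must fail closed.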

Exploitation

The following was tested on Adobe ColdFusion 2021 Update 8 (2021.0.08.330144) running on Windows Server 2022 and configured with the Production and Secure profiles.

We can demonstrate the patch bypass using the cURL command. For example, when attempting to perform a remote method call to wizardHash on the /CFIDE/wizards/common/utils.cfc endpoint, the following cURL command can be used; note the use of double dot notation as highlighted below:

Note: the ampersand (&) has been escaped with a caret (^) because this example is run from Windows; on Linux you must escape the ampersand with a backslash (\).

c:\> curl -ivk --path-as-is http://172.25.25.0:8500/hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo

We can see that both the access control and the patch for CVE-2023-29298 have been bypassed and the request completed successfully.
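From the defender's side, the request above has a recognisable shape in web-server access logs: a dot-dot sequence immediately followed by a CFIDE (or restplay) resource name. The following scanner is an added example, not part of Rapid7's post; the log format it parses and the sample lines it reads are constructed (the IPs and timestamps are made up), so adapt the regular expression to your own server's log layout.

```python
"""Constructed access-log scanner for dot-dot requests aimed at CFIDE paths."""
import re
from urllib.parse import unquote

# Simplified Apache/IIS-style line: ip ident user [time] "METHOD target PROTO" status size
# (an assumption about the log layout, not ColdFusion's own format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines. The first mirrors the request shown in the post;
# the others are benign traffic, including a legitimate dot-dot that does
# not reach a restricted name and a direct admin request the filter blocked.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2023:10:01:02 +0000] "GET /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo HTTP/1.1" 200 512
198.51.100.4 - - [19/Jul/2023:10:01:05 +0000] "GET /index.cfm HTTP/1.1" 200 2048
198.51.100.4 - - [19/Jul/2023:10:01:09 +0000] "GET /assets/../index.cfm HTTP/1.1" 200 2048
198.51.100.9 - - [19/Jul/2023:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 150
"""


def parse_line(line: str):
    """Return a dict with ip, path and status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and percent-decode so that the comparison below
    # sees the path the way the server resolved it.
    rec["path"] = unquote(rec["target"].split("?", 1)[0])
    return rec


def is_suspicious(path: str) -> bool:
    """True when a dot-dot sequence is followed, later in the path, by a
    restricted resource name. A legitimate '/assets/../index.cfm' is not
    flagged; '/hax/..CFIDE/wizards/...' is."""
    p = path.lower()
    if ".." not in p:
        return False
    after = p[p.rfind("..") + 2:]
    return "cfide/" in after or "restplay" in after


def scan(log_text: str):
    """Return (ip, path, status) for every line worth an analyst's attention.
    A 200 status on a flagged line means the request reached the endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

Because the bypass relies on the dot-dot not being followed by a slash, a rule that only looks for "/../" would miss it; matching on the dot-dot followed anywhere by a restricted name catches both the shape on this page and ordinary traversal attempts against the same endpoints. Pair the log rule with the status code: a flagged request answered with 200 on an unpatched host is the one to investigate first.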

Remediation

Adobe released a fix for this vulnerability on July 19, 2023. According to Adobe's advisory, the following versions fix this issue:

  • Adobe ColdFusion 2023 Update
  • Adobe ColdFusion 2021 Update
  • Adobe ColdFusion 2018 Update 19

Since Rapid7 has observed exploitation in the wild, we strongly recommend that ColdFusion customers update to the latest versions as soon as possible, without waiting for a typical patch cycle.

Timeline

  • April 11 - July 10, 2023: Rapid7 discloses CVE-2023-29298 to Adobe; Rapid7 and Adobe coordinate disclosure
  • July 11, 2023: Rapid7 and Adobe disclose CVE-2023-29298 publicly
  • July 13 - 15, 2023: Rapid7 detects exploitation of Adobe ColdFusion in the wild and determines that attackers are leveraging an exploit chain that ends in remote code execution
  • July 17, 2023: Rapid7 warns customers of ColdFusion exploitation in the wild. Rapid7 discovers that the patch for CVE-2023-29298 can be bypassed and informs Adobe. Adobe notifies Rapid7 of its intent to fix the patch bypass.
  • July 18, 2023: Further coordination
  • July 19, 2023: This disclosure.