One Article Review

Home - The article:
Source Code White
Identifier 510629
Publication date 2018-03-13 15:41:13 (viewed: 2018-03-13 15:41:13)
Title Exploiting Adobe ColdFusion before CVE-2017-3066
Text

In a recent penetration test my teammate Thomas came across several servers running Adobe ColdFusion 11 and 12. Some of them were vulnerable to CVE-2017-3066, but no outgoing TCP connections were possible to exploit the vulnerability. He asked me whether I had an idea how he could still get a SYSTEM shell, and the outcome of the short research effort is documented here.

Introduction: Adobe ColdFusion & AMF

Before we go into technical details, I will give you a short intro to Adobe ColdFusion (CF). Adobe ColdFusion is an Application Development Platform like ASP.NET, but several years older. Adobe ColdFusion allows a developer to build websites, SOAP and REST web services, and to interact with Adobe Flash using the Action Message Format (AMF).

The AMF protocol is a custom binary serialization protocol. It has two formats, AMF0 and AMF3. An Action Message consists of headers and bodies. Several data types are supported in AMF0 and AMF3. For example, the AMF3 format supports the following protocol elements with their type identifier:

Details about the binary message formats of AMF0 and AMF3 can be found on Wikipedia (see https://en.wikipedia.org/wiki/Action_Message_Format).

There are several implementations of AMF in different languages. For Java we have Adobe BlazeDS (now Apache BlazeDS), which is also used in Adobe ColdFusion.

The BlazeDS AMF serializer can serialize complex object graphs. The serializer starts with the root object and serializes its members recursively. Two general serialization techniques are supported by BlazeDS to serialize complex objects:

- Serialization of Bean Properties (AMF0 and AMF3)
- Serialization using Java's java.io.Externalizable interface (AMF3)

Serialization of Bean Properties

This technique requires the object to be serialized to have a public no-arg constructor and, for every member, public getter and setter methods (JavaBeans convention). In order to collect all member values of an object, the AMF serializer invokes all getter methods during serialization. The member names and values are put in the Action Message body together with the class name of the object.

During deserialization, the class name is taken from the Action Message, a new object is constructed, and for every member name the corresponding setter method is called with the value as argument. This all happens either in the method readScriptObject() of class flex.messaging.io.amf.Amf3Input or in readObjectValue() of class flex.messaging.io.amf.Amf0Input.

Serialization using Java's java.io.Externalizable interface

BlazeDS further supports serialization of complex objects of classes implementing the java.io.Externalizable interface, which inherits from java.io.Serializable. Every class implementing this interface needs to provide its own logic to deserialize itself by calling methods on the java.io.ObjectInput implementation to read serialized primitive types and Strings (e.g. the method read(byte[] paramArrayOfByte)).

During deserialization of an object (type 0xa) in AMF3, the method readScriptObject() of class flex.messaging.io.amf.Amf3Input gets called. In line #759 the method readExternalizable is invoked, which calls the readExternal() method on the object to be deserialized.

This should be sufficient to serve as an introduction to Adobe ColdFusion and AMF.

Previous work

Chris Gates (@Carnal0wnage) published the paper Cold
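The object header that Amf3Input.readScriptObject() consumes before it chooses between the bean-property path and readExternalizable(), as an added example that is not from the Code White post or from BlazeDS: a small Python decoder for the AMF3 object (type 0xa) traits header that extracts the class name, the Externalizable flag and the sealed member names, plus an allowlist check a receiver could apply before any constructor or readExternal() runs. The com.example class names, the sample messages and the allowlist are constructed for the example.

```python
# Added example (not from the Code White post or BlazeDS): decode the AMF3
# object header a receiver reads before it instantiates anything.
AMF3_OBJECT = 0x0A  # AMF3 type marker for an object ("type 0xa" in the text)

def read_u29(buf, pos):
    # U29: up to three 7-bit groups with a continuation bit, then a fourth
    # byte contributing all 8 bits. Returns (value, new_pos).
    value = 0
    for i in range(4):
        b, pos = buf[pos], pos + 1
        if i == 3:
            return (value << 8) | b, pos
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos

def read_utf8_vr(buf, pos, table):
    # UTF-8-vr: low bit 1 = inline string of (head >> 1) bytes,
    # low bit 0 = reference (head >> 1) into the per-message string table.
    head, pos = read_u29(buf, pos)
    if head & 1 == 0:
        return table[head >> 1], pos
    n = head >> 1
    s = buf[pos:pos + n].decode("utf-8")
    if s:  # the empty string is never added to the reference table
        table.append(s)
    return s, pos + n

def parse_object_traits(buf, pos=0):
    # Inline object with inline traits. Returns (traits, pos_after_header);
    # members are the sealed member names whose setters a bean-style receiver
    # would invoke. Member values (the setter arguments) are not decoded here.
    if buf[pos] != AMF3_OBJECT:
        raise ValueError("not an AMF3 object marker")
    flags, pos = read_u29(buf, pos + 1)
    if flags & 0b11 != 0b11:
        raise ValueError("object or traits reference, not inline traits")
    table, members = [], []
    class_name, pos = read_utf8_vr(buf, pos, table)
    externalizable = bool(flags & 0b100)
    if not externalizable:  # an Externalizable object carries no member list
        for _ in range(flags >> 4):
            name, pos = read_utf8_vr(buf, pos, table)
            members.append(name)
    return {"class_name": class_name, "externalizable": externalizable,
            "dynamic": bool(flags & 0b1000), "members": members}, pos

def accept(buf, allowlist):
    # Policy a receiver can apply before deserializing: only a bean-style
    # object of an allowlisted class passes. Returns (traits, ok).
    traits, _ = parse_object_traits(buf)
    return traits, (not traits["externalizable"]) and traits["class_name"] in allowlist

# Constructed sample messages (not captured traffic):
BEAN_MSG = b"\x0a\x13\x29com.example.Greeting\x09name\x06\x07Bob"  # one member "name"
EXT_MSG = b"\x0a\x07\x1fcom.example.Foo"  # Externalizable; custom body would follow
```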