Shulou(Shulou.com)05/31 Report--

How to carry out Adobe ColdFusion deserialization RCE vulnerability analysis, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

I. description of vulnerabilities

On February 12, 2019, Adobe officially released a security update for Adobe ColdFusion, numbered APSB19-10. The patch contains a Critical (critical) deserialization vulnerability discovered by Star ADLab and immediately submitted to the authorities, which can be exploited by attackers to remotely execute arbitrary code.

The vulnerability number is CVE-2019-7091, as shown in the following figure:

This vulnerability is a vulnerability in the FlashGateway service in AdobeColdFusion. There is a deserialization vulnerability in AdobeColdFusion's FlashGateway service, where an unauthenticated attacker sends specially crafted malicious data to the target AdobeColdFusion's FlashGateway service, which can be deserialized and can execute arbitrary code remotely.

Second, the vulnerability timeline

September 21, 2018: submit details of the vulnerability to the official

December 05, 2018: confirm the existence of the vulnerability and start fixing

February 12, 2019: the official patch is released.

Third, loophole analysis

Adobe ColdFusion's FlashGateway service allows flash to connect to CFML and CFC templates. When an attacker delivers carefully constructed ActionMessage information to the FlashGateway service POST through the HTTP protocol, the FlashGateway service in turn performs invoke () operations through various types of filter. In flashgateway.filter.SerializationFilter 's invoke method, we instantiate the MessageDeserializer type deserialization tool deserializer and deserialize the carefully constructed ActionMessage messages through the deserializer.readMessage (m) method, while assigning targetURI and data equivalents in ActionMessage to MessageBody.

After the serialization process is completed, the content in the ActionContextcontext is the carefully constructed ActionMessage information in the input stream. In the invoke method of flashgateway.filter.AdapterFilter, the MessageBody information in ActionContext is read and assigned to serviceName, functionName, parameters, etc., the adapter of flashgateway.adapter.java.JavaBeanAdapter type is obtained by adapter=locateAdapter (context,serviceName, functionName, parameters, serviceType) method, and then the invokeFunction method of JavaBeanAdapter is executed. The key code is as follows:

Public ActionContext invoke (ActionContext context) throws Throwable {. / / read MessageBody information MessageBody requestMessageBody = context.getRequestMessageBody (); String serviceName = requestMessageBody.serviceName; String functionName = requestMessageBody.functionName; List parameters = requestMessageBody.parameters;. If (context.isDescribeRequest ()) {result = adapter.describeService (context, serviceName);} else {/ / adapter is JavaBeanAdapter, execute the invokeFunction method of flashgateway.adapter.java.JavaBeanAdapter result = adapter.invokeFunction (context, serviceName, functionName, parameters);}

In the invokeFunction method of JavaBeanAdapter, you see the key code: method.invoke (service,parameters.toArray ()).

Where the target execution method method is obtained by Method method = this.getMethod (parameters, serviceName, functionName, aClass)

The method execution object service is obtained by service = aClass.newInstance ()

The method execution parameter parameters.toArray () is obtained through MessageBody.

Thus, the parameters used in method.invoke (service,parameters.toArray ()) are controllable, meaning that arbitrary methods can be executed.

The whole process is shown in the following figure:

Fourth, the effect of vulnerability exploitation

Fifth, influence the version

ColdFusion 11 Update 15 and earlier

ColdFusion 2016 Update 7 and previous versions

ColdFusion 2018 Update 1 and earlier.

VI. Circumvention plan

1. Modify the configuration of the gateway-config.xml file to prohibit the use of JavaBeanAdapter.

2. Upgrade the latest patch APSB19-10: https://helpx.adobe.com/security/products/coldfusion/apsb19-10.html.

After reading the above, have you mastered how to analyze Adobe ColdFusion deserialization RCE vulnerabilities? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.