Technical Advisory: Adobe ColdFusion Object Deserialisation RCE

Vendor: Adobe
Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html
Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below
Author: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.com
Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
CVE Identifier: CVE-2017-11283
Risk: Critical (unauthenticated remote code/command execution)

Summary

Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using Java Remote Method Invocation (RMI). If Flex integration is enabled then arbitrary Java objects can be sent to this RMI service without authentication. ColdFusion does not validate the type of these objects before deserialising them. Using libraries present on the CLASSPATH it is possible to trigger arbitrary code or command execution, with SYSTEM privileges by default.

Location

This issue affects the Flex integration component of Adobe ColdFusion, which exposes a Java RMI network service that listens on TCP port 1099 by default.

Impact

Full system compromise. An unauthenticated attacker can exploit this vulnerability to reliably execute arbitrary code or operating system commands. The payload is executed under the context of the local SYSTEM account by default.

Details

When Flex integration is enabled through the ColdFusion Administrator application, a Java RMI registry service is started which listens on TCP port 1099. An object is bound to this registry service under the name ‘cfassembler/default’. This object implements the following interface:

  coldfusion.flex.rmi.DataServicesCFProxy

This interface defines five methods as follows:

  List fill(String s, Object[] o, Map m)
  List sync(String s, List l, Map m)
  Object get(String s, Map m1, Map m2)
  Integer count(String s, Object[] o, Map m)
  boolean fillContains(String s, Object[] o1, Object o2, Boolean b, Map m)

Each of these methods can be used to supply arbitrary Java objects to the server via parameters of types Object, Object[], List, and Map. When methods are invoked via RMI, the client serialises the method parameters in order to transmit them over the network. The server then deserialises the parameters before passing them to the target method. This means that each of these five methods presents an entry point for a Java deserialisation attack.

The affected versions of Adobe ColdFusion were bundled with the Mozilla Rhino JavaScript library. This library includes classes that can be configured and serialised in such a way that Java code will be executed during deserialisation.

By default, the Adobe ColdFusion server service runs under the context of the local SYSTEM account. As a result, successful exploitation of this vulnerability gives an attacker complete control over the underlying server.

Recommendation

Adobe have released an update for ColdFusion which can be installed through the ColdFusion administrator application. Further information can be found at the following URLs:

• https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
• https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-5.html
• https://helpx.adobe.com/coldfusion/kb/coldfusion-11-update-13.html

The Java runtime environment that is bundled with Adobe ColdFusion also needs to be manually updated in order for the patch to be effective. Under a default installation of ColdFusion 2016 this can be found at the following path: C:ColdFusion2016jre

Important: Your server will still be vulnerable if you do not update the bundled Java runtime environment AND install the patch from Adobe. Updating the system Java runtime environment will not be sufficient under the default configuration.

Vendor Communication

Discovered: 29th June 2017
Reported: 29th June 2017
Fixed: 12th September 2017

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Written by: Nick Bloor (@NickstaDB)