Friday, October 14, 2016

[ADOBE] Importance of up-to-date application usage plus complex password OR from directory traversal to admin panel takeover.

Hi all, well, today I would like to start my blog, and hope I will be able to update it from time to time. Unfortunately, I am not quite eloquent, and my posts may seem a bit plain, but I'm going to improve this skill. Finally I found interesting topic to share with a public, at least from my perspective ☺ Hope this article will be motivating and of course useful ;)


HOW DID IT START
In scope of bugbounty hunting, I perform Web application penetration testing for many of companies. A couple month ago my eye fell at Adobe program, but I got quick response from my subconscious: ‘Come on… It’s such a famous company, hundreds of hunters have already tested them, no sense to spend time on it. Forget.’ A month later, leafing through the companies list my eye fell once again, but now I asked myself: ‘Why not?’

Probably would be correctly to start from my approach to pentesting... In my daily work / hunting I always using PTES methodology. In nutshell about PTES: The penetration testing execution standard consists of seven (7) main sections. These cover everything related to a penetration test - from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post exploitation, where the technical security expertise of the testers come to play and combine with the business understanding of the engagement, and finally to the reporting, which captures the entire process, in a manner that makes sense to the customer and provides the most value to it.

Why do I need it or why it’s useful? Imagine that you are shooting at a target from a distance of 50m, it will be hard to get - right? But if somebody  bring its closer up to 25m – I suppose to hit the target will be much easier. Same here, when you have multiple subdomains to test – much easier to find some interesting stuff.


FINDING
So, first thing that I did is reconnaissance of the target. For this purposes I used multiple DNS enumeration tools, here are couple of them: subbrute, theharvester, etc. Well, let’s move further. During ‘Information Gathering’ PTES phase I have found that ‘lighthouse.adobe.com:8500’ host on 8500 port was vulnerable to Directory listing



As you can see, the latest changes at this host were done at 04/04/11, seems Adobe forgot about this site at all.. So, there a chance to find running outdated services. After some time of investigation - I have found admin panel login page, and yes, application was running at ‘lighthouse.adobe.com:8500’ outdated (latest version of ColdFusion at the time of writing is 13):



First thing that came to my mind – check exploits online for ColdFusion 9. As turned out – there are plenty of them, ColdFusion 9 is vulnerable to the following security vulnerabilities: DoS, Information Disclosing, XSS, CSRF, Administrative login Bypass, Directory Traversal, etc. That is interesting… Sure thing that my first try was to find exploit for ‘Administrative login Bypass’, it was easy to find plus as turned out, metasploit already has embedded module for it: exploit/multi/http/coldfusion_rds. Unfortunately I was failed to exploit this particular metasploit module… Time to re-read description of exploit ☺
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Its password can by default or by misconfiguration be set to an empty value. This allows you to create a session via the RDS login that can be carried over to the admin web interface even though the passwords might be different. Therefore bypassing authentication on the admin web interface which then could lead to arbitrary code execution.
So, seems administrator disable RDS at ColdFusion and I’m not able to use this exploit. Ok, move further, application is still vulnerable to plenty of vulnerabilities.  There is one more stuff, Directory Traversal, how can I exploit it, and is there any exploits online? Yes, here is one more exploit: https://www.exploit-db.com/exploits/14641/. Run it against of our target, and, vuala – we got hash value of our password: 50A826CED903EFF995651D65C21B5A6F67D9616A



According to the size and length of the hash - seems password is encrypted via SHA-1. For decrypt purpose I will use https://hashkiller.co.uk/sha1-decrypter.aspx. Wow, password was successfully decrypted: slapstick.




POST-EXPLOITATION:
Being as an Ethical Hacker – here my work is over, I will not harm the server – I just notified Abode security team regarding this breach. It was the fastest ever report triggering (~1.5 min)



About fix, I can say nothing much, because Adobe just turned off the application runned at 8500 port.


CONCLUSION:
Two ridiculous things that I  found here:
- The Adobe, who are the owners of ColdFusion Application Server have runned out-of-dated version;
- Complexity of the password was suck, as for such a company.


RESULTS:
In 3 days of penetration testing against Adobe, I was able to find:
- Admin panel takeover;
- 4 Stored XSS;
- 6 Directory Listings;
- 1 sensitive world-accessible config file;
- E-Mail Content Spoofing;
- 4 other minor server misconfiguration.

I suppose there could be found more interesting things, but to my big disappointment – Adobe doesn’t have any monetary rewards.. But still that is great start for me, since now you can find my name on their acknowledgement web-page

Bounty
Swag
HoF

REFERENCES:
Unfortunately, I found this presentation after whole my research, but I guess it will be useful to leave it here: http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf

Always believe in yourself and try yourself, even against such a huge and famous companies.

Good luck! :)

Thanks for your attention.