Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
Vendor: Adobe
Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html
Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below
Author: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.com
Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
CVE Identifier: CVE-2017-11284
Risk: Critical (unauthenticated remote code/command execution)
Summary
Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using Java Remote Method Invocation (RMI). The affected versions of ColdFusion are bundled with an outdated version of the Java runtime environment which does not properly validate RMI registry bind requests leading to a Java deserialisation vulnerability.
Location
This issue affects the Flex integration component of Adobe ColdFusion and the outdated Java runtime environment that is bundled with the affected versions of ColdFusion. These components are exposed through a Java RMI network service that listens on TCP port 1099 by default.
Impact
Full system compromise. An unauthenticated attacker can exploit this vulnerability to reliably execute arbitrary code or operating system commands. The payload is executed under the context of the local SYSTEM account by default.
Details
When Flex integration is enabled through the ColdFusion Administrator application, a Java RMI registry service is started which listens on TCP port 1099. The bundled Java runtime environment does not validate the type of objects submitted in a registry bind request, nor does it validate the source of the incoming bind request before deserialising the supplied object.
The affected versions of Adobe ColdFusion were bundled with the Mozilla Rhino JavaScript library. This library includes classes that can be configured and serialised in such a way that Java code will be executed during deserialisation. A specially crafted object can be created using these classes which can then be serialised and dispatched to the server in an illegal registry bind request, resulting in unauthenticated arbitrary code execution.
By default, the Adobe ColdFusion server service runs under the context of the local SYSTEM account. As a result, successful exploitation of this vulnerability gives an attacker complete control over the underlying server.
Recommendation
The Java runtime environment that is bundled with Adobe ColdFusion needs to be updated manually in order to protect against this vulnerability. Further information can be found at the following URLs:
- https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
- https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-5.html
- https://helpx.adobe.com/coldfusion/kb/coldfusion-11-update-13.html
Under a default installation of ColdFusion 2016 the bundled Java runtime environment can be found at the following path: C:ColdFusion2016jre
Note that under a default installation it is not sufficient to update the system Java runtime environment because ColdFusion uses its own bundled Java runtime environment.
Vendor Communication
Discovered: 29th June 2017
Reported: 29th June 2017
Fixed: 12th September 2017
About NCC Group
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.
Written by: Nick Bloor (@NickstaDB)