Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html
Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below
Author: Nick Bloor (@NickstaDB) / firstname.lastname@example.org
Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
CVE Identifier: CVE-2017-11283
Risk: Critical (unauthenticated remote code/command execution)
Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using Java Remote Method Invocation (RMI). If Flex integration is enabled then arbitrary Java objects can be sent to this RMI service without authentication. ColdFusion does not validate the type of these objects before deserialising them. Using libraries present on the CLASSPATH it is possible to trigger arbitrary code or command execution, with SYSTEM privileges by default.
This issue affects the Flex integration component of Adobe ColdFusion, which exposes a Java RMI network service that listens on TCP port 1099 by default.
Full system compromise. An unauthenticated attacker can exploit this vulnerability to reliably execute arbitrary code or operating system commands. The payload is executed under the context of the local SYSTEM account by default.
When Flex integration is enabled through the ColdFusion Administrator application, a Java RMI registry service is started which listens on TCP port 1099. An object is bound to this registry service under the name 'cfassembler/default'. This object implements the following interface:
This interface defines five methods as follows:
List fill(String s, Object o, Map m)
List sync(String s, List l, Map m)
Object get(String s, Map m1, Map m2)
Integer count(String s, Object o, Map m)
boolean fillContains(String s, Object o1, Object o2, Boolean b, Map m)
Each of these methods can be used to supply arbitrary Java objects to the server via parameters of types Object, List, and Map. When methods are invoked via RMI, the client serialises the method parameters in order to transmit them over the network. The server then deserialises the parameters before passing them to the target method. This means that each of these five methods presents an entry point for a Java deserialisation attack.
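The missing check described above, validating the type of each object before it is deserialised, is shown here as an added example; it is not code from the advisory, from Adobe or from ColdFusion. The class names, the allow-list contents and the sample inputs are assumptions made for illustration, and java.util.Date is a harmless stand-in for any type the receiver does not expect.

```java
import java.io.*;
import java.util.*;
// Added example: allow-list check applied before a class is deserialised.
public class AllowListDemo {
    // Assumed allow-list: concrete types needed for List, Map, Integer and
    // Boolean parameters (String values never reach resolveClass).
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList", "java.util.HashMap",
        "java.lang.Integer", "java.lang.Number", "java.lang.Boolean"));

    // Checks every class descriptor in the stream (superclasses included)
    // before the class is loaded or instantiated.
    static class FilteringInputStream extends ObjectInputStream {
        FilteringInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "type not allowed");
            }
            return super.resolveClass(desc);
        }
        @Override
        protected Class<?> resolveProxyClass(String[] ifaces) throws IOException {
            throw new InvalidClassException("dynamic proxy not allowed");
        }
    }
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }
    static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample inputs.
        Map<String, Object> expected = new HashMap<>();
        expected.put("page", 1);
        expected.put("names", new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("accepted: " + readChecked(serialise(expected)));
        try {
            readChecked(serialise(new Date())); // type outside the allow-list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because RMI deserialises parameters before the target method is invoked, a check of this kind has to sit in the stream handling itself; validating the arguments inside the method body runs too late.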
By default, the Adobe ColdFusion server service runs under the context of the local SYSTEM account. As a result, successful exploitation of this vulnerability gives an attacker complete control over the underlying server.
Adobe have released an update for ColdFusion which can be installed through the ColdFusion administrator application. Further information can be found at the following URLs:
The Java runtime environment that is bundled with Adobe ColdFusion also needs to be manually updated in order for the patch to be effective. Under a default installation of ColdFusion 2016 this can be found at the following path: C:\ColdFusion2016\jre
Important: Your server will still be vulnerable if you do not update the bundled Java runtime environment AND install the patch from Adobe. Updating the system Java runtime environment will not be sufficient under the default configuration.
Discovered: 29th June 2017
Reported: 29th June 2017
Fixed: 12th September 2017
Written by: Nick Bloor (@NickstaDB)
Published date: 16 October 2017