CVE-2019-7839: ColdFusion Code Execution Through JNBridge

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Sivathmican Sivakumaran and John Simpson of the Trend Micro Research Team detail a recent code execution vulnerability in Adobe ColdFusion. The bug was originally discovered and reported by Moritz Bechler of SySS GmbH. The following is a portion of their write-up covering CVE-2019-7839, with a few minimal modifications.


A remote code execution vulnerability has been reported in Adobe ColdFusion. This vulnerability is due to the JNBridge binary protocol port being exposed without any authentication.

A remote unauthenticated attacker can exploit this vulnerability by sending a crafted JNBridge binary protocol message to an affected server. Successful exploitation results in remote code execution as the root or SYSTEM user.

The Vulnerability

Adobe ColdFusion is an application development platform by Adobe Systems. It is an IDE used to develop web applications and supports a full scripting language, ColdFusion Markup Language (CFML). Since ColdFusion MX 6.0, the server component runs within a Java Runtime Environment (JRE).

JNBridge is third-party software that provides interoperability between Java and Microsoft .NET frameworks. Java and Microsoft .NET frameworks can communicate with each other via the JNBridge Binary Protocol, SOAP Protocol, or in-memory communication. ColdFusion 2016 and ColdFusion 2018 ship with JNBridge. This JNBridge server uses the JNBridge Binary Protocol and listens on TCP port 6093 or 6095 by default.

The JNBridge Binary Protocol is not publicly documented and the following was derived through reverse engineering jnbcore.jar. A JNBridge Binary Protocol message has the following format:

[Image: JNBridge Binary Protocol message format (not reproduced in this excerpt)]

The Data field contains a class name, method name, method signature and method arguments data as length-value encoded UTF-16 strings. Upon receiving a JNBridge Binary Protocol message, the server will invoke the method specified by the Data section with the specified arguments.

The JNBridge Server is accessible on TCP port 6093 or 6095 without any access control. JNBridge by design allows instantiation of arbitrary classes and invocation of arbitrary methods. When the JNBridge server receives a JNBridge Binary Protocol message, BinaryRequestHandler.handleRequest() is called. handleRequest() extracts the class, method, method signature and method arguments data by calling deserializeCall(). This data is stored in a CallArgs object. The server then attempts to invoke the specified method by calling JNBDispatcher.call(). call() will select an appropriate internal method based on the requested method signature. For example, a call to a static method with a void return value results in a call to voidStaticCall(). voidStaticCall() will select the specified class and invoke the specified method by reflection using java.lang.reflect.Method.invoke().

Source Code Walkthrough

The following code snippet was taken from jnbcore.jar in ColdFusion 2018 update 3 which ships with JNBridgePro v7.3.1 (.NET 4.0/4.5/4.6-targeted). Comments added by Trend Micro have been highlighted.

From BinaryRequestHandler.class:

[Image: annotated source of BinaryRequestHandler.class (not reproduced in this excerpt)]

From JNBDispatcher.class:

[Image: annotated source of JNBDispatcher.class (not reproduced in this excerpt)]

The Exploit

Here’s a quick video showing the exploit in action:

The Patch

Adobe addressed this bug with APSB19-17, which was released in June 2019. The update disables remote access to connections made in the .NET-to-Java direction within JNBridge. To enable remote access, the client IP address must be whitelisted within neo-dotnet.xml.

Since JNBridge allows arbitrary code execution by design, it is impossible to distinguish normal traffic from attack traffic. As recommended by the vendor, the best remediation would be to block all JNBridge Binary Protocol messages to TCP port 6093 or 6095.
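To make the dispatch path described above and the effect of the patch concrete, here is an added Python model that is not code from the ZDI/Trend Micro write-up and not JNBridge's own code. It mirrors what the write-up says deserializeCall() extracts (class name, method name, signature and arguments as length-value encoded UTF-16 strings), shows a dispatcher that resolves the target purely from those names in the unpatched form, and then gates the same dispatcher on a client-IP allowlist the way APSB19-17 does. The 4-byte length prefix, UTF-16BE encoding, argument-count field, the class names `demo.Greeter` and `demo.PrivilegedSink`, the allowlist contents and the connection-log format are all constructed assumptions; the real wire framing and the neo-dotnet.xml syntax are not on the page and are not reproduced.

```python
"""Added example: model of the JNBridge-style name-driven dispatch and of the
client allowlist the patch adds. Framing (4-byte big-endian length, UTF-16BE
payload, argument-count field) is an assumption, not the real protocol."""
import ipaddress
import struct
from dataclasses import dataclass, field


@dataclass
class CallArgs:
    """The fields the write-up says deserializeCall() stores in a CallArgs object."""
    class_name: str
    method_name: str
    signature: str
    args: list = field(default_factory=list)


def encode_lv(s: str) -> bytes:
    """Length-value string: 4-byte big-endian byte length, then UTF-16BE payload (assumed framing)."""
    payload = s.encode("utf-16-be")
    return struct.pack(">I", len(payload)) + payload


def decode_lv(buf: bytes, off: int):
    """Decode one length-value string at `off`; reject truncated or odd-length payloads."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n % 2 or off + n > len(buf):
        raise ValueError("bad string length")
    return buf[off:off + n].decode("utf-16-be"), off + n


def serialize_call(call: CallArgs) -> bytes:
    """Build a Data field: class, method, signature, then count-prefixed arguments."""
    out = encode_lv(call.class_name) + encode_lv(call.method_name) + encode_lv(call.signature)
    out += struct.pack(">I", len(call.args))
    for a in call.args:
        out += encode_lv(a)
    return out


def deserialize_call(data: bytes) -> CallArgs:
    """Inverse of serialize_call(); stands in for deserializeCall()."""
    off = 0
    cls, off = decode_lv(data, off)
    meth, off = decode_lv(data, off)
    sig, off = decode_lv(data, off)
    (argc,) = struct.unpack_from(">I", data, off)
    off += 4
    args = []
    for _ in range(argc):
        a, off = decode_lv(data, off)
        args.append(a)
    if off != len(data):
        raise ValueError("trailing bytes after arguments")
    return CallArgs(cls, meth, sig, args)


# Hypothetical stand-ins for classes reachable on the server's classpath.
class Greeter:
    @staticmethod
    def hello(name):
        return "hello " + name


class PrivilegedSink:
    """Plays the role of a sensitive static method; it only echoes, it never executes anything."""
    @staticmethod
    def act(what):
        return "would perform: " + what


REGISTRY = {"demo.Greeter": Greeter, "demo.PrivilegedSink": PrivilegedSink}


def dispatch_unpatched(call: CallArgs):
    """Pre-patch behaviour: class and method are chosen purely by the names in the message,
    the Python analogue of Method.invoke() inside voidStaticCall(). No caller check at all."""
    return getattr(REGISTRY[call.class_name], call.method_name)(*call.args)


# Assumed allowlist standing in for the neo-dotnet.xml whitelist the patch introduces.
ALLOWED_CLIENTS = [ipaddress.ip_network("127.0.0.1/32")]


def client_allowed(ip: str, allowed=None) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in (allowed or ALLOWED_CLIENTS))


def dispatch_patched(call: CallArgs, client_ip: str):
    """Patched behaviour: reject the connection before any reflective invocation happens."""
    if not client_allowed(client_ip):
        raise PermissionError(f"client {client_ip} is not allowlisted for JNBridge")
    return dispatch_unpatched(call)


JNBRIDGE_PORTS = {6093, 6095}


def flag_jnbridge_connections(log_lines, allowed=None):
    """Constructed 'src_ip dst_ip dst_port' records: return (src, port) pairs that reached a
    JNBridge listener from outside the allowlist, i.e. traffic the vendor says should be blocked."""
    hits = []
    for line in log_lines:
        src, _dst, dport = line.split()
        if int(dport) in JNBRIDGE_PORTS and not client_allowed(src, allowed):
            hits.append((src, int(dport)))
    return hits
```

The point the model makes is the one the write-up makes: the message itself is indistinguishable from legitimate use, since naming an arbitrary class and method is the protocol's normal function, so the only meaningful controls sit in front of the dispatcher (the address allowlist) or on the network (blocking TCP 6093/6095 from anything that is not a trusted .NET side).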

Special thanks to Sivathmican Sivakumaran and John Simpson of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the ZDI team for the latest in exploit techniques and security patches.

...

https://www.thezdi.com/blog/2019/7/25/cve-2019-7839-coldfusion-code-execution-through-jnbridge
