Full Report
The authors knew about a potential RCE in Adobe ColdFusion, so they went to the Java code and started diffing it against the previous version. While doing this, they found that the function validateWddxFilter() had been added. It verifies the type attribute of the object to ensure it starts with coldfusion. The sink is a call to getClassBySignature(), which obtains an instance of an arbitrary class; the code then invokes a method on it whose name must start with set. Being able to instantiate an arbitrary class and call a semi-restricted method on it is a good primitive to start from! Their test payload was java.util.Date.setDate(). After verifying in a debugger that this worked, they set out to look for more primitives. With the class com.sun.rowset.JdbcRowSetImpl, setDataSourceName() sets a JNDI lookup name; calling setAutoCommit() afterwards triggers the lookup, giving a JNDI injection vulnerability like Log4Shell. To turn that into code execution, the authors used a ysoserial Java serialization payload built on commons-beanutils. Pretty neat bug and unique primitive.
Analysis Summary
# Vulnerability: Deserialization Leading to RCE via WDDX Filter Bypass in Adobe ColdFusion
## CVE Details
- CVE ID: **CVE-2023-29300** (Primary RCE discussed from initial patch analysis), **CVE-2023-38204** (Related fix confirmed by authors), **CVE-2023-38205** (Mentioned as exploited in the wild, though details relate to the broader set of disclosed issues)
- CVSS Score: *Score not explicitly provided in the summary, but context implies Critical severity (Pre-Auth RCE).*
- CWE: CWE-502: Deserialization of Untrusted Data (Implied by WDDX parsing)
## Affected Systems
- Products: Adobe ColdFusion
- Versions: ColdFusion 2018, 2021, and 2023 installations (prior to the specific updates). The exploit path described was refined against a ColdFusion 2021 Update 8 environment.
- Configurations: Vulnerable when processing crafted WDDX packets that utilize the `struct` element. Remote Code Execution (RCE) is possible even when the instance is in lockdown mode by chaining with CVE-2023-29298 (if applicable).
## Vulnerability Description
The vulnerability exists within the WDDX deserialization functionality, specifically concerning the newly added `validateWddxFilter()` function intended to sanitize the `type` attribute of a WDDX `struct` element.
1. **Source/Filter:** The validation requires the `type` attribute (which corresponds to a fully qualified class name, FQCN) to start with `coldfusion.` or pass secondary checks.
2. **Sink:** If validation passes or logic is bypassed, the code proceeds to use Java Reflection via `getClassBySignature()` to load an arbitrary class.
3. **Primitive:** Once a class is loaded, subsequent calls are made to setters (`setBeanProperties()`), providing a method invocation primitive.
4. **Exploitation Chain:** Researchers demonstrated that they could leverage this to call methods like `java.util.Date.setDate()` initially. More critically, they chained this primitive to:
   a. Instantiate `com.sun.rowset.JdbcRowSetImpl`.
   b. Call `setDataSourceName()` to set a JNDI lookup name.
   c. Call `setAutoCommit()` to trigger the JNDI injection (akin to Log4Shell).
   d. Finally, by using a ysoserial payload leveraging `commons-beanutils`, achieve Remote Code Execution (RCE).
## Exploitation
- Status: **PoC available** (Authors verified functionality via debugger and described the full chain). RCE was achieved in testing. CVE-2023-38205 (related) was noted as **Exploited in the wild** in limited attacks.
- Complexity: **Medium** (Requires understanding of WDDX parsing, Java reflection, JNDI injection, and deserialization gadget chaining, such as using ysoserial).
- Attack Vector: **Network** (Pre-authentication RCE via network request containing the crafted WDDX packet).
## Impact
- Confidentiality: **High** (RCE allows access to system data).
- Integrity: **High** (RCE allows arbitrary code execution and modification of system state).
- Availability: **High** (RCE allows denial of service or system compromise).
## Remediation
### Patches
- Adobe released security updates addressing these issues. Specifically, authors confirmed fixes for the analyzed path were included in the patch associated with **CVE-2023-38204**.
- **Action:** Update ColdFusion installations to the latest release as per **APSB23-47**.
### Workarounds
- No explicit workarounds were detailed in the provided text, as updating is the recommended action. Temporary mitigation likely involves restricting access to WDDX processing endpoints or implementing strict network segmentation until patching is complete.
## Detection
- **Indicators of Compromise:** Network traffic containing serialized WDDX payloads targeting ColdFusion endpoints. Post-exploitation artifacts related to JNDI lookups or execution of `ysoserial` gadgets within the application process.
- **Detection methods and tools:** Utilizing signatures for the specific WDDX payload structure or employing tools like Nuclei templates (provided by the researchers) to detect vulnerable instances. Monitoring for unusual outbound network connections indicative of JNDI LDAP/RMI lookups originating from ColdFusion processes.
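The following is an added example, not code from the write-up or from ProjectDiscovery: a small inspector that applies the same `coldfusion.` prefix rule to the `type` attribute of every WDDX `struct` (the check described under Vulnerability Description) and also flags the gadget class named above and any JNDI-style URL inside string values, so it can be run over captured request bodies. The two WDDX packets are constructed for the example; `PLACEHOLDER-HOST` is not a real indicator.

```python
import re
import xml.etree.ElementTree as ET

# Prefix the patched validateWddxFilter() requires of the struct type attribute (from the write-up).
ALLOWED_PREFIX = "coldfusion."
# Gadget class named in the write-up; a request asking for it has no legitimate purpose.
GADGET_CLASSES = {"com.sun.rowset.JdbcRowSetImpl"}
# URL schemes that would cause an outbound JNDI lookup if they reach a lookup call.
JNDI_SCHEMES = re.compile(r"^(ldap|ldaps|rmi|dns|iiop)://", re.IGNORECASE)


def inspect_wddx(packet: str) -> list[str]:
    """Return findings for one WDDX packet body; an empty list means nothing suspicious."""
    findings = []
    try:
        root = ET.fromstring(packet)
    except ET.ParseError as exc:
        return [f"unparseable WDDX packet: {exc}"]
    for struct in root.iter("struct"):
        fqcn = struct.get("type")
        if fqcn is not None:
            # A type attribute coerces the struct into a Java class; anything outside the
            # allowlisted prefix is exactly what the vulnerable filter should have rejected.
            if not fqcn.startswith(ALLOWED_PREFIX):
                findings.append(f"struct type outside allowlist: {fqcn}")
            if fqcn in GADGET_CLASSES:
                findings.append(f"known deserialization gadget requested: {fqcn}")
    # Scan every string value regardless of its var name; a JNDI URL in WDDX data is a strong signal.
    for node in root.iter("string"):
        value = (node.text or "").strip()
        if JNDI_SCHEMES.match(value):
            findings.append(f"JNDI lookup URL in string value: {value}")
    return findings


# Constructed sample packets (not captured traffic).
BENIGN_PACKET = """<wddxPacket version='1.0'><header/><data>
<struct><var name='city'><string>Berlin</string></var></struct>
</data></wddxPacket>"""

SUSPICIOUS_PACKET = """<wddxPacket version='1.0'><header/><data>
<struct type='com.sun.rowset.JdbcRowSetImpl'>
<var name='x'><string>ldap://PLACEHOLDER-HOST/x</string></var>
</struct></data></wddxPacket>"""

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_PACKET), ("suspicious", SUSPICIOUS_PACKET)):
        print(label, inspect_wddx(pkt) or "no findings")
```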
## References
- Vendor Advisories: [APSB23-40](https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html), [APSB23-47](https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html)
- Relevant links: ProjectDiscovery Blog Post (defanged): hxxps://projectdiscovery.io/blog/adobe-coldfusion-rce