Full Report
Adobe ColdFusion is an IDE by Adobe Systems. It is used to develop ColdFusion Markup Language apps. The administrator has all server databases stored in a single location, which is where the bug exists. A user can configure data sources via an ODBC Socket. The ODBC agent listens on port 20009/tcp for the application. It uses the General Inter-ORB Protocol (GIOP) to do this. The handling of these packets, which can be done remotely, is where the bug exists. A Request message from a client invokes an operation on the server. While parsing opcode 8 there is a heap-based buffer overflow when the OpcodeDataSize is larger than 38. In opcode 7, the same issue occurs in a call to memmove on the same parameter for a size larger than 22, this time on the stack. The article claims that through the second bug (stack overflow), a remote unauthenticated attacker can get code execution in the context of SYSTEM. Since we're in 2023 now, I would expect stack canaries, ASLR and other protections to be in place though. Overall, a really bad (and simple) bug on a remotely exposed service. Sometimes, it's more about finding new attack surface than finding crazy bugs.
Analysis Summary
# Vulnerability: Adobe ColdFusion ODBC Agent Unauthenticated Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2022-35690
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-120 (Buffer Copy without Checking Size of Input), CWE-121 (Stack-based Buffer Overflow), CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:** Adobe ColdFusion
- **Versions:**
  - ColdFusion 2021 Update 4 and earlier versions
  - ColdFusion 2018 Update 14 and earlier versions
- **Configurations:** Systems where the ODBC Socket driver is enabled and the ODBC agent (swagent.exe) is listening.
## Vulnerability Description
The vulnerability exists within the ColdFusion ODBC agent, which listens on port **20009/tcp** and utilizes the **General Inter-ORB Protocol (GIOP)**. The flaw is caused by insufficient validation of user-supplied data when parsing GIOP Request messages.
Specifically, the `swagent.exe` service fails to bounds-check the `OpcodeDataSize` field during opcode processing:
- **Opcode 8:** Triggers a **heap-based buffer overflow** if the `OpcodeDataSize` is larger than 38.
- **Opcode 7:** Triggers a **stack-based buffer overflow** via a `memmove` call if the data size is larger than 22.
## Exploitation
- **Status:** PoC details have been documented; originally discovered by researcher "rgod" and published via ZDI.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **Authentication:** Not required (Unauthenticated)
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Arbitrary code execution with SYSTEM privileges)
- **Availability:** High (Can lead to service crash or full system takeover)
## Remediation
### Patches
- **ColdFusion 2021:** Update 5 or later.
- **ColdFusion 2018:** Update 15 or later.
- **Note:** Adobe specifies that the **ColdFusion JDK/JRE must also be updated** to the latest LTS release (JDK 11). Applying the ColdFusion patch without the JDK update is insufficient to secure the server.
### Workarounds
- Disable the ODBC Socket driver if it is not required for business operations.
- Block external access to port **20009/tcp** at the network firewall level.
- Follow the official Adobe ColdFusion Lockdown Guides (2018/2021) to minimize the attack surface.
## Detection
- **Indicators of Compromise:** Unexpected crashes of `swagent.exe` or unusual inbound traffic on port 20009/tcp.
- **Detection Methods:** Monitor for GIOP protocol traffic containing abnormally large data segments in opcode 7 or 8 fields.
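As an added example (not from the original report or from Adobe/ZDI), the following Python parses the standard 12-byte GIOP message header and flags Request messages to port 20009/tcp whose declared body is far larger than the 22/38-byte payloads the opcodes legitimately accept. The ODBC agent's own opcode field layout is not parsed; the 512-byte ceiling is a heuristic assumption for tuning, not a value from the page.

```python
import struct

GIOP_MAGIC = b"GIOP"
MSG_REQUEST = 0          # GIOP MessageType value for Request
ODBC_AGENT_PORT = 20009  # ColdFusion ODBC agent (swagent.exe) listener

# Heuristic ceiling for a Request body aimed at the ODBC agent. Legitimate
# opcode 7/8 payloads are at most 22 and 38 bytes (per the report); a body
# far above that deserves an alert. The value itself is an assumption.
SUSPICIOUS_BODY_BYTES = 512


def parse_giop_header(data: bytes) -> dict:
    """Parse the GIOP header shared by GIOP 1.0-1.2: magic, version, flags, type, size."""
    if len(data) < 12 or data[:4] != GIOP_MAGIC:
        raise ValueError("not a GIOP message")
    major, minor, flags, msg_type = struct.unpack("BBBB", data[4:8])
    # GIOP 1.0 carries a byte_order boolean in this octet; 1.1+ uses bit 0
    # of a flags byte. Either way bit 0 set means little-endian.
    little_endian = bool(flags & 0x01)
    (size,) = struct.unpack("<I" if little_endian else ">I", data[8:12])
    return {"version": (major, minor), "little_endian": little_endian,
            "type": msg_type, "size": size, "body": data[12:]}


def inspect_giop(data: bytes, dst_port: int) -> list[str]:
    """Return alert strings for one TCP payload destined to the ODBC agent port."""
    if dst_port != ODBC_AGENT_PORT:
        return []
    try:
        hdr = parse_giop_header(data)
    except ValueError as exc:
        return [f"non-GIOP data on {dst_port}: {exc}"]
    alerts = []
    if hdr["size"] != len(hdr["body"]):
        alerts.append(f"declared size {hdr['size']} != actual body {len(hdr['body'])}")
    if hdr["type"] == MSG_REQUEST and hdr["size"] > SUSPICIOUS_BODY_BYTES:
        alerts.append(f"oversized GIOP Request ({hdr['size']} bytes) to ODBC agent")
    return alerts


def build_sample(msg_type: int, body: bytes, little_endian: bool = True) -> bytes:
    """Constructed test input only: a GIOP 1.0 header wrapped around an arbitrary body."""
    flags = 0x01 if little_endian else 0x00
    size = struct.pack("<I" if little_endian else ">I", len(body))
    return GIOP_MAGIC + bytes([1, 0, flags, msg_type]) + size + body


if __name__ == "__main__":
    print(inspect_giop(build_sample(MSG_REQUEST, b"\x00" * 4096), ODBC_AGENT_PORT))
```

A real deployment would feed reassembled TCP payloads from a capture or IDS hook into `inspect_giop` and tune `SUSPICIOUS_BODY_BYTES` against observed legitimate data-source traffic.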
## References
- **Vendor Advisory:** hxxps[://]helpx[.]adobe[.]com/security/products/coldfusion/apsb22-44[.]html
- **ZDI Analysis:** hxxps[://]www[.]zerodayinitiative[.]com/blog/2023/1/19/cve-2022-35690-unauthenticated-rce-in-adobe-coldfusion
- **Lockdown Guide:** hxxps[://]helpx[.]adobe[.]com/coldfusion/using/server-lockdown[.]html