Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion - 1065

Zero Day Initiative (ZDI) · Posted 3 Years Ago
  • Adobe ColdFusion is an IDE by Adobe Systems, used to develop ColdFusion Markup Language apps. The administrator keeps all server databases stored in a single location, and that is where the bug lives.
  • A user can configure data sources via an ODBC socket. The ODBC agent listens on port 20009/tcp for the application and uses the General Inter-ORB Protocol (GIOP) to do this. The handling of these packets, which can be reached remotely, is where the bug lies.
  • A request message from a client invokes an operation on the server. While parsing opcode 8, there is a heap-based buffer overflow when the OpcodeDataSize is larger than 38. In opcode 7, the same issue occurs in a call to memmove on the same parameter, writing to the stack when the size is larger than 22.
  • The article claims that with the second bug (the stack overflow), a remote unauthenticated attacker can get code execution in the context of SYSTEM. Since we're in 2023 now, I would expect stack canaries, ASLR and other protections to be in place, though. Overall, a really bad (and simple) bug on a remotely exposed service. Sometimes it's more about finding new attack surface than finding crazy bugs.
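The root cause described above is a length field trusted before a copy into a fixed-size buffer. The handler below is an added example (not code from the ZDI write-up or from ColdFusion) showing the check the vulnerable parser lacked, using the two limits the notes mention (22 for opcode 7, 38 for opcode 8); the message framing, the function names and the 1+4 byte header are assumptions for the example, not the agent's real wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical framing of the agent's opcode payload (an assumption for this
 * example, not the real ODBC agent wire format): 1-byte opcode, 4-byte
 * little-endian OpcodeDataSize, then OpcodeDataSize bytes of data. */
#define OPCODE_DATA_LIMIT_7 22u  /* stack buffer size named in the write-up */
#define OPCODE_DATA_LIMIT_8 38u  /* heap buffer size named in the write-up */

/* Fixed destination capacity for an opcode, or 0 if the opcode is unknown. */
static size_t opcode_capacity(uint8_t opcode) {
    switch (opcode) {
    case 7:  return OPCODE_DATA_LIMIT_7;
    case 8:  return OPCODE_DATA_LIMIT_8;
    default: return 0;
    }
}

/* Parse one message and copy its data into dst (capacity dst_len). Returns the
 * number of bytes copied, or -1 if the message is truncated, the opcode is
 * unknown, or OpcodeDataSize exceeds the destination. Checking the declared
 * size against the buffer before copying is what the vulnerable handler lacked. */
int handle_opcode(const uint8_t *msg, size_t msg_len,
                  uint8_t *dst, size_t dst_len) {
    if (msg_len < 5) return -1;                   /* header must fit */
    uint8_t opcode = msg[0];
    uint32_t data_size = (uint32_t)msg[1] | (uint32_t)msg[2] << 8 |
                         (uint32_t)msg[3] << 16 | (uint32_t)msg[4] << 24;
    size_t cap = opcode_capacity(opcode);
    if (cap == 0 || cap > dst_len) return -1;     /* unknown opcode / dst too small */
    if (data_size > cap) return -1;               /* the missing bounds check */
    if (data_size > msg_len - 5) return -1;       /* declared size beyond the packet */
    memcpy(dst, msg + 5, data_size);
    return (int)data_size;
}

/* Build a constructed test message: opcode, claimed size, payload_len filler
 * bytes. Letting size and payload_len differ lets tests cover truncation. */
size_t build_msg(uint8_t *out, uint8_t opcode, uint32_t size, size_t payload_len) {
    out[0] = opcode;
    out[1] = (uint8_t)size;         out[2] = (uint8_t)(size >> 8);
    out[3] = (uint8_t)(size >> 16); out[4] = (uint8_t)(size >> 24);
    memset(out + 5, 0x41, payload_len);
    return 5 + payload_len;
}
```

Any message whose declared size exceeds the per-opcode capacity is rejected before a single byte is copied, which is the fix for both the heap and the stack variant.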