Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE
Harsh Jaiswal - Project DiscoveryPosted 2 Years Ago- The authors knew about a potential RCE in Adobe ColdFusion. So, they went to the Java code and started diffing from the previous version.
- While doing this, they found the function
validateWddxFilter()had been added. This did verification on thetypeattribute of the object to ensure it starts withcoldfusion. - The sink is a call to
getClassbySignature()that gets an instance of an arbitrary class. Then, it calls a function that must start withset. Being able to call arbitrary calls with a semi-restricted function is a good primitive to start from! - Their test payload was
java.util.Date.setDate(). After verifying that this worked in a debugger, they were set to look for more primitives. With the classcom.sun.rowset.JdbcRowSetImpl,setDataSourceName()sets a JNDI lookup name. Then, by callingsetAutoCommit(), we can create a JNDI injection vulnerability, like with log4shell. - To get code execution, the authors used a ysoserial java serialization payload with
commons-beanutilsto get code execution. Pretty neat bug and unique primitive.
