Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Finding 0day to Hack Apple- 365

Garrett Bergeson, posted 5 years ago
  • Lucee is a dynamic, Java-based tag and scripting language used for rapid web application development. It is a common backend for many applications. The CMS that Facebook was using on these sites used Lucee.
  • While testing Lucee locally, the author found a misconfiguration that allowed arbitrary ColdFusion files to be executed: the CMS's Lucee installation had an authentication misconfiguration.
  • Using imgProcess.cfm (with the auth bypass described above), it was possible to upload a file to any location because of a directory traversal vulnerability. However, this is NOT as simple as it seems: the firewall blocks the string ../ by default.
  • The same authentication bypass exposes a lot more functionality. One piece of it is the ability to copy a file using an absolute path.
  • Combining the arbitrary file write and the arbitrary file copy (with absolute paths) with the auth bypass leads to remote code execution by writing a shell script!
  • The above vulnerability only existed in imgProcess.cfm, which was present in older versions, so another vulnerability had to be found in order to make this work.
  • ext.applications.upload.cfm had another arbitrary file upload, with the same auth bypass as before. This endpoint accepts .lex files, which are just zip files for Lucee extensions.
  • Once the zip file has been uploaded, another odd feature of the program can be used: zip, file and other URIs can be referenced. With this, the zip file can be unzipped into the webroot of the application, giving code execution again.
  • To get this to work, Intruder had to be used, because a load balancer was directing traffic to different hosts.
  • Besides the actual finding, a few things caught my attention. First, the firewall actually made a large impact on the exploitation of this vulnerability. In the future, I may consider asking clients to implement this as a defense-in-depth measure.
  • The other important thing to note was that this was a 0-day in the CMS and Lucee, not an issue with Apple's product. Yet Apple still paid a 50K bounty for this!? They do not own the product, but they still paid out. In the future, finding vulnerabilities in important software used by companies may get a payout, even if the software does not pay out.
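Two of the primitives in the summary above, the traversal upload that the firewall tried to stop by blocking the literal string ../ and the absolute-path copy that sidestepped that check, and later the extension zip unpacked into the webroot, all come down to the same defensive question: does the final write land inside the directory the application meant? The following is an added example, not code from the write-up, from Lucee, or from this blog. The function names, the sample upload roots and the in-memory zip are assumptions; it shows a string-blocklist check next to a containment check on the resolved path, and applies the same containment check to every archive entry before anything is extracted.

```python
"""Containment checks for the file-write primitives discussed above.

Added example (not the write-up's, Lucee's, or this blog's code). The helper
names, the hypothetical upload roots and the constructed zip are assumptions.
The point: decide containment on the normalised final path, not by scanning
the request for the literal string "../".
"""
import io
import posixpath
import zipfile


def naive_waf_blocks(user_path: str) -> bool:
    """The kind of check the summary describes: block if '../' is present.

    It says nothing about absolute paths, which is what the
    copy-with-absolute-path primitive in the write-up relied on.
    """
    return "../" in user_path


def safe_join(root: str, user_path: str) -> str:
    """Return the normalised path that `user_path` would write under `root`.

    Raises ValueError for absolute inputs and for any path that leaves the
    root after normalisation. Lexical (posixpath) normalisation is used so the
    example runs without touching the filesystem; on a live host, also resolve
    symlinks (os.path.realpath) before the containment test.
    """
    # Treat backslash as a separator too, as a Windows host would.
    user_path = user_path.replace("\\", "/")
    if posixpath.isabs(user_path):
        raise ValueError(f"absolute path rejected: {user_path!r}")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, user_path))
    # commonpath, not startswith: "/srv/uploads2" must not pass for "/srv/uploads".
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError(f"path escapes {root_norm!r}: {user_path!r}")
    return candidate


def is_contained(root: str, user_path: str) -> bool:
    """Boolean form of safe_join for callers that only need a verdict."""
    try:
        safe_join(root, user_path)
        return True
    except ValueError:
        return False


def build_zip(entries: dict) -> bytes:
    """Build a small archive in memory (constructed test data, never written to disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_extension_archive(zip_bytes: bytes, dest: str):
    """Classify each archive entry before extraction.

    Returns (accepted, rejected): accepted maps entry names to the path they
    would be written to under `dest`; rejected lists entries that would land
    outside it (the "zip slip" pattern). Nothing is extracted.
    """
    accepted, rejected = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                accepted[info.filename] = safe_join(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
    return accepted, rejected


if __name__ == "__main__":
    ROOT = "/srv/app/uploads"  # hypothetical upload root
    for p in ["images/logo.png", "images/../../etc/passwd", "/srv/app/webroot/x.cfm"]:
        print(f"{p!r:32} waf_blocks={naive_waf_blocks(p)!s:5} contained={is_contained(ROOT, p)}")
    # Constructed archive: one normal entry and one that tries to leave the destination.
    archive = build_zip({"ext/manifest.json": b"{}", "../../webroot/escapes.txt": b"x"})
    print(check_extension_archive(archive, "/srv/app/extensions"))
```

Running it shows the absolute path passing the blocklist check while failing containment, and the archive check accepting the manifest entry while rejecting the one that would escape the extensions directory. The same safe_join is the gate for an upload, a copy destination, and an archive entry, which is the property the stacked primitives in the write-up lacked.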