A critical vulnerability identified as CVE-2023-38203 has been discovered in Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier), and 2023u1 (and earlier). This vulnerability involves the deserialization of untrusted data, which could lead to arbitrary code execution. The exploitation of this vulnerability doesn't require any user interaction. In this article, we will discuss the details of this vulnerability, how it can be exploited, and provide references to the original sources.

Vulnerability Details

The vulnerability is classified as "Deserialization of Untrusted Data" and has the potential to result in arbitrary code execution. In simple terms, deserialization is the process of converting serialized data (data encoded in a form suitable for storage or transmission) back into a live object inside the application. The issue arises when an attacker controls the serialized data that the application deserializes: the classes instantiated during deserialization, and the code they run while being reconstructed, are then chosen by the attacker rather than by the application, which can result in the execution of arbitrary code.

Exploit Details

To exploit this vulnerability, an attacker would first need to craft malicious serialized data that would be deserialized by the affected Adobe ColdFusion application. The attacker could transmit this malicious data within a request to the application, and the exploitation wouldn't require any user interaction.

Upon receiving the request, the application proceeds to deserialize the untrusted data. If successful, this could lead to arbitrary code execution with the permissions of the ColdFusion server, potentially giving the attacker complete control over the affected system.

Code Snippet Example

The following is an example of a Java code snippet that could be used by an attacker to create malicious serialized data:

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.HashSet;

public class Exploit {
    // The article references this class without defining it; a minimal Serializable
    // placeholder is added here so the snippet compiles. It stands in for the payload
    // object the article describes.
    static class SimpleClassToBeDeserialized implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) {
        // Build the object graph: a HashSet wrapping a HashMap that holds the payload object
        HashMap<String, Object> hashMap = new HashMap<>();
        hashMap.put("exploit", new SimpleClassToBeDeserialized());

        HashSet<Object> hashSet = new HashSet<>(1);
        hashSet.add(hashMap);

        // Write the graph to disk in Java's native serialization format
        try (FileOutputStream fileOut = new FileOutputStream("serialized.data");
             ObjectOutputStream out = new ObjectOutputStream(fileOut)) {
            out.writeObject(hashSet);
            System.out.println("Serialized data is saved");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

This code demonstrates how serialized data is produced with Java's native serialization; the placeholder class stands in for the crafted payload that leads to arbitrary code execution when deserialized by a vulnerable ColdFusion application.
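As an added illustration of the defensive side (not code from the original article or from Adobe), the following Java program contrasts an unfiltered ObjectInputStream, which instantiates whatever class the stream names, with one guarded by a JEP 290 ObjectInputFilter allowlist; the Message class and the filter pattern are constructed for this example and assume a service that only ever expects a Message.

```java
import java.io.*;
public class DeserializationGuard {
    // Constructed placeholder: the one type this endpoint expects to receive.
    public static final class Message implements Serializable {
        final String text;
        Message(String text) { this.text = text; }
    }

    // JEP 290 filter pattern: allow only the expected type (plus java.lang),
    // reject every other class ("!*"), and bound graph depth and reference count.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "DeserializationGuard$Message;java.lang.*;!*;maxdepth=5;maxrefs=100");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any Serializable class on the classpath can be instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: classes outside the allowlist are rejected before instantiation.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Message("hello"));
        // HashSet mirrors the article's container and stands in for any unexpected class
        byte[] unexpected = serialize(new java.util.HashSet<String>());
        System.out.println("filtered, expected type: " + ((Message) readFiltered(expected)).text);
        System.out.println("unfiltered, unexpected type: " + readUnfiltered(unexpected).getClass());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as an InvalidClassException before the unexpected class is instantiated, which is the property a deserialization endpoint needs; the same filter syntax can be applied process-wide through the jdk.serialFilter system property.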

Solution

Adobe has released a security update to address this vulnerability. Affected users should patch their ColdFusion installations immediately by upgrading to the following versions:

Original References

- Adobe Security Bulletin: https://helpx.adobe.com/security/products/coldfusion/apsb22-04.html
- NIST National Vulnerability Database (NVD) Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-38203
- PayloadsAllTheThings GitHub Repository for Deserialization Attacks: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Deserialization

Conclusion

CVE-2023-38203 is a critical vulnerability affecting Adobe ColdFusion and poses a significant risk to organizations running vulnerable versions of the software. It is essential to ensure that ColdFusion installations are updated with the latest security patches in order to protect against this type of attack.

Timeline

Published on: 07/20/2023 16:15:00 UTC
Last modified on: 07/20/2023 16:46:00 UTC