Advisory ID: SYSS-2019-006 Product: Coldfusion/JNBridge Manufacturer: Adobe/JNBridge LLC Affected Version(s): Coldfusion 2016,2018, JNBridge all versions Tested Version(s): 2018 Vulnerability Type: Remote Code Execution Risk Level: High Solution Status: Fixed Manufacturer Notification: 2019-03-27 Solution Date: 2019-06-11 Public Disclosure: 2019-06-24 CVE Reference: CVE-2019-7839 Author of Advisory: Moritz Bechler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: JNBridge is a technology for integrating Java and .NET application code. The manufacturer describes the product as follows (see [1]): "Access Java classes from .NET as if Java were a .NET language (C#, VB, etc). Access .NET classes (written in C#, VB, F#, etc.) from Java as if they were Java classes. Access objects and libraries across the platform boundary." "Create objects, call methods, access fields, return objects." As stated, this technology, more or less by design, allows unrestricted access to a remote Java Runtime Environment, thereby allowing the execution of arbitrary code and system commands. Adobe Coldfusion is a web application development platform. Coldfusion servers running on Windows publicly expose an JNBridge network listener on TCP port 6093 or 6095. An attacker that is able to reach that service can execute arbitrary Java code or system commands. By default this services is running with highest privileges (SYSTEM). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Analysis of the JNBridge protocol reveals that it directly exposes basic operations like: * creating Java objects using arbitrary constructors * calling methods on these objects * getting/setting fields of these objects * calling static methods Combined, these primitives essentially expose all of the Java runtime environment's available code/methods. For example the sequence 1. objectStaticCall java.lang.Runtime:getRuntime -> handle to java.lang.Runtime instance 2. objectVirtualCall handle->exec("command") -> handle to Process can be used to invoke arbitrary system commands. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The necessary parts of the protocol to invoke the Runtime.exec() method like described above were implemented. That code remains unreleased at this time. The PoC also reads and shows the command output. Running it against a default installation of Coldfusion 2018 on Windows 10: $ ./jnbridge.py -p 6095 192.168.56.101 'whoami' nt authority\system ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Apply the latest ColdFusion security patches, see [5]. Do not expose JNBridge listeners to untrusted parties. In general, the JNBridge technology/protocol must not be used across privilege boundaries. It appears unlikely that this technology can be made reasonably secure, even with major changes to the protocol. Securing a JNBridge listener seems non-trivial, there does not seem to be built-in support for authentication and "JNBridgePro supports secure cross-platform communications using SSL (secure sockets library). SSL provides message encryption, server authentication, and message integrity. Currently, client authentication is not supported." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2019-03-18: Vulnerability discovered 2019-03-27: Vulnerability reported to manufacturer 2019-06-11: Patch released by manufacturer 2019-06-24: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for JNBridge https://jnbridge.com/ [2] Product website for Adobe Coldfusion https://www.adobe.com/products/coldfusion-family.html [3] SySS Security Advisory SYSS-2019-006 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-006.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ [5] Adobe Security Bulletin APSB19-27 https://helpx.adobe.com/security/products/coldfusion/apsb19-27.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Bechler of SySS GmbH. E-Mail: moritz.bechler@xxxxxxx Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc Key ID: 0x768EFE2BB3E53DDA Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature