Unauthenticated RCE in Adobe Coldfusion [CVE-2023-26360]

We discussed this vulnerability during Episode 235 on 14 January 2024

A somewhat odd vulnerability in Adobe Coldfusion, where it would take an attacker-controllable classname parameter and use it to compile Coldfusion code on the fly to render in the response. If the classname didn't match a valid Coldfusion class, it would treat it as a path to a Coldfusion template. So by setting classname=../../../etc/passwd, for example, they could get the contents of /etc/passwd echoed in the response. This also didn't require any authentication to exploit.

A clever way they were able to take this to Remote Code Execution (RCE) was by sending a request to the CFIDE/AIR/Conflict endpoint's test method, which would log the _variables parameter passed. By setting _variables to a Coldfusion execute tag (i.e. _variables=<cfexecute name='/usr/bin/gnome-calculator'></cfexecute>) and sending a second request that set the classname to that log file's path, they could get the cfexecute tag processed and achieve RCE.
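As an added detection example (not code from the episode or from Adobe), the scanner below runs over constructed request lines and flags the two request shapes described above: a classname value that resolves to a filesystem path rather than a class, and a _variables value carrying a CFML tag (the log-poisoning step). The Conflict.cfc path, the app.cfm path and the log location in the samples are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample request lines (not real traffic). The Conflict.cfc path,
# app.cfm and the log location are assumed; the page names only the endpoint
# and the two parameters (classname, _variables).
SAMPLE_REQUESTS = [
    "GET /CFIDE/AIR/Conflict.cfc?method=test&_variables=%3Ccfexecute+name%3D%27/usr/bin/gnome-calculator%27%3E%3C/cfexecute%3E",
    "GET /app.cfm?classname=../../../logs/application.log",
    "GET /app.cfm?classname=..%252F..%252Fetc/passwd",
    "GET /app.cfm?classname=com.example.Widget",
    "GET /CFIDE/AIR/Conflict.cfc?method=test&_variables=ordinary+text",
]

# "../" or "..\" as a path segment, or an absolute path: not a class name.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[\\/]")
# Any CFML tag (e.g. <cfexecute>) has no business inside a logged variable.
CFML_TAG = re.compile(r"<\s*/?cf[a-z]+", re.IGNORECASE)

def _decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded
    traversal sequences (%252E%252E) are inspected in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(line):
    """Return the list of findings for one 'METHOD path?query' line."""
    findings = []
    _, _, target = line.partition(" ")
    target = target.split(" ")[0]  # drop a trailing protocol token if present
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("classname", []):
        if TRAVERSAL.search(_decode(value)):
            findings.append("classname resolves to a filesystem path (traversal)")
    for value in params.get("_variables", []):
        if CFML_TAG.search(_decode(value)):
            findings.append("CFML tag in _variables (possible log poisoning)")
    return findings

def scan(lines):
    """Map each suspicious line to its findings; clean lines are omitted."""
    result = {}
    for line in lines:
        findings = classify_request(line)
        if findings:
            result[line] = findings
    return result
```

Seeing both findings from the same client in short succession is the sequence to alert on, since either alone may be a probe while the pair is the full chain.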