Hello Lucee! Let us hack Apple again? ($20,000 USD)

We discussed this vulnerability during Episode 245 on 26 February 2024

Three deserialization-related issues, two stemming from the core of Lucee and one in Mura, a CMS built on Lucee. Lucee is a ColdFusion Markup Language (CFML) based scripting language that runs on the JVM (Java Virtual Machine) and is intended for the development of web applications. As such it has some niceties for building web apps, like support for routing and processing of incoming requests.

Which is where the first issue is: you can set up REST mappings to certain functions, and if the mapping takes arguments then Lucee will attempt to parse the request body, taking the user-provided Content-Type header into account. If Content-Type is application/java it will attempt to deserialize the user-provided content, which naturally leads to a deserialization attack. While the Apple service being targeted was not vulnerable to this, the Lucee update server was.

The second issue is in the support for CFML expressions when loading data from cookies. As CFML can contain <cfscript> tags, this can be used for code execution. Within Lucee core there were three functions that would lead to this: sessionInvalidate(), sessionRotate() and PageContext.scope(). While these functions could be vulnerable sinks, the Lucee codebase doesn't actually call them. However, the Mura/Masa CMS, which are built on Lucee and used by Apple, do use them, though they sit behind configuration options that Apple was not using.

The third issue, which was finally also something the Apple instance was vulnerable to, was found in Mura CMS code. They had discovered that VariableInterpreter.parse would ultimately fall into the same CFMLExpressionInterpreter seen in the prior issue, so an insecure call to it could lead to insecure CFML interpretation. Insecure call in this case means passing the limited argument as false. The challenge was that many of the users of this, like isDefined("...") or Empty("..."), would be called with static strings that a user couldn't control. It turned out, though, that the FEED API in Mura would call isDefined with a variable, #param.method#, to be expanded before being passed into the CFMLExpressionInterpreter, allowing attacker content to reach the interpreter and code execution to be achieved.
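As an added illustration (not code from the original write-up, nor from Lucee or Mura), here is a small Python triage script that flags the input shapes described above in constructed sample requests: a body declared as application/java sent to a REST path, and a `#...#` CFML expression inside a query parameter or a cookie value. The paths, the `method` parameter name and the record layout are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests (not real traffic). Paths, the `method`
# parameter name and the field layout are assumptions for illustration.
SAMPLE_REQUESTS = [
    {"path": "/rest/update/check", "content_type": "application/java; charset=utf-8",
     "query": "", "cookie": ""},
    {"path": "/rest/update/check", "content_type": "application/json",
     "query": "", "cookie": ""},
    {"path": "/index.cfm/api/feed", "content_type": "",
     "query": "method=%23now()%23&siteid=default", "cookie": ""},
    {"path": "/index.cfm/api/feed", "content_type": "",
     "query": "method=getFeed&siteid=default", "cookie": "cfid=1; lang=#now()#"},
    {"path": "/index.cfm/api/feed", "content_type": "",
     "query": "method=getFeed&siteid=default", "cookie": "cfid=1"},
]

# CFML wraps inline expressions in '#...#'; any such pair in client-controlled
# input deserves a look when it can reach a call like isDefined("#...#").
HASH_EXPR = re.compile(r"#[^#]+#")


def flag_request(req: dict) -> list[str]:
    """Return finding tags for one request (empty list if nothing suspicious)."""
    findings = []
    # Issue 1: Lucee picks a body parser from the client-supplied Content-Type;
    # 'application/java' selects Java deserialization. Drop parameters like charset.
    media_type = req.get("content_type", "").split(";")[0].strip().lower()
    if media_type == "application/java":
        findings.append("java-deserialization-content-type")
    # Issue 3: an expression smuggled into a parameter that is later expanded.
    for name, values in parse_qs(req.get("query", ""), keep_blank_values=True).items():
        if any(HASH_EXPR.search(v) for v in values):
            findings.append(f"cfml-expression-in-param:{name}")
    # Issue 2: expressions inside cookie values.
    for part in filter(None, (p.strip() for p in req.get("cookie", "").split(";"))):
        name, _, value = part.partition("=")
        if HASH_EXPR.search(value):
            findings.append(f"cfml-expression-in-cookie:{name}")
    return findings


def scan(requests: list[dict]) -> list[tuple[str, list[str]]]:
    """Run flag_request over a batch and keep only requests with findings."""
    hits = []
    for req in requests:
        found = flag_request(req)
        if found:
            hits.append((req["path"], found))
    return hits
```

Treat the `#...#` match as a heuristic for triage rather than a verdict; the real fix is rejecting unexpected media types and never expanding request data into the expression interpreter with limited set to false.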

The vulnerabilities here are ultimately just user input ending up in dangerous functions, but do give the original a read for some insight into how they did the code review to find the issues.