Re: brute force ColdFusion MX7 admin page

From: Anonymous (anon_email4me@yahoo.com)
Date: Tue Jan 15 2008 - 17:14:15 EST


I thought I'd send out a follow-up on my inquiry. It
seems that there aren't enough of these. See the
details below the summary.

1) If your scan reveals /cfide/administrator/index.cfm
as being available look for the availability of
/cfide/componentutils/login.cfm
2) Brute force it using whatever tool you'd like. When
you get guess the correct password the server will
respond with the HTTP status of 302 (content moved).
3) Try guessed password at
/cfide/administrator/index.cfm

That's it.

I found one document that really seemed to help me get
beyond the salting issue. Other comments to me and the
list also helped.

http://www.eusecwest.com/esw06/esw06-davis.pdf

This document lists another ColdFusion page
(/cfide/componentutils/login.cfm). This other page
doesn't have a salting function. Although it
apparently doesn't actually allow for logging into the
admin console it will tell you if you have guessed the
correct password by returning the HTTP status code of
302.

I used WebScarab's fuzzing tool and a regular
expression to attempt to brute force the password.
WebScarab kept stopping for some reason and never even
came close to completing. I also tried Hydra's HTTP
post function with a dictionary file but it returned
some false positives and no successes. In the end I
did not have enough time to guess the admin password.

It looks like this is a pretty serious issue as the
research I did shows that these login attempts are not
logged (without a CF server I can't confirm). The PDF
referenced above shows how you can use the admin
console to execute a slow but accurate port scan of
the host environment plus a lot of other fun stuff.

For some reason Nessus doesn't check for
/cfide/componentutils/login.cfm but does check for
/cfide/administrator/index.cfm. Keep this in mind if
you run across the same situation in any of your
engagements.

Shoot any questions my way if you'd like. And thanks
again for everyone's input.

-Leo
--- Anonymous <anon_email4me@yahoo.com> wrote:

> I would send this from my work account but every
> time
> I respond to a question I get a bunch of spam. So...
> on to the real situation.
>
> A customer's ColdFusion MX7 admin page is reachable
> from the Internet. As part of the external pen test
> I'd like to attempt to brute force this page. It
> would
> seem to be easier than normal because there is only
> a
> password - no username is needed.
>
> However, there is a small problem that I'm not sure
> how to tackle quickly. I don't have much time left.
>
> The form action is this:
>
> <form name="loginform"
> action="/cfide/administrator/enter.cfm"
> method="POST"
> onSubmit="cfadminPassword.value =
> hex_hmac_sha1(salt.value,
> hex_sha1(cfadminPassword.value));" >
>
> There is a hidden field in the form with the salt
> value:
>
> <input name="salt" type="hidden"
> value="1198120613281">
>
> I imagine the salt is predictable but I also imagine
> that it wouldn't help much to predict it. Maybe I'm
> wrong. The page has a meta refresh of 50.
>
> The password field is:
>
> <input name="cfadminPassword" type="Password"
> size="15" maxlength="100" id="admin_login">
>
> Because of the encoding of the entered password with
> the salt it doesn't look like I can use Hydra. Am I
> stuck writing my own script using wget (or
> something)
> and a function to hash the password and salt. If so,
> does anyone know about these functions:
> hex_hmac_sha1
> and hex_sha1?
>
> Hopefully this is the type of thing that will bring
> the old PT List back.... maybe...
>
> Thanks for any input!
>
>
>
>
____________________________________________________________________________________
> Be a better friend, newshound, and
> know-it-all with Yahoo! Mobile. Try it now.
>
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
>
>
>

      ____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT