Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: brute force ColdFusion MX7 admin page
From: Anonymous <anon_email4me () yahoo com>
Date: Tue, 15 Jan 2008 14:14:15 -0800 (PST)

I thought I'd send out a follow-up on my inquiry. It
seems that there aren't enough of these. See the
details below the summary.

1) If your scan reveals /cfide/administrator/index.cfm
as being available look for the availability of
/cfide/componentutils/login.cfm
2) Brute force it using whatever tool you'd like. When
you get guess the correct password the server will
respond with the HTTP status of 302 (content moved).
3) Try guessed password at
/cfide/administrator/index.cfm

That's it.

I found one document that really seemed to help me get
beyond the salting issue. Other comments to me and the
list also helped.

http://www.eusecwest.com/esw06/esw06-davis.pdf

This document lists another ColdFusion page
(/cfide/componentutils/login.cfm). This other page
doesn't have a salting function. Although it
apparently doesn't actually allow for logging into the
admin console it will tell you if you have guessed the
correct password by returning the HTTP status code of
302.

I used WebScarab's fuzzing tool and a regular
expression to attempt to brute force the password.
WebScarab kept stopping for some reason and never even
came close to completing. I also tried Hydra's HTTP
post function with a dictionary file but it returned
some false positives and no successes. In the end I
did not have enough time to guess the admin password.

It looks like this is a pretty serious issue as the
research I did shows that these login attempts are not
logged (without a CF server I can't confirm). The PDF
referenced above shows how you can use the admin
console to execute a slow but accurate port scan of
the host environment plus a lot of other fun stuff.

For some reason Nessus doesn't check for
/cfide/componentutils/login.cfm but does check for
/cfide/administrator/index.cfm. Keep this in mind if
you run across the same situation in any of your
engagements.

Shoot any questions my way if you'd like. And thanks
again for everyone's input.

-Leo
--- Anonymous <anon_email4me () yahoo com> wrote:

I would send this from my work account but every
time
I respond to a question I get a bunch of spam. So...
on to the real situation.

A customer's ColdFusion MX7 admin page is reachable
from the Internet. As part of the external pen test
I'd like to attempt to brute force this page. It
would
seem to be easier than normal because there is only
a
password - no username is needed.

However, there is a small problem that I'm not sure
how to tackle quickly. I don't have much time left.

The form action is this:

<form name="loginform"
action="/cfide/administrator/enter.cfm"
method="POST"
onSubmit="cfadminPassword.value =
hex_hmac_sha1(salt.value,
hex_sha1(cfadminPassword.value));" >

There is a hidden field in the form with the salt
value:

<input name="salt" type="hidden"
value="1198120613281">

I imagine the salt is predictable but I also imagine
that it wouldn't help much to predict it. Maybe I'm
wrong. The page has a meta refresh of 50.

The password field is:

<input name="cfadminPassword" type="Password"
size="15" maxlength="100" id="admin_login">

Because of the encoding of the entered password with
the salt it doesn't look like I can use Hydra. Am I
stuck writing my own script using wget (or
something)
and a function to hash the password and salt. If so,
does anyone know about these functions:
hex_hmac_sha1
and hex_sha1?

Hopefully this is the type of thing that will bring
the old PT List back.... maybe...

Thanks for any input!


     

____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now. 

http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ






      ____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]