Vulnerabilities > CVE-2013-3349 - Remote Denial of Service vulnerability in Adobe Coldfusion 9.0/9.0.1/9.0.2

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(68929);
  script_version("1.9");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2013-3349");
  script_bugtraq_id(61039);

  script_name(english:"Adobe ColdFusion 9/9.0.1/9.0.2 On JRun DoS (APSB13-19) (credentialed check)");
  script_summary(english:"Checks for hotfix");

  script_set_attribute(attribute:"synopsis", value:
"A web-based application running on the remote Windows host is affected
by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is running a version of ColdFusion that is
affected by an unspecified denial of service vulnerability. A remote
attacker can exploit this without authentication.");
  script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb13-19.html");
  script_set_attribute(attribute:"solution", value:"Apply the relevant hotfix referenced in Adobe advisory APSB13-19.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:coldfusion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("coldfusion_win_local_detect.nasl");
  script_require_keys("SMB/coldfusion/instance");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("coldfusion_win.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("byte_func.inc");
include("bsal.inc");
include("zip.inc");

##
# Checks if the JRun hotfix is missing
#
# @anonparam cfroot path to the ColdFusion root directory
# @return plugin output if Nessus believes the hotfix is missing,
#         NULL otherwise
##
function _check_hotfix(type)
{
  local_var cfroot, update_dir, jar_filename, jar_path, share, rc, fh, class_file, report;
  cfroot = _FCT_ANON_ARGS[0];
  report = NULL;

  # add a trailing path if necessary
  if (cfroot[strlen(cfroot) - 1] != "\")
    cfroot += "\";

  if(!isnull(type) && type == "Multiserver")
    update_dir = cfroot + "servers\lib\";
  else update_dir = cfroot + "runtime\servers\lib\";

  jar_filename = "jrun-hotfix-3329722.jar";
  jar_path = update_dir + jar_filename;
  share = hotfix_path2share(path:jar_path);

  rc = NetUseAdd(login:kb_smb_login(), password:kb_smb_password(), domain:kb_smb_domain(), share:share);
  if (rc != 1)
  {
    NetUseDel(close:FALSE);
    return NULL;
  }

  fh = CreateFile(
    file:substr(jar_path, 2),  # strip the drive from the beginning of the path
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );

  # file not found (hotfix missing)
  if (isnull(fh))
  {
    report =
      '\n  Update directory : ' + update_dir +
      '\n  Missing hotfix   : ' + jar_filename + '\n';
  }
  else
  {
    class_file = zip_parse(smb:fh, 'jrun/servlet/JRunResponse.class');
    CloseFile(handle:fh);

    # this method was added to JRunResponse.class in jrun-hotfix-3329722.jar
    if ('writeError' >!< class_file)
    {
      report =
        '\nThe following file was found, but does not appear to contain' +
        '\nthe hotfix provided in Adobe bulletin APSB13-19 :\n\n' +
        jar_path + '\n';
    }
  }

  NetUseDel(close:FALSE);

  return report;
}

versions = make_list('9.0.0', '9.0.1', '9.0.2');
instances = get_coldfusion_instances(versions); # this exits if it fails

# Check the hotfixes and cumulative hotfixes installed for each
# instance of ColdFusion.
info = NULL;

# a connection needs to be made to the system in order to read the hotfix jar file
port = kb_smb_transport();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

report = NULL;

foreach name (keys(instances))
{
  cfroot = get_kb_item('SMB/coldfusion/' + name + '/cfroot');
  if (isnull(cfroot)) continue; # sanity checking (this should never be NULL)
  type = get_kb_item('SMB/coldfusion/' + name + '/type');
  if(isnull(type)) continue;  # should never be NULL

  if(type == "Multiserver")
  {
    jrun_home = get_kb_item('SMB/coldfusion/' + name + '/jrun_home');
    if(isnull(jrun_home)) continue; # should never be NULL
    info = _check_hotfix(jrun_home, type:type);
  }
  else
    info = _check_hotfix(cfroot, type:type);

  if (isnull(info)) continue;  # the hotfix is present

  report += info;
}

NetUseDel();

if (isnull(report))
  exit(0, "No vulnerable instances of Adobe ColdFusion were detected.");

if (report_verbosity > 0)
  security_warning(port:port, extra:report);
else
  security_warning(port);