¡¾Ô­´´Îó²î¡¿Adobe ColdFusion ·´ÐòÁл¯RCEÎó²îÆÊÎö£¨CVE-2019-7091£©

Ðû²¼Ê±¼ä 2019-02-14

Îó²î¸ÅÊö


2019Äê2ÔÂ12ÈÕ£¬£¬£¬£¬£¬£¬£¬Adobe¹Ù·½Ðû²¼ÁËÕë¶ÔAdobe ColdFusionµÄÇå¾²¸üв¹¶¡£¬£¬£¬£¬£¬£¬£¬±àºÅΪAPSB19-10¡£¡£¡£ ¡£¡£¡£²¹¶¡ÖаüÀ¨°ÙÀÖ²©ADLab·¢Ã÷²¢µÚһʱ¼äÌá½»¸ø¹Ù·½µÄCritical£¨Î£¼±£©·´ÐòÁл¯Îó²î£¬£¬£¬£¬£¬£¬£¬Ê¹ÓøÃÎó²î¹¥»÷Õß¿ÉÔ¶³ÌÖ´ÐÐí§Òâ´úÂë¡£¡£¡£ ¡£¡£¡£Îó²î±àºÅΪCVE-2019-7091£¬£¬£¬£¬£¬£¬£¬ÈçÏÂͼËùʾ£º


welcome-°ÙÀÖ²©


±¾´ÎÎó²îΪAdobe ColdFusionÖÐFlashGatewayЧÀÍÖеÄÎó²î¡£¡£¡£ ¡£¡£¡£Adobe ColdFusionµÄFlashGatewayЧÀͱ£´æ·´ÐòÁл¯Îó²î£¬£¬£¬£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄ¹¥»÷ÕßÏòÄ¿µÄAdobe ColdFusionµÄFlashGatewayЧÀÍ·¢ËÍÈ«ÐĽṹµÄ¶ñÒâÊý¾Ý£¬£¬£¬£¬£¬£¬£¬¾­·´ÐòÁл¯ºó¿ÉÔ¶³ÌÖ´ÐÐí§Òâ´úÂë¡£¡£¡£ ¡£¡£¡£

Îó²îʱ¼äÖá


2018Äê9ÔÂ21ÈÕ£º½«Îó²îÏêÇéÌá½»¸ø¹Ù·½£»£»£»£»£»
2018Äê12ÔÂ5ÈÕ£ºÈ·ÈÏÎó²î±£´æ²¢×îÏÈÐÞ¸´£»£»£»£»£»
2019Äê2ÔÂ12ÈÕ£º¹Ù·½Ðû²¼Õýʽ²¹¶¡¡£¡£¡£ ¡£¡£¡£

Îó²îÆÊÎö


Adobe ColdFusionµÄFlashGatewayЧÀÍÔÊÐíflashÅþÁ¬µ½CFMLºÍCFCÄ£°å¡£¡£¡£ ¡£¡£¡£µ±¹¥»÷Õßͨ¹ýHTTPЭÒéÏòFlashGatewayЧÀÍPOSTÈ«ÐĽṹµÄActionMessageÐÅÏ¢ºó£¬£¬£¬£¬£¬£¬£¬FlashGatewayЧÀÍÒÀ´Îͨ¹ýÖÖÖÖÀàÐ͵Äfilter¾ÙÐÐinvoke()²Ù×÷¡£¡£¡£ ¡£¡£¡£ÔÚflashgateway.filter.SerializationFilterµÄinvokeÒªÁìÖУ¬£¬£¬£¬£¬£¬£¬ÊµÀý»¯MessageDeserializerÀàÐ͵ķ´ÐòÁй¤¾ßdeserializer²¢Í¨¹ýdeserializer.readMessage(m)ÒªÁì¶ÔÈ«ÐĽṹµÄActionMessageÐÂΞÙÐз´ÐòÁл¯£¬£¬£¬£¬£¬£¬£¬Í¬Ê±½«ActionMessageÖеÄtargetURI¡¢dataµÈÖµ¸³Öµ¸øMessageBody¡£¡£¡£ ¡£¡£¡£


Íê³ÉÐòÁл¯Àú³Ìºó£¬£¬£¬£¬£¬£¬£¬´ËʱActionContext contextÖеÄÄÚÈݼ´ÎªÊäÈëÁ÷ÖÐÈ«ÐĽṹµÄActionMessageÐÅÏ¢¡£¡£¡£ ¡£¡£¡£ÔÚflashgateway.filter.AdapterFilterµÄinvokeÒªÁìÖУ¬£¬£¬£¬£¬£¬£¬¶ÁÈ¡ActionContextÖеÄMessageBodyÐÅÏ¢¸³Öµ¸øserviceName¡¢functionName¡¢parametersµÈ£¬£¬£¬£¬£¬£¬£¬Í¨¹ýadapter=locateAdapter(context, serviceName, functionName, parameters, serviceType)ÒªÁì»ñµÃflashgateway.adapter.java.JavaBeanAdapterÀàÐ͵Äadapter£¬£¬£¬£¬£¬£¬£¬È»ºóÖ´ÐÐJavaBeanAdapterµÄinvokeFunctionÒªÁì¡£¡£¡£ ¡£¡£¡£Òªº¦´úÂëÈçÏ£º


public ActionContext invoke(ActionContext context) throws  Throwable {
        ...
      //¶ÁÈ¡MessageBodyÐÅÏ¢
      MessageBody  requestMessageBody = context.getRequestMessageBody();
      String serviceName  = requestMessageBody.serviceName;
      String  functionName = requestMessageBody.functionName;
      List parameters = requestMessageBody.parameters;
        ...
     if  (context.isDescribeRequest()) {
      result = adapter.describeService(context,  serviceName);
     } else {
  //adapterΪJavaBeanAdapter£¬£¬£¬£¬£¬£¬£¬Ö´ÐÐflashgateway.adapter.java.JavaBeanAdapterµÄinvokeFunctionÒªÁì

    result =  adapter.invokeFunction(context, serviceName, functionName, parameters); }


ÔÚJavaBeanAdapterµÄinvokeFunctionÒªÁìÖУ¬£¬£¬£¬£¬£¬£¬¿´µ½Òªº¦´úÂ룺method.invoke(service, parameters.toArray())¡£¡£¡£ ¡£¡£¡£


welcome-°ÙÀÖ²©


ÆäÖУ¬£¬£¬£¬£¬£¬£¬Ä¿µÄÖ´ÐÐÒªÁìmethodͨ¹ýMethod method = this.getMethod(parameters, serviceName, functionName, aClass)»ñµÃ£»£»£»£»£»ÒªÁìÖ´Ðй¤¾ßservice ͨ¹ýservice = aClass.newInstance()»ñµÃ£»£»£»£»£»ÒªÁìÖ´ÐвÎÊýparameters.toArray()ͨ¹ýMessageBody»ñµÃ¡£¡£¡£ ¡£¡£¡£


Óɴ˿ɼû£¬£¬£¬£¬£¬£¬£¬method.invoke(service, parameters.toArray())µÄËùÓòÎÊý¶¼¿É¿Ø£¬£¬£¬£¬£¬£¬£¬Òâζ×Å¿ÉÖ´ÐÐí§ÒâÒªÁì¡£¡£¡£ ¡£¡£¡£


Õû¸öÁ÷³ÌÈçÏÂͼËùʾ£º


welcome-°ÙÀÖ²©

Îó²îʹÓÃЧ¹û

welcome-°ÙÀÖ²©

Ó°Ïì°æ±¾


ColdFusion 11 Update 15¼°Ö®Ç°°æ±¾
ColdFusion 2016 Update 7¼°Ö®Ç°°æ±¾
ColdFusion 2018 Update 1¼°Ö®Ç°°æ±¾

¹æ±Ü¼Æ»®


ÐÞ¸Ägateway-config.xmlÎļþµÄÉèÖ㬣¬£¬£¬£¬£¬£¬Õ¥È¡JavaBeanAdapterµÄʹÓᣡ£¡£ ¡£¡£¡£

Éý¼¶×îв¹¶¡APSB19-10£ºhttps://helpx.adobe.com/security/products/coldfusion/apsb19-10.html¡£¡£¡£ ¡£¡£¡£


welcome-°ÙÀÖ²©