¡¾Ô´´Îó²î¡¿Adobe ColdFusion ·´ÐòÁл¯RCEÎó²îÆÊÎö£¨CVE-2019-7091£©
Ðû²¼Ê±¼ä 2019-02-14Îó²î¸ÅÊö
±¾´ÎÎó²îΪAdobe ColdFusionÖÐFlashGatewayЧÀÍÖеÄÎó²î¡£¡£Adobe ColdFusionµÄFlashGatewayЧÀͱ£´æ·´ÐòÁл¯Îó²î£¬£¬£¬£¬£¬£¬Î´¾Éí·ÝÑéÖ¤µÄ¹¥»÷ÕßÏòÄ¿µÄAdobe ColdFusionµÄFlashGatewayЧÀÍ·¢ËÍÈ«ÐĽṹµÄ¶ñÒâÊý¾Ý£¬£¬£¬£¬£¬£¬¾·´ÐòÁл¯ºó¿ÉÔ¶³ÌÖ´ÐÐí§Òâ´úÂë¡£¡£
Îó²îʱ¼äÖá
2018Äê12ÔÂ5ÈÕ£ºÈ·ÈÏÎó²î±£´æ²¢×îÏÈÐÞ¸´£»£»£»
2019Äê2ÔÂ12ÈÕ£º¹Ù·½Ðû²¼Õýʽ²¹¶¡¡£¡£
Îó²îÆÊÎö
Adobe ColdFusionµÄFlashGatewayЧÀÍÔÊÐíflashÅþÁ¬µ½CFMLºÍCFCÄ£°å¡£¡£µ±¹¥»÷Õßͨ¹ýHTTPÐÒéÏòFlashGatewayЧÀÍPOSTÈ«ÐĽṹµÄActionMessageÐÅÏ¢ºó£¬£¬£¬£¬£¬£¬FlashGatewayЧÀÍÒÀ´Îͨ¹ýÖÖÖÖÀàÐ͵Äfilter¾ÙÐÐinvoke()²Ù×÷¡£¡£ÔÚflashgateway.filter.SerializationFilterµÄinvokeÒªÁìÖУ¬£¬£¬£¬£¬£¬ÊµÀý»¯MessageDeserializerÀàÐ͵ķ´ÐòÁй¤¾ßdeserializer²¢Í¨¹ýdeserializer.readMessage(m)ÒªÁì¶ÔÈ«ÐĽṹµÄActionMessageÐÂΞÙÐз´ÐòÁл¯£¬£¬£¬£¬£¬£¬Í¬Ê±½«ActionMessageÖеÄtargetURI¡¢dataµÈÖµ¸³Öµ¸øMessageBody¡£¡£
Íê³ÉÐòÁл¯Àú³Ìºó£¬£¬£¬£¬£¬£¬´ËʱActionContext contextÖеÄÄÚÈݼ´ÎªÊäÈëÁ÷ÖÐÈ«ÐĽṹµÄActionMessageÐÅÏ¢¡£¡£ÔÚflashgateway.filter.AdapterFilterµÄinvokeÒªÁìÖУ¬£¬£¬£¬£¬£¬¶ÁÈ¡ActionContextÖеÄMessageBodyÐÅÏ¢¸³Öµ¸øserviceName¡¢functionName¡¢parametersµÈ£¬£¬£¬£¬£¬£¬Í¨¹ýadapter=locateAdapter(context, serviceName, functionName, parameters, serviceType)ÒªÁì»ñµÃflashgateway.adapter.java.JavaBeanAdapterÀàÐ͵Äadapter£¬£¬£¬£¬£¬£¬È»ºóÖ´ÐÐJavaBeanAdapterµÄinvokeFunctionÒªÁì¡£¡£Òªº¦´úÂëÈçÏ£º
...
//¶ÁÈ¡MessageBodyÐÅÏ¢
MessageBody requestMessageBody = context.getRequestMessageBody();
String serviceName = requestMessageBody.serviceName;
String functionName = requestMessageBody.functionName;
List parameters = requestMessageBody.parameters;
...
if (context.isDescribeRequest()) {
result = adapter.describeService(context, serviceName);
} else {
//adapterΪJavaBeanAdapter£¬£¬£¬£¬£¬£¬Ö´ÐÐflashgateway.adapter.java.JavaBeanAdapterµÄinvokeFunctionÒªÁì
result = adapter.invokeFunction(context, serviceName, functionName, parameters); }
ÆäÖУ¬£¬£¬£¬£¬£¬Ä¿µÄÖ´ÐÐÒªÁìmethodͨ¹ýMethod method = this.getMethod(parameters, serviceName, functionName, aClass)»ñµÃ£»£»£»ÒªÁìÖ´Ðй¤¾ßservice ͨ¹ýservice = aClass.newInstance()»ñµÃ£»£»£»ÒªÁìÖ´ÐвÎÊýparameters.toArray()ͨ¹ýMessageBody»ñµÃ¡£¡£
Óɴ˿ɼû£¬£¬£¬£¬£¬£¬method.invoke(service, parameters.toArray())µÄËùÓòÎÊý¶¼¿É¿Ø£¬£¬£¬£¬£¬£¬Òâζ×Å¿ÉÖ´ÐÐí§ÒâÒªÁì¡£¡£
Õû¸öÁ÷³ÌÈçÏÂͼËùʾ£º

Îó²îʹÓÃЧ¹û

Ó°Ïì°æ±¾
ColdFusion 2016 Update 7¼°Ö®Ç°°æ±¾
ColdFusion 2018 Update 1¼°Ö®Ç°°æ±¾
¹æ±Ü¼Æ»®
Éý¼¶×îв¹¶¡APSB19-10£ºhttps://helpx.adobe.com/security/products/coldfusion/apsb19-10.html¡£¡£