Thursday, March 20, 2025

Deserialization Vulnerability in Adobe ColdFusion


Introduction:

CVE-2017-3066 is a critical vulnerability reported in Adobe ColdFusion's AMF handling which allows remote code execution due to improper validation of serialized objects. Adobe ColdFusion allows a developer to build websites, SOAP and REST web services, and applications that interact with Adobe Flash using the Action Message Format (AMF).

The vulnerability is rated critical, with a CVSS v3 score of 9.8, due to its severe impact and exploitation potential. Its severity is heightened by the fact that it can be exploited by remote, unauthenticated attackers, which widens the attack surface. It has been added to the CISA Known Exploited Vulnerabilities (KEV) list because it has been actively exploited in the wild. In this article, we will delve into the technical details of this vulnerability and demonstrate how it can be exploited.

A brief on AMF:

The AMF (Action Message Format) protocol is a custom binary serialization protocol that exists in two versions, AMF0 and AMF3. An AMF packet consists of headers and bodies, and both AMF0 and AMF3 support several data types. There are several implementations of AMF in different languages. For Java there is Adobe BlazeDS (now Apache BlazeDS), which is used by Adobe ColdFusion.

Understanding the Vulnerability:

The root cause of this vulnerability lies in BlazeDS's support for externalizable objects, which gives the sender full control over how an object is deserialized. Adobe ColdFusion processes AMF requests using BlazeDS without any input validation and blindly deserializes the objects received from users. By crafting a malicious AMF payload, attackers can exploit this flaw and achieve remote code execution on the ColdFusion server.
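From the defender's side, the practical question is how to recognise an AMF request that carries an externalizable object declaration before it reaches BlazeDS. The following Python script is an added example written for this article, not code from the original post or from any of the tools it mentions. It parses the AMF packet envelope (version, headers, per-message target URI and body slot), then scans each body for the AMF3 switch marker followed by an object whose traits word sets the externalizable flag, and separately for the Java serialization stream header. The class name, target URI and sample bytes are constructed placeholders; the class scan is a byte-level heuristic rather than a full AMF3 decoder, so its hits are triage signals to review, not verdicts.

```python
"""Added example: triage of raw AMF request bodies (not from the original post)."""
import struct

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
AMF0_AVMPLUS = 0x11                      # AMF0 marker: an AMF3 value follows
AMF3_OBJECT = 0x0A                       # AMF3 object marker
AMF_LENGTH_UNKNOWN = 0xFFFFFFFF          # length field value meaning "not given"


def read_u29(buf, pos):
    """Decode an AMF3 U29 (1 to 4 bytes); returns (value, next_pos)."""
    value = 0
    for i in range(4):
        b = buf[pos]
        pos += 1
        if i < 3:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value, pos
        else:
            value = (value << 8) | b  # fourth byte carries a full 8 bits
    return value, pos


def _utf8(s):
    """AMF0 UTF-8 string: big-endian U16 length prefix, then the bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _read_utf8(buf, pos):
    n = struct.unpack_from(">H", buf, pos)[0]
    pos += 2
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n


def parse_amf_envelope(packet):
    """Parse version, headers and message slots; bodies stay raw bytes."""
    version, header_count = struct.unpack_from(">HH", packet, 0)
    pos, headers = 4, []
    for _ in range(header_count):
        name, pos = _read_utf8(packet, pos)
        must_understand, length = packet[pos], struct.unpack_from(">I", packet, pos + 1)[0]
        pos += 5
        if length == AMF_LENGTH_UNKNOWN:
            raise ValueError("header length omitted; a full AMF0 decoder is needed")
        headers.append((name, bool(must_understand)))
        pos += length
    msg_count = struct.unpack_from(">H", packet, pos)[0]
    pos, messages = pos + 2, []
    for _ in range(msg_count):
        target, pos = _read_utf8(packet, pos)
        response, pos = _read_utf8(packet, pos)
        length = struct.unpack_from(">I", packet, pos)[0]
        pos += 4
        body = packet[pos:] if length == AMF_LENGTH_UNKNOWN else packet[pos:pos + length]
        pos += len(body)
        messages.append({"target": target, "response": response, "body": body})
    return {"version": version, "headers": headers, "messages": messages}


def find_externalizable_classes(body):
    """Heuristic: every 0x0A byte is tried as an object marker; a traits word
    with low bits 0b111 means inline traits + externalizable, and is followed
    by an inline UTF-8-vr class name (low bit 1, length in the upper bits)."""
    found = []
    for i, b in enumerate(body):
        if b != AMF3_OBJECT:
            continue
        try:
            traits, pos = read_u29(body, i + 1)
            if traits & 0x07 != 0x07:
                continue
            name_ref, pos = read_u29(body, pos)
            if not name_ref & 1:      # low bit 0 = string table reference
                continue
            n = name_ref >> 1
            raw = body[pos:pos + n]
            if n and len(raw) == n and raw.decode("utf-8").isprintable():
                found.append(raw.decode("utf-8"))
        except (IndexError, UnicodeDecodeError):
            continue
    return found


def triage_request(packet):
    """Return human-readable findings for one AMF request."""
    findings = []
    for msg in parse_amf_envelope(packet)["messages"]:
        body = msg["body"]
        if body[:1] == bytes([AMF0_AVMPLUS]):
            for cls in find_externalizable_classes(body):
                findings.append(f"AMF3 externalizable object '{cls}' in message to {msg['target']!r}")
        if JAVA_SERIAL_MAGIC in body:
            findings.append(f"embedded Java serialization stream in message to {msg['target']!r}")
    return findings


def build_sample_packet(body, target="flex2gateway", response="/1"):
    """Constructed AMF0 packet (no headers, one message) for the demo."""
    return (struct.pack(">HHH", 0, 0, 1) + _utf8(target) + _utf8(response)
            + struct.pack(">I", len(body)) + body)


# Constructed AMF3 body: switch marker, object marker, traits word 0x07, a
# placeholder class name (26 chars, so its U29 length word fits in one byte),
# then opaque bytes standing in for what readExternal() would consume.
_CLASS = "example.ExternalizableType"
CONSTRUCTED_EXT_BODY = (bytes([AMF0_AVMPLUS, AMF3_OBJECT, 0x07, (len(_CLASS) << 1) | 1])
                        + _CLASS.encode() + b"\x01\x02\x03")
CONSTRUCTED_BENIGN_BODY = b"\x02" + _utf8("hello")  # plain AMF0 string value

if __name__ == "__main__":
    for label, body in (("externalizable", CONSTRUCTED_EXT_BODY), ("benign", CONSTRUCTED_BENIGN_BODY)):
        print(label, triage_request(build_sample_packet(body)) or "no findings")
```

Run against a captured POST body for the flex2gateway endpoints, the script reports which message slot declared an externalizable class, which is the signal worth alerting on for a ColdFusion instance that has not been patched; a header whose length field is omitted makes the envelope parser stop rather than guess, since decoding past it would require a full AMF0 value reader.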

Attack Flow:


Setting Up the Vulnerable Environment:

To exploit the vulnerability, we can set up the Adobe ColdFusion instance using Docker with the following command:


Figure 2: Setting up vulnerable environment

Exploiting the Vulnerability:

Now, we need to craft a malicious serialized payload and send it to the vulnerable ColdFusion server. We can achieve this using ysoserial and ColdFusionPwn.

ysoserial:

It is a tool used to generate malicious serialized Java objects to exploit deserialization vulnerabilities. It creates a payload containing a gadget chain (e.g., CommonsBeanutils1): a sequence of pre-existing Java classes whose methods, when invoked during deserialization, end up executing arbitrary code. You can download it from here.

ColdFusionPwn:

It is a specialized exploit tool for ColdFusion deserialization vulnerabilities. It generates AMF-based serialized payloads that ColdFusion will process, encoding the ysoserial payload into an AMF (Action Message Format) request. You can download it from here.

To generate the malicious serialized payload, we can run the following command:

Note: “touch /tmp/success” is the command we want to execute on the server.

Figure 3: Creating malicious payload

The following Python script is used to deliver the payload to ColdFusion's flex2gateway/amf endpoint.


Figure 4: Python code to deliver the payload

Once the ColdFusion server deserializes the payload (as shown in the attack flow), it executes the command “touch /tmp/success”, which creates a file named success in the /tmp directory, hence achieving remote code execution.

Figure 5: Successfully achieved exploitation

Conclusion:

To protect against these vulnerabilities, it is crucial to update to the latest ColdFusion releases. Leveraging threat detection solutions can further strengthen your defenses against emerging threats and ensure the continued integrity of your systems. You can also use the Keysight test platforms with ATI subscription to safeguard your network against such attacks.

Leverage Subscription Service To Stay Ahead Of Attacks:

Keysight’s Application and Threat Intelligence (ATI) Subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Center continuously monitors threats as they appear in the wild and has just released a strike for this CVE as part of BreakingPoint System’s recent update 2025-04 to help keep your network secure. More information is available here.

The following images show screenshots of the CVE as a strike in BreakingPoint System:


References:

https://nvd.nist.gov/vuln/detail/cve-2017-3066

https://github.com/vulhub/vulhub/tree/master/coldfusion/CVE-2017-3066

https://codewhitesec.blogspot.com/2018/03/exploiting-adobe-coldfusion.html
