# Adobe ColdFusion 2025 Lockdown Preconditioned RCE Proof

## Verdict

The original unauthenticated Lockdown-bypass claim is still not proven. Unauthenticated RDS FILEIO
requests against the locked target return:

```text
-100:Unable to authenticate on RDS server using current security information.
```

However, a preconditioned RCE chain is confirmed in Docker:

- Product: Adobe ColdFusion 2025 Update 10.
- Lockdown state: Server Auto-Lockdown effects present in the test container.
- Ingress precondition: direct Tomcat/RDS access on port 8500 is reachable.
- Credential precondition: attacker has a valid RDS password. In the Docker target this is `admin`,
  configured through the image environment.
- Impact: arbitrary CFML write to the ColdFusion webroot followed by command execution as `cfuser`.

This should be represented as a separate, preconditioned impact proof, not as an unauthenticated
Adobe Lockdown bypass.

## Exploit Chain

1. Send unauthenticated FILEIO to direct Tomcat:
   `POST /CFIDE/main/ide.cfm?ACTION=FILEIO`
2. Observe RDS authentication blocks the request with `-100`.
3. Send authenticated FILEIO with final RDS metadata field `;admin`.
4. Read `/etc/passwd` via absolute path with no `..`.
5. Write CFML to `/opt/coldfusion/cfusion/wwwroot/pruva_lockdown_docker_rce.cfm`.
6. Request `/pruva_lockdown_docker_rce.cfm` through Tomcat or Apache.
7. Confirm execution of `/usr/bin/id` as the ColdFusion service user.

## Evidence

The repeatable Docker proof is:

```text
/tmp/cf-lockdown-goal/prove_lockdown_rce.sh
```

The proof log is:

```text
/tmp/cf-lockdown-goal/proof.log
```

Key output:

```text
unauth_tomcat_http=200 unauth_blocked=1
auth_read_tomcat_http=200 auth_read_ok=1
auth_write_tomcat_http=200 auth_write_ok=1
tomcat_shell_http=200 tomcat_rce_ok=1
apache_shell_http=200 apache_rce_ok=1
apache_cfide_http=404 apache_cfide_blocked=1
apache_encoded_cfide_http=404 apache_encoded_cfide_blocked=1
VERDICT=preconditioned_rce
PRECONDITIONS=direct_tomcat_rds_access_and_valid_rds_password
```

RCE marker:

```text
PRUVA_LOCKDOWN_DOCKER_RCE:uid=999(cfuser) gid=999(cfuser) groups=999(cfuser)
```

## Scope Notes

This does not satisfy an unauthenticated reportable-bypass claim by itself because RDS authentication
is enforced. It is still security-relevant because Lockdown did not remove the RDS FILEIO primitive
from direct Tomcat; with valid RDS credentials and direct Tomcat exposure, an attacker can write a
CFML template and reach command execution.

## Recommended Claim Language

Use:

```text
Authenticated RDS FILEIO absolute-path write remains exploitable after Lockdown when direct Tomcat is
reachable, enabling CFML webroot write and command execution as cfuser.
```

Do not use:

```text
Unauthenticated ColdFusion 2025 Server Auto-Lockdown bypass.
```
