Leveraging Adobe LiveCycle
Adobe LiveCycle is an enterprise document and form platform that is being widely adopted by businesses and government agencies who are looking to centralize processes and document management capabilities. As with many web-based applications that connect to back-end systems, this provides additional attack surface that may be leveraged to gain a foothold into the target network. For defenders, this means ensuring LiveCycle administrators are exercising good security practices across the LiveCycle surface, which can be quite large as you’ll see in this post. LiveCycle works across many platforms as seen here and installations may vary. In this post, I’ll point out the areas of LiveCycle ES4 that may provide fruitful attack vectors to leverage on your next engagement.
LiveCycle has several access portals setup during the default installation that may provide access with default credentials. My experience has shown that Administrators have a tendency to change the main “adminui portal” password and overlook changing the OSGI administrative console password. Adobe was even kind enough to leave the OSGI console out of the “Next Steps” to perform after installation!
“OSGI provides developers with a way to create applications at a modular level, allowing the development and management of individual components that work together to form that larger puzzle as an adaptive and dynamic system.” — Source http://www.icidigital.com/osgi-with-cq5/
This console provides a very useful scripting console which we can leverage to further attack the system and possibly gain a system shell. Let’s run through an example of this attack path.
OSGI Attack Path:
The OSGI login uses Basic Authentication and can be typically accessed at “http[s]://[hostname]:[port]/lc/system/console”. The default credentials for this portal are admin:admin.
Next, select “Script Console” under the main menu tab as shown.
Now we are prompted with the scripting console where depending on the target setup, we can run various scripting languages.
Now, we use this script found at http://groovy.codehaus.org
def command = “””executable arg1 arg2 arg3"””
def proc = command.execute()
proc.waitFor()println “return code: ${ proc.exitValue()}”
println “stderr: ${proc.err.text}”
println “stdout: ${proc.in.text}”
For example, we’ll call a simple directory command. Make sure you correctly escape as shown in the example and provide an absolute path for a Windows target. Linux targets will not require absolute paths.
In Linux you’ll most likely be an un-privileged user and need to escalate privileges. In Windows, we’re lucky enough that Adobe LiveCycle requires that the Administrator disable UAC during install and as you see next, should be running as system.
For this example, I decide to utilize PowerSploit to inject a reverse payload. Don’t forget to escape any additional quotes!
I had trouble with WP posting this as a code block so it’s an image.
Workspace Attack Path:
On a recent engagement I found the client had a custom application built that was accessible via the workspace path. Using the default credentials of atanaka:password, I was able to access the application that was obviously still being built. The application utilized the MYSQL database and was vulnerable to SQL Injection. It may be worth enumerating any custom-built LiveCycle applications that you run across. The default credentials I used are listed below from the sample setup utility.
Default URLS and Logins
To access the Correspondence Management Solution, you can access the solution template by using the following URL and login information:
URL from another computer: http://[host name]:8080/lc/cm/
URL from another computer if SSL was enabled: https://[host name]:8443/lc/cm/
Default user name: administrator
Default password: password
To access Administration Console, use the following URL and login information:
URL from another computer: http://[host name]:8080/adminui
URL from another computer if SSL was enabled: https://[host name]:8443/adminui
Default user name: administrator
Default password: password
To access the CRX Package Manager, use the following URL and login information:
URL from another computer: http://[host name]:8080/lc/crx/packmgr/index.jsp
URL from another computer if SSL was enabled: https://[host name]:8443/lc/crx/packmgr/index.jsp
Default user name: administrator
Default password: password
To access Mobile Forms Installation Verification Sample (IVS) application, use the following information:
URL from another computer: http://[host name]:8080/mobileformsivs
URL from another computer if SSL was enabled: https://[host name]:8443/mobileformsivs
If you have installed and deployed Reader Extensions, access the web application as follows:
URL from another computer: http://[host name]:8080/ReaderExtensions
URL from another computer if SSL was enabled: https://[host name]:8443/ReaderExtensions
Default user name: administrator
Default password: password
If you have installed and deployed Process Management, access the Workspace web application as follows:
Flex Workspace:
URL from another computer: http://[host name]:8080/workspace
URL from another computer if SSL was enabled:https://[host name]:8443/workspace
HTML Workspace:
URL from this computer: http://localhost:8080/lc/content/ws
URL from another computer: http://[host name]:8080/lc/content/ws
URL from another computer if SSL was enabled:https://[host name]:8443/lc/content/ws
Default user name: administrator
Default password: password
Additional default credentials that may be installed. These credentials are available if the administrator utilized the Adobe Sample Setup Utility.
User Name
Password
Email
Role
atanakapasswordatanaka@sampleorganization.comLiveCycle Application Administrator
LiveCycle Workspace User
LiveCycle Contentspace Administrator
LiveCycle Contentspace Userjjacobspasswordjjacobs@sampleorganization.comLiveCycle Workspace User
LiveCycle Contentspace Usersrosepasswordsrose@sampleorganization.comLiveCycle Workspace User
LiveCycle Contentspace Userkbowmanpasswordkbowman@sampleorganization.comLiveCycle Workspace User
LiveCycle Contentspace User
