Solved

Security breach: ColdFusion 8 IIS server vulnerability

Posted on 2011-09-14
Last Modified: 2012-05-12
Some malicious CF shells were found on the CF8 server.
These scripts appear to have been used to route mail through ColdFusion as well, which would explain the repeated errors being received from SmarterMail (shown in the CF mail.log):

Our host engineers have suggested a
<cffile action="upload"> script that would allow the attacker to get a template onto the system, then use tags such as <cfexecute> to further open the system up.

Here is our typical cffile code. We only allow certain file types, i.e. doc, jpg, pdf, etc.

Do you know of this vulnerability with cffile? What can be done to tighten it up?



For picture uploads

<cflock
timeout="30"
type="exclusive">
<cfset DestinationDirectory = "C:\Websites\BlaBlaBla\pics">

<cffile action = "Upload"
DESTINATION = "#DestinationDirectory#\#NewFile#"
FILEFIELD="UploadFile"
nameconflict="Overwrite"
ACCEPT="image/jpeg,image/jpg,image/pjpeg">

</cflock>

For documents and scans

<cflock
timeout="30"
type="exclusive">
<cffile action = "Upload"
DESTINATION = "#DestinationDirectory#\#form.MemberSlideName#.tmp"
FILEFIELD="UploadFile"
nameconflict="Overwrite"
ACCEPT="image/tiff,image/gif,image/pjpeg,image/jpg,image/jpeg,image/png,image/bmp,application/msword,application/pdf,text/plain,text/html">
</cflock>

Question by:Ian White
9 Comments
LVL 39

Expert Comment

by:gdemaria
If you upload the file to a destination within the webroot, the file could be executed using a browser if they know the path to the file.   Often files are kept outside the webroot so this cannot happen.

It's interesting that you change the extension of the file when uploading, I would think that would help.  I do just the opposite.  I change the file name (because the user's file name often can contain illegal characters) and keep the extension.  So, I rename it to 1234.jpg  or 98437.doc.  

Use cfdocument to pull the file from outside the webroot and deliver it under the correct name.
LVL 52

Expert Comment

by:_agx_
>> Do you know of this vulnerability with cffile? What can be done to tighten it up?
>> ACCEPT="image/jpeg,image/jpg,image/pjpeg"

It's probably a mime type exploit. Mime types are easy to fake. A more robust test is to verify the file really contains an image with the IsImage function, along with checking the file extension.


>> Often files are kept outside the webroot so this cannot happen
>> Use cfcontent to pull the file from outside the webroot and deliver it under the correct name.

That's the best security measure you can take.  Just make sure the directory does not allow execution.  The malicious code can't run if the file cannot be executed.  

This thread has some very good tips on securing file uploads
http://www.petefreitag.com/item/701.cfm



Author Comment

by:Ian White
Does the hacker have the webroot path of the uploaded file? It goes to subdirectory /pics, but if this
was something obscure like /dsaf97fds, would that not achieve the same thing? Also, if executions are not allowed from this directory, would that not stop that?
LVL 52

Expert Comment

by:_agx_
>> Does the hacker have the webroot path of the uploaded file?
>> would that not achieve the same thing?

No, you can't rely on security by obscurity. If the app provides a direct link to files, they could be executed just by a user clicking on a link, etc..

>> Also if executions are not allowed from this directory would that not stop that?

Probably... but the exact settings vary by web server and o/s. With rules and inheritance it's easy to overlook something. I'd run it past your network admin.  

But storing them outside the web root is simplest.  The files can't be accessed at all via the web. Using <cfcontent> to return them to the user ensures they're never executed.
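As an added illustration of _agx_'s advice (not code from this thread): a download.cfm that looks a stored file up by id, reads it from a directory outside the web root and hands it back with <cfcontent>, so the file is never addressable or executable through the web server. The directory path, the datasource "members", and the table "member_files" with its columns are assumptions.

```cfml
<!--- Added example, not the thread's code. Serves a stored upload from outside
      the web root. Assumed: directory below, datasource "members", table
      member_files(file_id, stored_name, original_name, mime_type). --->
<cfset documentDir = "C:\Uploads\docs">

<cfparam name="url.id" default="0">
<cfif NOT IsNumeric(url.id) OR url.id LT 1>
    <cfthrow message="Invalid file id.">
</cfif>

<!--- The on-disk name comes from the database, never from the request,
      so "../" tricks in the URL have nothing to act on --->
<cfquery name="f" datasource="members">
    SELECT stored_name, original_name, mime_type
    FROM member_files
    WHERE file_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Add the "does the logged-in member own this file" check here --->
<cfif f.recordCount NEQ 1>
    <cfthrow message="File not found.">
</cfif>

<cfset filePath = documentDir & "\" & f.stored_name>
<cfif NOT FileExists(filePath)>
    <cfthrow message="File not found.">
</cfif>

<!--- Restrict the display name so it cannot smuggle characters into the header --->
<cfset safeName = REReplace(f.original_name, "[^A-Za-z0-9._-]", "_", "all")>

<!--- attachment: the browser saves the file instead of rendering it inline --->
<cfheader name="Content-Disposition" value="attachment; filename=""#safeName#""">
<cfcontent type="#f.mime_type#" file="#filePath#">
```

The mime_type column is assumed to have been recorded by the upload handler from the vetted extension, not taken from the browser's upload request.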
LVL 1

Expert Comment

by:hyperfuse
at AveAGo:
Even if execution is not allowed, it would still be possible to execute ColdFusion script (*.cfm) files via cfexecute, because otherwise it would not be possible to process any ColdFusion pages in this directory.

To increase the level of security you could disable the cfexecute tag within coldfusion administrator:
in CF8: Security Menu - Sandbox Security: Activate Sandbox Security and Restart ColdFusion. Add the appropriate directories with "Add Security Sandbox". Select each directory from the list at "Defined Directory Permissions". After selecting a directory, a new tabbed menu is displayed for this directory. Choose "CF Tags" and "CF Functions" to disable certain tags and functions at your needs.

And you could disable execution of JavaScript that is transmitted to the CF server via form fields, e.g. if the users can edit page content or forum threads. Just use "Server Settings / Settings" and activate "Enable Global Script Protection". This will automatically strip all scripting expressions from form and URL data and cookies. But: users that are using a content management system and intentionally want to edit HTML directly are then no longer able to edit JavaScript, because their scripting text is stripped too.
LVL 52

Expert Comment

by:_agx_
>> execute cold fusion scripts (*.cfm) files via cfexecute

You can't run a cfm script via cfexecute.  But hackers wouldn't need to. All it takes to execute a .cfm script is to open the url in a browser and any malicious code inside it runs.  

>> you could disable the cfexecute tag

Truthfully a hacker doesn't need cfexecute to do lots of damage.  Once they manage to upload a cfm script to a web accessible location that allows execution, you've got much bigger problems.  Anything you can do in code - they can do too. Read/modify the file system, databases, etc...

>> it would not be possible to process any coldfusion pages in this directory

Yeah, but normally you don't want to store .cfm scripts and uploaded files all jumbled together in the same directory anyway.
LVL 1

Accepted Solution

by:hyperfuse (earned 250 total points)
at agx: okay, I now have got that with "cfexecute". I did not know that cfexecute cannot execute cfm files (we never tried it and have disabled cfexecute on all systems). So thanks for that bit ;-)

I completely agree that the solution to store the files outside the web space and deliver them via cfcontent is the most secure way to do this.

Another idea as a temporary workaround: as far as I know, the web server decides by file extension which files have to be passed to ColdFusion, e.g. cfm, cfc, etc. So it would be a good idea to avoid uploading files with those extensions. Files could then be uploaded to a directory outside the web space, the extension could be checked, and all cfm etc. files would be deleted automatically after the upload. Other files could be copied to their designated destination. Proceeding that way would not cause any changes in document retrieval, so those programs do not need to be changed.
This will give AveAGo some more time to upgrade the programs and to implement the solution with cfcontent.
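An added example (not code from this thread) that combines _agx_'s "check the extension and verify the bytes are really an image" advice with hyperfuse's holding-directory workaround: the upload lands outside the web root, is validated, and is then either moved under a server-generated name or deleted. The directory paths and the form field name UploadFile are assumptions; IsImageFile is the path-taking form of the image check _agx_ refers to.

```cfml
<!--- Added example, not the thread's code. Upload to a holding directory outside
      the web root, validate, then move or delete. Paths and the form field
      "UploadFile" are assumptions. --->
<cfset holdingDir = "C:\Uploads\holding\">   <!--- trailing slash: a directory --->
<cfset documentDir = "C:\Uploads\docs">
<cfset imageExt = "jpg,jpeg,gif,png,bmp,tif,tiff">
<cfset docExt = "pdf,doc,txt">

<!--- No accept= attribute: the browser-supplied MIME type is easy to fake,
      so the checks below decide instead --->
<cffile action="upload"
        filefield="UploadFile"
        destination="#holdingDir#"
        nameconflict="makeunique">

<cfset uploadedPath = cffile.serverDirectory & "\" & cffile.serverFile>
<cfset ext = LCase(cffile.serverFileExt)>
<cfset ok = false>

<cfif ListFindNoCase(imageExt, ext)>
    <!--- Extension claims an image: confirm the content really decodes as one --->
    <cfset ok = IsImageFile(uploadedPath)>
<cfelseif ListFindNoCase(docExt, ext)>
    <cfset ok = true>
</cfif>

<cfif ok>
    <!--- Generated name: nothing client-supplied reaches the final path, and the
          extension has already been vetted against the allow-list above --->
    <cfset storedName = CreateUUID() & "." & ext>
    <cffile action="move"
            source="#uploadedPath#"
            destination="#documentDir#\#storedName#">
    <!--- Record storedName (and the original name) against the member here;
          the download page later looks the file up by id, never by URL path --->
<cfelse>
    <!--- .cfm, .exe, a script renamed to .jpg, anything not on the list: gone --->
    <cffile action="delete" file="#uploadedPath#">
    <cfthrow message="Upload rejected: file type not allowed.">
</cfif>
```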
LVL 52

Assisted Solution

by:_agx_ (earned 250 total points)
>> I did not know that cfexecute cannot execute cfm files

To clarify, the reason is .cfm files aren't independent like executables. They need a bunch of other stuff to execute them, i.e. a CF server, web context, etc.. Might be technically possible to do it, but it's hardly worth the effort when other exploits are so much simpler.

>> So it would be a good idea to avoid uploading files with those extensions.
Remember it's not just .cfm files that are risky. There's .exe's and other file types too. Basically any language running on the server, asp, php, etc..

But like I mentioned, it's too easy to miss things with that approach. The more bullet proof solution is storing the files where they can't be executed and ONLY serving them up with <cfcontent>.
Author Closing Comment

by:Ian White
thanks for contributions