Solved

Security breach: ColdFusion 8 IIS server vulnerability

Posted on 2011-09-14
763 Views
Last Modified: 2012-05-12
Some malicious CF shells were found on the CF8 server.
These scripts appear to have been used to route mail through ColdFusion as well, which would explain the repeated errors being received from SmarterMail (shown in the CF mail.log):

Our host engineers have suggested a <cffile action="upload"> script that would allow the attacker to get a template onto the system, then use tags such as <cfexecute> to further open the system up.

Here is our typical cffile code. We only allow certain file types, i.e. doc, jpg, pdf, etc.

Do you know of this vulnerability with cffile? What can be done to tighten it up?



For picture uploads

<cflock timeout="30" type="exclusive">
    <cfset DestinationDirectory = "C:\Websites\BlaBlaBla\pics">

    <cffile action="Upload"
        destination="#DestinationDirectory#\#NewFile#"
        filefield="UploadFile"
        nameconflict="Overwrite"
        accept="image/jpeg,image/jpg,image/pjpeg">
</cflock>

For documents and scans

<cflock timeout="30" type="exclusive">
    <cffile action="Upload"
        destination="#DestinationDirectory#\#form.MemberSlideName#.tmp"
        filefield="UploadFile"
        nameconflict="Overwrite"
        accept="image/tiff,image/gif,image/pjpeg,image/jpg,image/jpeg,image/png,image/bmp,application/msword,application/pdf,text/plain,text/html">
</cflock>

Question by:Ian White
9 Comments
 
LVL 39

Expert Comment

by:gdemaria
ID: 36540521
If you upload the file to a destination within the webroot, the file could be executed using a browser if they know the path to the file.   Often files are kept outside the webroot so this cannot happen.

It's interesting that you change the extension of the file when uploading, I would think that would help.  I do just the opposite.  I change the file name (because the user's file name often can contain illegal characters) and keep the extension.  So, I rename it to 1234.jpg  or 98437.doc.  

Use cfdocument to pull the file from outside the webroot and deliver it under the correct name.
 
LVL 52

Expert Comment

by:_agx_
ID: 36540687
>> Do you kow of this vulnerability with cffile ?  What can be done to tighten it up?
>> ACCEPT="image/jpeg,image/jpg,image/pjpeg"

It's probably a mime type exploit. Mime types are easy to fake. A more robust test is to verify the file really contains an image with the IsImage function, along with checking the file extension.


>> Often files are kept outside the webroot so this cannot happen
>> Use cfcontent to pull the file from outside the webroot and deliver it under the correct name.

That's the best security measure you can take.  Just make sure the directory does not allow execution.  The malicious code can't run if the file cannot be executed.  

This thread has some very good tips on securing file uploads
http://www.petefreitag.com/item/701.cfm


 

Author Comment

by:Ian White
ID: 36542087
Does the hacker have the webroot path of the uploaded file? It goes to subdirectory /pics but if this
was something obscure like /dsaf97fds would that not achieve the same thing? Also if executions are not allowed from this directory would that not stop that?

 
LVL 52

Expert Comment

by:_agx_
ID: 36542647
>> Does the hacker have the webroot path of the uploaded file?
>> would that not achieve the same thing?

No you can't rely on security by obscurity.  If the app provides a direct link to files, they could be executed just by a user clicking on a link, etc..

>> Also if executions are not allowed from this directory would that not stop that?

Probably... but the exact settings vary by web server and o/s. With rules and inheritance it's easy to overlook something. I'd run it past your network admin.  

But storing them outside the web root is simplest.  The files can't be accessed at all via the web. Using <cfcontent> to return them to the user ensures they're never executed.
 
LVL 1

Expert Comment

by:hyperfuse
ID: 36542673
at: AveAGo:
Even if execution is not allowed, it would still be possible to execute ColdFusion script (*.cfm) files via cfexecute, because otherwise it would not be possible to process any ColdFusion pages in this directory.

To increase the level of security you could disable the cfexecute tag within the ColdFusion Administrator:
in CF8: Security Menu - Sandbox Security: activate Sandbox Security and restart ColdFusion. Add the appropriate directories with "Add Security Sandbox". Select each directory from the list at "Defined Directory Permissions". After selecting a directory, a new tabbed menu is displayed for this directory. Choose "CF Tags" and "CF Functions" to disable certain tags and functions as needed.

And you could disable execution of JavaScript that is transmitted to the CF server via form fields, e.g. if the users can edit page content or forum threads. Just use "Server Settings / Settings" and activate "Enable Global Script Protection". This will automatically strip all scripting expressions from form and URL data and cookies. But: users that are using a content management system and intentionally want to edit HTML directly are then no longer able to edit JavaScript, because their scripting texts are stripped as well.
 
LVL 52

Expert Comment

by:_agx_
ID: 36543082
>> execute cold fusion scripts (*.cfm) files via cfexecute

You can't run a cfm script via cfexecute. But hackers wouldn't need to. All it takes to execute a .cfm script is to open the URL in a browser, and any malicious code inside it runs.

>> you could disable the cfexecute tag

Truthfully a hacker doesn't need cfexecute to do lots of damage.  Once they manage to upload a cfm script to a web accessible location that allows execution, you've got much bigger problems.  Anything you can do in code - they can do too. Read/modify the file system, databases, etc...

>> it would not be possible to process any coldfusion pages in this directory

Yeah, but normally you don't want to store .cfm scripts and uploaded files all jumbled together in the same directory anyway.
 
LVL 1

Accepted Solution

by:hyperfuse
hyperfuse earned 250 total points
ID: 36543597
at agx: okay, I now have got that with "cfexecute". I did not know that cfexecute cannot execute cfm files (we never tried it and have disabled cfexecute on all systems). So thanks for that bit ;-)

I completely agree that the solution to store the files outside the web space and deliver them via cfcontent is the most secure way to do this.

Another idea as a temporary workaround: as far as I know, the web server decides by file extension which files have to be passed to ColdFusion, e.g. cfm, cfc, etc. So it would be a good idea to avoid uploading files with those extensions. Files could then be uploaded to a directory outside the web space, the extension could be checked, and all cfm etc. files deleted automatically after the upload. Other files could be copied to their designated destination. Proceeding that way would not cause any changes in document retrieval, so those programs do not need to be changed.
This will give AveAGo some more time to upgrade the programs and to implement the solution with cfcontent.
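One way to put the thread's advice into practice, as an added example that is not code from the question or from either poster: the upload lands in a staging folder outside the web root, the extension is checked against an allow-list, image types are verified with IsImageFile() (the thread mentions IsImage; IsImageFile is the CF8 function that takes a path on disk), rejected files are deleted, accepted files are moved to a store outside the web root under a server-generated name, and a separate page streams them back with cfcontent. The directory paths, the form field name and the download page name are assumptions.

```cfml
<!--- Added example, not from the thread. Assumed: both folders sit outside the web root,
      the form field is named "UploadFile", and the second part lives in download.cfm. --->
<cfset stagingDir = "C:\Uploads\staging">
<cfset storeDir   = "C:\Uploads\store">
<cfset imageExt   = "jpg,jpeg,gif,png,bmp">
<cfset allowedExt = imageExt & ",pdf,doc,txt">

<!--- 1. Land the upload in staging first. ACCEPT still filters the declared mime type,
      but the browser chooses that header, so it is never trusted on its own. --->
<cffile action="upload"
        filefield="UploadFile"
        destination="#stagingDir#"
        nameconflict="makeunique"
        accept="image/jpeg,image/pjpeg,image/gif,image/png,image/bmp,application/msword,application/pdf,text/plain">

<cfset stagedPath = cffile.serverDirectory & "\" & cffile.serverFile>
<cfset ext = lCase(cffile.serverFileExt)>

<!--- 2. Extension allow-list: .cfm, .cfc, .exe, .asp, .php and anything else not listed is rejected. --->
<cfset ok = listFindNoCase(allowedExt, ext) GT 0>

<!--- 3. For image types, confirm the bytes actually decode as an image (the faked-mime-type case). --->
<cfif ok AND listFindNoCase(imageExt, ext) AND NOT isImageFile(stagedPath)>
    <cfset ok = false>
</cfif>

<cfif NOT ok>
    <!--- Rejected files never leave staging. --->
    <cffile action="delete" file="#stagedPath#">
    <cfthrow message="Upload rejected: file type or content not permitted.">
</cfif>

<!--- 4. Store under a server-chosen name; the client's file name is never used on disk. --->
<cfset storedName = createUUID() & "." & ext>
<cffile action="move" source="#stagedPath#" destination="#storeDir#\#storedName#">

<!--- download.cfm: the only route to the stored files. They are streamed as bytes from outside
      the web root, so the web server never treats them as a page to execute. --->
<cfset storeDir = "C:\Uploads\store">
<cfset id = reReplace(url.id, "[^A-Za-z0-9.\-]", "", "all")>  <!--- strip anything path-like --->
<cfif NOT fileExists("#storeDir#\#id#")>
    <cfthrow message="File not found.">
</cfif>
<cfheader name="Content-Disposition" value="attachment; filename=""#id#""">
<cfcontent type="application/octet-stream" file="#storeDir#\#id#" deletefile="no">
```

In a real application the UUID name would be mapped back to the user's original file name in the database; the download page here serves the stored name directly to keep the example short.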
 
LVL 52

Assisted Solution

by:_agx_
_agx_ earned 250 total points
ID: 36543943
>> I did not know that cfexecute cannot execute cfm files

To clarify, the reason is .cfm files aren't independent like executables. They need a bunch of other stuff to execute them, i.e. a CF server, web context, etc. It might be technically possible to do it, but it's hardly worth the effort when other exploits are so much simpler.

>> So it would be a good idea to avoid uploading files with those extensions.

Remember it's not just .cfm files that are risky. There are .exe's and other file types too. Basically any language running on the server: asp, php, etc.

But like I mentioned, it's too easy to miss things with that approach. The more bulletproof solution is storing the files where they can't be executed and ONLY serving them up with <cfcontent>.
 

Author Closing Comment

by:Ian White
ID: 36558275
thanks for contributions