Recent Posts

Jul 1 2009

CFWebstore File Upload Vulnerability

There has been a recent outbreak of attacks on servers running the ColdFusion shopping cart CFWebstore. The attackers upload a ColdFusion variant of the C99 web shell, which gives them full control of the ColdFusion process; once that file is on the server, consider the server compromised.

Here's what they do:


  1. Using the /customtags/uploadfile.cfm page, they spoof the MIME type of the upload to drop index.cfm and image.cfm into the /images/accounts directory. These are their web shells (think of them as control panels for your server).
  2. Once the web shells are in place, things go one of several ways:
    1. If cfexecute and cfregistry are disabled, they will likely just inject JavaScript into every site on your server.
    2. If cfexecute and cfregistry are enabled, they will likely install wminotify, which logs every password used to log into the server for remote administration and sends it back to the attacker. At this point, plan on building a new server: this level of compromise is deep and you are unlikely to clean it all up.
    3. If cfexecute and cfregistry were disabled and Sandbox Security was configured for each site, only the CFWebstore site that was attacked gets the JavaScript injection.
So you've been attacked, cleaned things up or rebuilt a server or two; what now? According to the folks at CFWebstore, you need to modify the application.cfm file for your store with the code from their blog. EDIT: More detailed information from CFWebstore. Use the link rather than a copy posted here, in case the code is changed later. I would also suggest upgrading to the newest version as fast as your budget and resources allow: according to CFWebstore, as of version 6 certain upload files in the customtags directory are no longer used and have been removed from the code base.

Additional details about the attack:
  • The shell contains many references to seraph; this is likely his/their blog in China.
  • It looks like one of seraph's buddies, chanm, is actually doing the attack, as I've seen Windows users created with the name chanm$.
  • More info about wminotify.dll from Symantec.
  • Read through the comments on Ray Camden's post about this issue, which include many details from various people's experience with this attack.
  • The attacker sometimes uploads a JSP file to get around the security layer in ColdFusion, which completely bypasses any Sandboxes you already had set up.
While this is a specific attack on one application, the lessons learned can be applied to any web application:
  • DO NOT blindly trust the MIME type sent by the browser; it is trivially spoofed.
  • DO write uploads to a directory outside your web root first.
  • DO run additional checks on uploaded files before pushing them live (the extension should match the content; use functions like isImageFile() and isPDFFile() in ColdFusion, etc.).
  • DO protect uploads with some sort of login (assuming your business rules do not require the public to upload content to your site).
  • DO disable JSP handling in ColdFusion if you don't use it; see Adobe's instructions.
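The following is an added example (Python, written for this page; it is not code from the original post or from CFWebstore) of a server-side upload gate that applies the list above: the client-declared MIME type is never consulted, only a fixed set of extensions is allowed, the first bytes of the file must match that extension, double extensions such as shell.cfm.jpg are refused, and accepted files are written under a server-chosen random name into a staging directory that the web server does not serve. The allowlist, the staging directory and the sample uploads are assumptions constructed for the example.

```python
import os
import secrets
import tempfile

# Extension -> byte signatures a file of that type must start with.
# The allowlist is an assumption for the example; extend it to what your
# application genuinely needs and nothing more.
ALLOWED_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}


def validate_upload(client_filename, data, declared_mime=None):
    """Return (ok, reason). declared_mime is taken as a parameter only to
    make the point that it is never consulted: the client chose it."""
    # Never trust client-supplied paths either: keep only the last component.
    base = os.path.basename(client_filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    # shell.cfm.jpg is the classic trick against servers that map handlers on
    # the first dot or strip the last extension; refuse double extensions.
    if "." in root:
        return False, "multiple extensions not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"content does not look like {ext}"
    return True, "ok"


def staging_path(staging_root, client_filename):
    """Server-chosen random name with the validated extension, under a
    directory the web server does not serve (the caller passes it in)."""
    ext = os.path.splitext(client_filename)[1].lower()
    return os.path.join(staging_root, secrets.token_hex(16) + ext)


def handle_upload(client_filename, data, declared_mime, staging_root):
    """Validate, then write into the staging area; anything that fails is
    never written anywhere. Returns a small result record."""
    ok, reason = validate_upload(client_filename, data, declared_mime)
    if not ok:
        return {"accepted": False, "reason": reason, "path": None, "bytes_written": 0}
    os.makedirs(staging_root, exist_ok=True)
    path = staging_path(staging_root, client_filename)
    with open(path, "xb") as fh:          # "x": refuse to overwrite
        fh.write(data)
    return {"accepted": True, "reason": reason, "path": path,
            "bytes_written": os.path.getsize(path)}


# Constructed sample uploads: filename -> (declared MIME type, first bytes).
SAMPLES = {
    "test.cfm": ("image/jpeg", b"<cfset x = 1>"),          # the spoof from the post
    "shell.jpg": ("image/jpeg", b"<cfset x = 1>"),         # shell renamed to .jpg
    "shell.cfm.jpg": ("image/jpeg", b"\xff\xd8\xff\xe0"),  # double extension
    "photo.jpg": ("text/plain", b"\xff\xd8\xff\xe0"),      # real JPEG, wrong MIME
}


def demo(staging_root=None):
    """Run every sample through the gate; returns {filename: result}."""
    if staging_root is None:
        staging_root = tempfile.mkdtemp(prefix="uploads-staging-")
    return {name: handle_upload(name, data, mime, staging_root)
            for name, (mime, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} accepted={result['accepted']!s:5} {result['reason']}")
```

Note that photo.jpg is accepted even though the client declared text/plain, and test.cfm is refused even though it declared image/jpeg: the declared type plays no part either way. The signature check is a cheap filter, not proof that the file is a well-formed image, so the step that moves a file from staging to the live area should still run it through an image library (isImageFile() in ColdFusion) before it is ever served.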
Edit: It's been a long two weeks dealing with these; if I've missed something, let me know in the comments.

Last Update: 2 July 2009 12:40 PM

5 comments - Posted by Brent Frye at 6:13 PM - Categories: ColdFusion | Security

Jun 27 2009

Spoofing MIME Types with ColdFusion and CFHTTP

Think your file uploads are secure? Think again. Using this very simple technique with ColdFusion installed locally, you can easily spoof the MIME type of any file and get it uploaded to another server, opening the door to any number of code exploits.

First, we're going to write a quick file upload script:

<cfform name='upload' action='uploadact.cfm' enctype='multipart/form-data' method='post'>
  <cfinput type='file' name='FileUpload' required='yes' message='Select a file to upload.' /><br />
  <cfinput type='submit' value='Upload File' name='submit' />
</cfform>

Notice that this posts to an action page called uploadact.cfm, which accepts only JPEGs and GIFs; that page handles the upload as follows:

<cfif isDefined('fileUpload')>
  <!--- accept= compares only the MIME type the client sent; that is the weak check this post demonstrates --->
  <cffile action='upload'
     fileField='fileUpload'
     destination='C:\path\to\upload'
     accept='image/jpeg,image/gif'
     nameconflict='makeunique'>

  <p>Thank you, your file has been uploaded.</p>
  <p><a href='/'>Return Home</a></p>
</cfif>

Now for the fun part: a page using cfhttp, run on the attacker's own server or workstation, that uploads a file local to them while faking the MIME type with cfhttpparam:

<cfhttp url='http://example.com/uploadact.cfm' method='post'>
  <cfhttpparam type='formfield' value='Upload File' name='submit'>
  <cfhttpparam type='file' name='FileUpload' file='C:\Path\To\test.cfm' mimetype='image/jpeg'>
</cfhttp>

With this we could upload an ASP or ColdFusion web shell that would give us essentially unlimited access to the server. So follow these tips:

  1. If you have an Enterprise license, use Sandbox Security. This limits each site to its own set of directories and data sources.
  2. Disable cfexecute and cfregistry. If you can use Sandboxes, do this in each Sandbox, or set up a global Sandbox on your main site's directory. If you absolutely need cfexecute, remember that you can set up a Sandbox for a single folder with access to it and put your processing files there (say, to use FFmpeg for video conversion).
  3. Disable JSP (Adobe instructions) if you don't actually use it. Since ColdFusion runs as SYSTEM by default on Windows, any JSP file that makes its way onto the server has full access, and JSPs don't honour Sandboxes, so even if they are set up they are of no use against one.
  4. Run ColdFusion as another user (Adobe instructions). Running ColdFusion as a less privileged user prevents total control of your server should something malicious get uploaded.
  5. Always perform multiple checks on your file uploads (Pete Freitag has a good article on this).
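To make concrete what the cfhttp page above actually puts on the wire, here is an added example (Python, written for this page; it is not code from the original post) that builds the same multipart/form-data body with a spoofed Content-Type on the file part, then parses it the way a naive action page does. The boundary string, the field names and the sample test.cfm payload are constructed for the example.

```python
import re

# Constructed sample payload: the file the attacker wants on the server.
SHELL_CFM = b'<cfset r = "hello from test.cfm">\r\n<cfoutput>#r#</cfoutput>\r\n'


def build_multipart(fields, file_field, filename, content, declared_type,
                    boundary="----spoofboundary1234"):
    """Serialize form fields plus one file part; the caller picks the file
    part's Content-Type exactly as cfhttpparam type='file' mimetype= does.
    Returns (body bytes, value for the request's Content-Type header)."""
    out = bytearray()
    for name, value in fields.items():
        out += f"--{boundary}\r\n".encode()
        out += f'Content-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
        out += value.encode() + b"\r\n"
    out += f"--{boundary}\r\n".encode()
    out += (f'Content-Disposition: form-data; name="{file_field}"; '
            f'filename="{filename}"\r\n').encode()
    out += f"Content-Type: {declared_type}\r\n\r\n".encode()
    out += content + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out), f"multipart/form-data; boundary={boundary}"


def parse_multipart(body, content_type):
    """Minimal multipart/form-data parser: returns one dict per part with the
    headers the client declared and the raw payload. Like a naive server, it
    validates nothing."""
    boundary = re.search(r"boundary=([^;]+)", content_type).group(1).strip('"')
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, payload = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode().split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r';\s*name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": fname.group(1) if fname else None,
            "content_type": headers.get("content-type"),
            "data": payload[:-2] if payload.endswith(b"\r\n") else payload,
        })
    return parts


def accepts_by_declared_type(part, accept="image/jpeg,image/gif"):
    """What a check like cffile accept='image/jpeg,image/gif' amounts to:
    compare the Content-Type header the client chose against a list."""
    return part["content_type"] in [t.strip() for t in accept.split(",")]


def looks_like_cfml(data):
    """What the server never looked at: the bytes of the part itself."""
    return re.search(rb"<cf[a-z]+[\s>]", data[:4096], re.IGNORECASE) is not None


def spoof_demo():
    """Replay the post's cfhttp request and report what the server saw."""
    body, ctype = build_multipart({"submit": "Upload File"}, "FileUpload",
                                  "test.cfm", SHELL_CFM, "image/jpeg")
    file_part = [p for p in parse_multipart(body, ctype) if p["filename"]][0]
    return {
        "filename": file_part["filename"],
        "declared": file_part["content_type"],
        "mime_check_passes": accepts_by_declared_type(file_part),
        "payload_is_cfml": looks_like_cfml(file_part["data"]),
    }


if __name__ == "__main__":
    print(spoof_demo())
```

The only thing accept= ever compares is the Content-Type line inside the file part, and that line is written by whoever built the request. Nothing about the payload enters the decision, which is why the checks in the tips above have to look at the bytes, the extension and where the file lands rather than at this header.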

0 comments - Posted by Brent Frye at 6:58 PM - Categories: ColdFusion | Security

Mar 23 2009

Jason Dean's Security Series

Jason over at 12Robots.com has been writing a really great series of articles about secure application development for quite some time. Since I haven't seen them all in one index, I put links to all the articles on this page.

I'm pretty sure I got them all from Jason's site, but if I missed any, just let me know in a comment.

0 comments - Posted by Brent Frye at 9:07 PM - Categories: Series | ColdFusion | Security

Previous Posts

Mar 16
Feb 6

cfimage CAPTCHA Timer already cancelled

0 comments - Posted by Brent Frye at 3:25 PM - Categories: ColdFusion |

Jan 24

ColdFusion Verity - Unable to create temporary file

0 comments - Posted by Brent Frye at 1:26 PM - Categories: Verity | ColdFusion |

Jan 17

cfimage CAPTCHA Not Displaying

0 comments - Posted by Brent Frye at 9:55 PM - Categories: ColdFusion | Server Administration |
