NOTE: Please read my follow-up to this and the recent FCKEditor issues affecting ColdFusion, also if you’re using TinyMCE with the TinyBrowser plugin read this post as well.
There has been a recent outbreak of attacks on servers running the ColdFusion shopping cart CFWebstore, that is allowing the attackers to upload a ColdFusion variant of the C99 shell script. This is giving them full access to your server and it will get compromised if they get that file up there.
Here’s what they do:
- Using the /customtags/uploadfile.cfm page, they are spoofing the MIME type to upload index.cfm and image.cfm to /images/accounts directory – these are their web shells (think of them like control panels).
- After having these web shells uploaded, things can go one of several ways:
- If you have cfexecute/cfregistry enabled, they will likely attack you with wminotify, this allows them to log and send back home all passwords used to log into the server for remote administration. At this point, you should probably plan to build a new server because this level of compromise is pretty deep and you likely won’t clean it all up.
So, you’ve been attacked, cleaned things up/rebuilt a server or two, what now? According to the folks at CFWebstore, you need to modify the application.cfm file for your store with this code from their blog. EDIT: More detailed information from CFWebstore. Use the link, not posting it incase something is changed in it. Also, I would suggest upgrading to the newest version as fast as possible for your budget and resources, since version 6, according to CFWebstore, certain upload files in the customtags directory are no longer used and are removed from the code base.
Additional details about the attack:
- The shell contains many references to seraph, this is likely his/their blog in China
- It looks like one of seraph’s buddies, chanm is actually doing the attack as I’ve seen Windows users created with the name of chanm$.
- More info about wminotify.dll from Symantec
- Read through the comments on Ray Camden’s post about this issue which includes many details from various people’s experience with this attack
- The attacker is sometimes uploading a JSP file to get around the security layer in ColdFusion, which allows complete bypass of any Sandboxes you already had setup
While this is a specific attack on one application, the lessons learned can be applied to any web application:
- DO NOT blindly trust the MIME types that are sent by a browser, these are easily spoofed.
- DO upload outside you web root initially
- DO additional checks on uploaded files before pushing them live (file extensions should match, use functions like isImageFile() and isPDFFile() in ColdFusion, etc.)
- DO protect uploads with some sort of login (assuming your business rules preclude the public uploading content to your site)
- DO disable JSP handling in ColdFusion if you don’t use it, see Adobe instructions.
Edit: Its been a long 2 weeks dealing with these, if I’ve missed something, let me know in the comments.
Last Update: 2 July 2009 12:40 PM