COMMAND
Cold Fusion
SYSTEMS AFFECTED
All platforms
PROBLEM
Following is based on L0pht Security Advisory by Weld Pond.
Although this vulnerability has been known for a while L0pht
thinks it is worse than originally thought. Users can upload and
potentially execute files on the web server. Furthermore, few
sites seem to have fixed the problem. Major commercial,
government, and military sites have been found to still be
vulnerable.
In issue 54, volume 8 of Phrack Magazine dated December 25, 1998,
rain.forest.puppy describes a security problem with installations
of Cold Fusion Application Server when the online documentation is
installed. The online documentation is installed by default.
According to Phrack, the vulnerability allows web users to view
files anywhere on the server. On February 4, 1999, Allaire posted
a fix on their web site and also recommended that documentation not
be stored on production servers. They also acknowledge that the
hole allows web users to read and also delete files on the server.
The patch successfully fixes the problem if you decide to keep the
documentation on the server. In examining an unpatched Cold
Fusion Application Server it became apparent that in addition to
reading and deleting files, web users also have the ability to
upload (potentially executable) files to the server. A cursory
survey of many large corporate and e-commerce sites using Cold
Fusion turned up many vulnerable servers. The purpose of this
advisory is to stress how important it is to use the patch that
Allaire provides or take other measures to prevent web users from
accessing this security hole.
By default, the Cold Fusion application server install program
installs sample code as well as online documentation. As part of
this collection is a utility called the "Expression Evaluator".
The purpose of this utility is to allow developers to easily
experiment with Cold Fusion expressions. It even allows you to
create a text file on your local machine and then upload it to the
application server in order to evaluate it. This utility is
supposed to be limited to the localhost. There are three
important files in this exploit that any web user can access by
default:
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/displayopenedfile.cfm
/cfdocs/expeval/exprcalc.cfm
The first one lets you upload a file via a web form. The second
one saves the file to the server. The last file reads the
uploaded file, displays the contents of the file in a web form and
then deletes the uploaded file. The Phrack article and the
advisory from Allaire relate to "exprcalc.cfm". A web user can
choose to view and delete any file they want. To view and delete
a file like "c:\winnt\repair\setup.log" you would use a URL like:
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log
This exploit can be taken a step further. First go to:
http://www.server.com/cfdocs/expeval/openfile.cfm
Select a file to upload from your local machine and submit it.
You will then be forwarded to a web page displaying the contents
of the file you uploaded. The URL will look something like:
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt
Now replace the end of the URL where it shows ".\myfile.txt" with
"ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so
that web users can now use "openfile.cfm" to upload files to the
web server without them being deleted. With some knowledge of Cold
Fusion a web user can upload a Cold Fusion page that allows them
to browse directories on the server as well as upload, download
and delete files. Arbitrary executable files could be placed
anywhere the Cold Fusion service has access. Web users are not
restricted to the web root. Frequently, Cold Fusion developers
use Microsoft Access databases to store information for their web
applications. If the described vulnerability exists on your
server, these database files could potentially be downloaded and
even overwritten with modified copies. The most concerning aspect
of this vulnerability is that with a text editor and a web
browser, web users are able to download password files, other
confidential information and even upload executable files to a
web server.
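From the defender's side, the quickest sign that this hole is being probed or used is any request for the Expression Evaluator pages in the web server's access log, since the documentation should not be on a production server at all. The Python script below is an added example, not part of the L0pht advisory and not Allaire code: it parses a few constructed Common Log Format lines and flags the patterns described above (hits on the three /cfdocs/expeval/ pages, an OpenFilePath pointing outside the expeval directory, and an OpenFilePath naming ExprCalc.cfm itself). The log lines, client addresses and severity labels are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/1999:10:01:02 -0400] "GET /index.cfm HTTP/1.0" 200 1532
10.0.0.9 - - [21/Apr/1999:10:02:15 -0400] "GET /cfdocs/expeval/openfile.cfm HTTP/1.0" 200 812
10.0.0.9 - - [21/Apr/1999:10:02:40 -0400] "POST /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0" 200 640
10.0.0.9 - - [21/Apr/1999:10:02:41 -0400] "GET /cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\\Inetpub\\wwwroot\\cfdocs\\expeval\\.\\myfile.txt HTTP/1.0" 200 310
10.0.0.9 - - [21/Apr/1999:10:03:05 -0400] "GET /cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\\winnt\\repair\\setup.log HTTP/1.0" 200 4120
10.0.0.9 - - [21/Apr/1999:10:03:30 -0400] "GET /cfdocs/expeval/ExprCalc.cfm?OpenFilePath=C:\\Inetpub\\wwwroot\\cfdocs\\expeval\\ExprCalc.cfm HTTP/1.0" 200 290
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

EXPEVAL_DIR = "/cfdocs/expeval/"
UPLOAD_PAGES = {"openfile.cfm", "displayopenedfile.cfm"}


def classify(method, target):
    """Return (severity, reason) for a request that touches the Expression
    Evaluator, or None for anything else."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.startswith(EXPEVAL_DIR):
        return None
    page = path.rsplit("/", 1)[-1]
    if page == "exprcalc.cfm":
        params = parse_qs(parts.query)
        open_path = params.get("OpenFilePath", [""])[0]
        if not open_path:
            return ("low", "ExprCalc.cfm fetched without OpenFilePath")
        # Normalise Windows separators and collapse ./ and ../ so a traversal
        # cannot hide inside an apparently legitimate expeval path.
        norm = posixpath.normpath(open_path.replace("\\", "/").lower())
        if norm.endswith("/exprcalc.cfm"):
            return ("critical", "OpenFilePath names ExprCalc.cfm: deleting it lets uploads persist")
        if EXPEVAL_DIR not in norm:
            return ("high", "OpenFilePath outside expeval, arbitrary file read/delete: " + open_path)
        return ("medium", "Expression Evaluator used on an uploaded file")
    if page in UPLOAD_PAGES:
        if method.upper() == "POST":
            return ("high", "file upload submitted via " + page)
        return ("medium", "upload form fetched: " + page)
    return ("low", "documentation utility accessed: " + page)


def scan_log(text):
    """Parse CLF lines and return one finding per suspicious request:
    (client ip, severity, reason, http status)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        hit = classify(m["method"], m["target"])
        if hit is not None:
            findings.append((m["ip"], hit[0], hit[1], m["status"]))
    return findings


if __name__ == "__main__":
    for ip, severity, reason, status in scan_log(SAMPLE_LOG):
        print(f"{severity:8s} {ip:12s} HTTP {status}  {reason}")
```

The HTTP status is carried along because on an unpatched server a 200 on the ExprCalc.cfm request means the read (and delete) actually happened, which turns an "attempt" into an incident; on a patched or cleaned server the same requests should be 404s and are only reconnaissance.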
"hYP0[13/\\r" made a scanner to test if servers are susceptible to
the l0pht Cold Fusion advisory:
/*
COLD FUSION VULNERABILITY TESTER - Checks for the l0pht advisory
"Cold Fusion Application Server Advisory" dated 4.20.1999
you can find a copy of this advisory and all other
l0pht Security Advisories here:
http://www.l0pht.com/advisories.html
much of this program was blatantly copied from the cgi scanner
released about a week ago, written by su1d sh3ll... I just want
to give credit where credit is due... this particular scanner
was "written" (basically modified) by hypoclear of lUSt - Linux
Users Strike Today... I know that it is trivial to check to see
if a server is vulnerable, but I had fun doing this so who the
heck cares if I want to waste my time...
compile: gcc -o coldscan coldscan.c
usage: coldscan host
tested on: IRIX Release 5.3 (this should compile on most *NIX systems though)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in sin;
    struct hostent *he;
    const char foundmsg[] = "200";   /* HTTP status we look for in the reply */
    char *cgistr;
    ssize_t got;
    int count;
    char cfbuff[1024];
    /* the three Expression Evaluator pages named in the advisory */
    const char *cfpage[] = {
        "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\r\n\r\n",
        "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0\r\n\r\n",
        "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0\r\n\r\n"
    };
    const char *cfname[] = { "openfile.cfm", "displayopenedfile.cfm", "exprcalc.cfm" };
    const int npages = sizeof(cfpage) / sizeof(cfpage[0]);

    if (argc < 2) {
        printf("\n-=COLD FUSION VULNERABILITY TESTER=-");
        printf("\nusage - %s host \n", argv[0]);
        return 1;
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        return 1;
    }
    printf("\n-=COLD FUSION VULNERABILITY TESTER=-\n");
    printf("scanning...\n\n");

    for (count = 0; count < npages; count++) {
        /* one fresh TCP connection per request: HTTP/1.0 closes after each reply */
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock < 0) {
            perror("socket");
            return 1;
        }
        memset(&sin, 0, sizeof(sin));
        memcpy(&sin.sin_addr, he->h_addr, he->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            perror("connect");
            close(sock);
            return 1;
        }
        printf("Searching for %s : ", cfname[count]);
        memset(cfbuff, 0, sizeof(cfbuff));
        send(sock, cfpage[count], strlen(cfpage[count]), 0);
        /* leave room for the terminating NUL so strstr() cannot run off the buffer */
        got = recv(sock, cfbuff, sizeof(cfbuff) - 1, 0);
        if (got < 0) {
            perror("recv");
            close(sock);
            return 1;
        }
        cfbuff[got] = '\0';
        /* a "200" in the first bytes of the reply means the page is served */
        cgistr = strstr(cfbuff, foundmsg);
        if (cgistr != NULL)
            printf("Exists!\n");
        else
            printf("Not Found\n");
        close(sock);
    }
    return 0;
}
SOLUTION
Allaire has posted a patch to this vulnerability. This is
currently available at:
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full
In addition to this, it is recommended that the documentation and
example code not be stored on production servers.