Remotely delete CF ACLs to circumvent security

From: nny (nnyat_private)
Date: Tue Sep 07 1999 - 11:48:35 PDT


    1141111162611411111626
    --- rot26 networks ---
    1141111162611411111626
    
    --
    
    Attack: Remotely delete CF ACLs to circumvent security
    Affected Software: Cold Fusion 2.0 - 4.0
    Authoritative Copy: http://www.rot26.net/rot26-99-09-02.txt
    Public Release Date: 09-02-99
    
    Author: nnyat_private
    
    special thanks: andrewr, rfp, nocarrier, and mally.
    
    --
    
    Brief Description of Attack:
    
    The Cold Fusion ACLs are ordinary .cfm files that the other sample scripts
    reference, so they can be deleted like any other file via the RequestTimeout
    deletion attack described by kklinskyat_private in the recent l0pht advisory.
    Among the files these ACLs "protect" are scripts that display the contents of
    files, upload new files to the system, and a raw code interpreter that
    executes CF code remotely, including tags that modify the registry.
    
    Reproducing the Attack / Showing Vulnerability:
    
    Using the expression evaluator, an attacker first retrieves copies of the
    system logs so that, after the attack, they can be compared with the new
    logs, edited, uploaded to the server and moved back into place. The attacker
    should also retrieve a copy of the expression evaluator itself
    (exprcalc.cfm), again for later modification. Although not the focus here,
    calling sendmail.cfm with no arguments returns a system date/time stamp as
    well as directory structures.
    
    For the attack, have the expression evaluator delete (as explained in the
    l0pht advisory) the ACL cfdocs/expeval/check_ip.cfm. Next delete the
    expression evaluator (exprcalc.cfm) itself and use openfile.cfm to upload a
    modified ACL together with a modified exprcalc.cfm. The modification to
    exprcalc.cfm is minimal: remove every line after </HTML>. The final CFIF
    statement merely checks whether a file is open and deletes it, so without it
    the evaluator no longer deletes the files it opens. Then use openfile.cfm
    to upload the original exprcalc.cfm under a new name; this gives a
    convenient way to do a view/delete combination. For the examples below the
    name exprcal.cfm is used. An attacker now has the ability to, among other
    things, execute raw code on the server, upload files at will and delete
    files at will. Previously the eval.cfm file was restricted by the
    check_ip.cfm ACL; the modified check_ip.cfm exempts the attacker's IP in
    addition to the default exemption for 127.0.0.1.
    
    There are more ACLs to attack. Have the original, now renamed, expression
    evaluator delete the second and third ACLs,
    /cfdocs/exampleapp/publish/admin/application.cfm and
    /cfdocs/exampleapp/email/application.cfm. Again use openfile.cfm to upload
    modified ACLs together with some scripts that move them into their proper
    directories. The ACL for the /cfdocs/exampleapp/email directory merely
    needs to exist; a file containing a few spaces will do. Run the move scripts
    and the admin and email directories are owned. Either use the expression
    evaluator to delete the move scripts, or adapt the sample move script
    included below so that it deletes itself. An attacker now has full access to
    the Administrator directory, which contains a nicely packaged system file
    upload utility, so the openfile / dual exprcalc hassle is no longer
    necessary. The email directory also provides a convenient file read utility.
    
    For example:
    http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini
    
    To facilitate anonymous web browsing or to defeat localhost trust, one may
    wish to upload httpclient.cfm, which was found in Cold Fusion Application
    Server 3.x and mentioned in rfp's original advisory.
    
    Now the new logs may be retrieved, diffed against the old ones and modified
    to your delight.
    
    Note: for further owning, bo2k (Back Orifice 2000) could easily be uploaded
    and installed.
    
    Conclusion:
    
    An attacker has the ability to execute raw code, modify the registry, view
    system files, act as a trusted host to services such as IIS, upload files,
    delete files, circumvent log files, circumvent ACLs, and view web pages
    anonymously.
    
    Sample Code:
    
    check_ip.cfm modded code (< original line, > modified line):
    
    < <CFIF #CGI.REMOTE_ADDR# IS NOT "127.0.0.1">
    
    > <CFIF #CGI.REMOTE_ADDR# IS NOT "127.0.0.1" AND #CGI.REMOTE_ADDR# IS NOT "$attackers_ip">
    
    application.cfm modded code:
    
    < <CFIF CGI.REMOTE_ADDR IS NOT "127.0.0.1">
    
    > <CFIF CGI.REMOTE_ADDR IS NOT "127.0.0.1" AND CGI.REMOTE_ADDR IS NOT "$attackers_ip">
    
    logfile-mover.cfm code (moves the uploaded replacement logs from the expeval
    sample directory into the Cold Fusion log directory):
    
    <!--- Move each uploaded log from the web root into c:\cfusion\log --->
    <CFFILE ACTION="Move"
       SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\application.log"
       DESTINATION="c:\cfusion\log\">
    <CFFILE ACTION="Move"
       SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\webserver.log"
       DESTINATION="c:\cfusion\log\">
    <CFFILE ACTION="Move"
       SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\server.log"
       DESTINATION="c:\cfusion\log\">
    
    The other move scripts may easily be derived from this one, and having the
    scripts delete themselves would also be trivial.
    
    Fix:
    
    Restrict access to or preferably delete Cold Fusion sample files. These
    include but are certainly not limited to:
    
    /cfdocs/expeval/exprcalc.cfm
    /cfdocs/expeval/sendmail.cfm
    /cfdocs/expeval/eval.cfm
    /cfdocs/expeval/openfile.cfm
    /cfdocs/expeval/displayopenedfile.cfm
    /cfdocs/exampleapp/email/getfile.cfm
    /cfdocs/exampleapp/publish/admin/addcontent.cfm
    
    Note: heed all of these warnings or none at all; if you merely delete
    exprcalc.cfm, it may simply be re-uploaded via openfile.cfm /
    displayopenedfile.cfm.
    
    Already Compromised?:
    
    Due to the nature of the previous attacks by rfp and kklinsky, if your
    /cfdocs/expeval/exprcalc.cfm is not found you MAY have already been
    attacked. Follow the fix warning above, and also make sure your ACLs have
    not been tampered with.
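    As an added example, not part of this advisory or rot26's code, the
    following Python script automates what the Fix and Already Compromised?
    sections ask an administrator to check: it looks for the sample files listed
    above under a web root, classifies each of the three file-based ACLs as
    intact, tampered (addresses other than 127.0.0.1 exempted from the deny
    branch), blank or absent, flags exprcalc.cfm missing while other sample
    files remain, and lists files in cfdocs/expeval that the advisory does not
    name (a heuristic, since a stock install may contain other files). The paths
    and the CFIF pattern come from this advisory; the web root it audits is
    constructed inside the script, and the attacker address 10.0.0.5, the
    placeholder file contents and the demo() helper are assumptions made for the
    demonstration.

```python
import re
import tempfile
from pathlib import Path

# Sample scripts the Fix section says to restrict or delete (relative to the web root).
SAMPLE_FILES = [
    "cfdocs/expeval/exprcalc.cfm",
    "cfdocs/expeval/sendmail.cfm",
    "cfdocs/expeval/eval.cfm",
    "cfdocs/expeval/openfile.cfm",
    "cfdocs/expeval/displayopenedfile.cfm",
    "cfdocs/exampleapp/email/getfile.cfm",
    "cfdocs/exampleapp/publish/admin/addcontent.cfm",
]
# The three file-based ACLs the attack deletes and re-uploads.
ACL_FILES = [
    "cfdocs/expeval/check_ip.cfm",
    "cfdocs/exampleapp/publish/admin/application.cfm",
    "cfdocs/exampleapp/email/application.cfm",
]
TRUSTED_IPS = {"127.0.0.1"}  # the only address the stock ACLs exempt
# Every address an ACL exempts from its deny branch, with or without #...# around the variable.
ACL_RE = re.compile(r'CGI\.REMOTE_ADDR#?\s+IS\s+NOT\s+"([^"]*)"', re.IGNORECASE)


def audit_acl_text(text):
    """Classify one ACL file: ('ok' | 'tampered' | 'blank', sorted untrusted addresses)."""
    exempt = set(ACL_RE.findall(text))
    if not exempt:
        return "blank", []  # an ACL that 'just needs to exist' checks nobody
    extra = sorted(exempt - TRUSTED_IPS)
    return ("tampered" if extra else "ok"), extra


def audit_webroot(webroot):
    """Collect the indicators the Fix and Already Compromised? sections describe."""
    root = Path(webroot)
    report = {"exposed": [], "missing": [], "acls": {}, "unexpected": []}
    for rel in SAMPLE_FILES:
        report["exposed" if (root / rel).is_file() else "missing"].append(rel)
    for rel in ACL_FILES:
        p = root / rel
        report["acls"][rel] = audit_acl_text(p.read_text(errors="replace")) if p.is_file() else ("absent", [])
    # Heuristic: the attack stages renamed copies (exprcal.cfm), move scripts and edited
    # logs in cfdocs/expeval, so list anything there that the advisory does not name.
    expeval, known = root / "cfdocs" / "expeval", {Path(f).name for f in SAMPLE_FILES + ACL_FILES}
    if expeval.is_dir():
        report["unexpected"] = sorted(f.name for f in expeval.iterdir() if f.name not in known)
    return report


def verdict(report):
    """Reduce a report to a list of one-line findings."""
    missing = set(report["missing"])
    findings = [f"sample script reachable: {rel}" for rel in report["exposed"]]
    if "cfdocs/expeval/exprcalc.cfm" in missing and missing != set(SAMPLE_FILES):
        findings.append("exprcalc.cfm absent while other sample files remain: possible prior attack")
    for rel, (status, extra) in report["acls"].items():
        if status != "ok":
            findings.append(f"ACL {rel}: {status} {' '.join(extra)}".rstrip())
    return findings + [f"unexpected file in cfdocs/expeval: {n}" for n in report["unexpected"]]


# Constructed post-attack web root: exprcalc.cfm deleted, the renamed copy left behind,
# check_ip.cfm exempting 10.0.0.5 (a made-up attacker address), the email ACL blanked.
STOCK = "<!--- stock sample --->"
DEMO_FILES = {rel: STOCK for rel in SAMPLE_FILES if not rel.endswith("exprcalc.cfm")}
DEMO_FILES.update({
    "cfdocs/expeval/exprcal.cfm": "<!--- renamed original evaluator --->",
    "cfdocs/expeval/check_ip.cfm": '<CFIF #CGI.REMOTE_ADDR# IS NOT "127.0.0.1" AND #CGI.REMOTE_ADDR# IS NOT\n"10.0.0.5">\n</CFIF>',
    "cfdocs/exampleapp/email/application.cfm": "   ",
    "cfdocs/exampleapp/publish/admin/application.cfm": '<CFIF CGI.REMOTE_ADDR IS NOT "127.0.0.1">\n</CFIF>',
})


def demo():
    """Write DEMO_FILES into a temporary web root, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in DEMO_FILES.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return verdict(audit_webroot(tmp))


if __name__ == "__main__":
    for line in demo():
        print(line)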
    
    -nnyat_private
    
    --
    
    An authoritative copy of this advisory may be found at:
    http://www.rot26.net/rot26-99-09-02.txt
    
    (c) rot26 networks
    
    --
    =============================================
    -- NNY	(nnyat_private)	rot26 networks (c) --
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:54 PDT