Bugtraq mailing list archives

Remotely delete CF ACLs to circumvent security


From: nny () LOCK ROT26 NET (nny)
Date: Tue, 7 Sep 1999 13:48:35 -0500


1141111162611411111626
--- rot26 networks ---
1141111162611411111626

--

Attack: Remotely delete CF ACLs to circumvent security
Affected Software: Cold Fusion 2.0 - 4.0
Authoritative Copy: http://www.rot26.net/rot26-99-09-02.txt
Public Release Date: 09-02-99

Author: nny () rot26 net

special thanks: andrewr, rfp, nocarrier, and mally.

--

Brief Description of Attack:

The Cold Fusion ACLs are ordinary .cfm files referenced from the scripts
they guard, so they may be deleted like any other file via the RequestTimeout
deletion attack described by kklinsky () themerge com in the recent l0pht
advisory. Among the files these ACLs "protect" are scripts that view the
contents of files, upload new files to the system, and a raw code interpreter
that executes arbitrary CF code, which may contain tags for registry
modification.

Reproducing the Attack / Showing Vulnerability:

Using the expression evaluator, an attacker can first back up the system logs
for later comparison after the attack; the logs can then be modified by
uploading edited copies to the server and moving them into place. The attacker
can also back up the expression evaluator itself (exprcalc.cfm specifically),
again for later modification. As a side note, calling sendmail.cfm without any
arguments returns a system date/time stamp as well as directory structures;
that attack is not pursued further here.

For the attack, have the expression evaluator delete (as explained in the
l0pht advisory) the ACL cfdocs/expeval/check_ip.cfm. Now delete the expression
evaluator (exprcalc.cfm) itself and use openfile.cfm to upload a modded ACL
along with a modded exprcalc.cfm. The modded exprcalc.cfm is pretty basic:
simply remove all lines past the </HTML>, since the final CFIF statement
merely checks whether the file is open and deletes it. Again use openfile.cfm
to upload a renamed copy of the original exprcalc.cfm; this provides a
convenient way to do a view/delete combo. For the sake of the following
examples the name exprcal.cfm will be used. An attacker now has the ability
to, among other things, execute raw code on the server, upload files at will,
and delete files at will. Previously eval.cfm was restricted by the
check_ip.cfm ACL; the modded check_ip.cfm allows the attacker's IP as well as
the default ACL restriction of 127.0.0.1.

There are more ACLs to be attacked though. Have the renamed original
expression evaluator (exprcal.cfm) delete the second and third ACLs:
  /cfdocs/exampleapp/publish/admin/application.cfm
  /cfdocs/exampleapp/email/application.cfm
Again use openfile.cfm to upload modded ACLs and some scripts to move them
to their proper dirs. The ACL for the /cfdocs/exampleapp/email dir pretty
much just needs to exist, perhaps containing nothing but a few spaces. Run the
move scripts and now the admin and email dirs are owned. Either use the
expression evaluator to delete the move scripts or mod the sample move
script included below so that it deletes itself. An attacker now has full
access to the Administrator directory, which contains a nicely packaged system
file upload utility, so there is no need to go through the openfile / dual
exprcalc hassle. Plus there is now a convenient file read utility.

For example:
http://www.server.com/cfdocs/exampleapp/email/getfile.cfm?filename=c:\boot.ini

To facilitate anonymous web browsing or to defeat localhost trust, one may
wish to upload httpclient.cfm, which was found in Cold Fusion Application
Server 3.x and mentioned in rfp's original advisory.

Now the new logs may be retrieved, diff'd against the old ones, and modded
to your delight.
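Since the attacker's last step is to doctor the logs on the server, the web-server log copy that matters for detection is one kept off the host. The following is an added example, not part of the original advisory: a detection pass over W3C-style IIS log lines that flags any request to the sample scripts this advisory names, notes when the client is not the localhost the ACLs are meant to trust, and notes a filesystem path in the query string (as in the getfile.cfm?filename=c:\boot.ini request shown above). The field order in FIELDS is an assumption about how the log was configured, and the log lines in SAMPLE_LOG are constructed, not real traffic.

```python
"""Detection pass over web-server log lines for requests to the ColdFusion
sample scripts this advisory names.  Added example, not part of the original
advisory.  Assumes W3C extended log lines with the field order given in FIELDS;
the log lines in SAMPLE_LOG are constructed, not real traffic."""
import re
from urllib.parse import unquote

# Scripts named in this advisory, as lower-case URI stems.
SAMPLE_SCRIPTS = {
    "/cfdocs/expeval/exprcalc.cfm",
    "/cfdocs/expeval/sendmail.cfm",
    "/cfdocs/expeval/eval.cfm",
    "/cfdocs/expeval/openfile.cfm",
    "/cfdocs/expeval/displayopenedfile.cfm",
    "/cfdocs/exampleapp/email/getfile.cfm",
    "/cfdocs/exampleapp/publish/admin/addcontent.cfm",
}

# Assumed field order (W3C extended format with these fields selected).
FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")

# A drive-letter path or a parent-directory hop at the start of a query value,
# e.g. the getfile.cfm?filename=c:\boot.ini request shown in the advisory.
PATH_IN_QUERY = re.compile(r"(?:^|[=&])(?:[a-z]:[\\/]|\.\.[\\/])", re.I)


def parse_w3c(line):
    """Return a field dict for one data line, or None for directives/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def flag(line):
    """Return a finding dict if the line hits a sample script, else None."""
    rec = parse_w3c(line)
    if rec is None:
        return None
    stem = unquote(rec["cs-uri-stem"]).lower()
    if stem not in SAMPLE_SCRIPTS:
        return None
    query = "" if rec["cs-uri-query"] == "-" else unquote(rec["cs-uri-query"])
    reasons = ["request to ColdFusion sample script"]
    if rec["c-ip"] != "127.0.0.1":
        reasons.append("client is not localhost")
    if PATH_IN_QUERY.search(query):
        reasons.append("filesystem path in query string")
    return {"time": rec["date"] + " " + rec["time"], "ip": rec["c-ip"],
            "stem": stem, "query": query, "reasons": reasons}


def scan(lines):
    """All findings for an iterable of log lines, in log order."""
    return [f for f in map(flag, lines) if f is not None]


# Constructed sample log (not real traffic): one benign hit, then the upload,
# read and evaluator requests an attacker following this advisory would make.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-09-02 13:40:01 10.0.0.5 GET /index.cfm - 200
1999-09-02 13:40:12 192.0.2.44 GET /cfdocs/expeval/openfile.cfm - 200
1999-09-02 13:40:20 192.0.2.44 POST /cfdocs/expeval/displayopenedfile.cfm - 200
1999-09-02 13:40:35 192.0.2.44 GET /cfdocs/exampleapp/email/getfile.cfm filename=c:\\boot.ini 200
1999-09-02 13:41:02 127.0.0.1 GET /cfdocs/expeval/exprcalc.cfm - 200
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["time"], f["ip"], f["stem"], f["query"], "; ".join(f["reasons"]))
```

Run it against a log exported before the attack window and one exported after; the localhost-sourced exprcalc.cfm hit is still reported because, as the advisory notes, httpclient.cfm lets an attacker make requests that appear to come from 127.0.0.1.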

Note: For further owning, bo2k could easily be uploaded and installed.

Conclusion:

An attacker has the ability to execute raw code, modify the registry,
view system files, act as a trusted host to such services as IIS,
upload files, delete files, circumvent log files, circumvent ACLs,
and view web pages anonymously.

Sample Code:

check_ip.cfm modded code (original line, then its replacement):

<CFIF #CGI.REMOTE_ADDR# IS NOT "127.0.0.1">

<CFIF #CGI.REMOTE_ADDR# IS NOT "127.0.0.1" AND #CGI.REMOTE_ADDR# IS NOT "$attackers_ip">

application.cfm modded code (original line, then its replacement):

<CFIF CGI.REMOTE_ADDR IS NOT "127.0.0.1">

<CFIF CGI.REMOTE_ADDR IS NOT "127.0.0.1" AND CGI.REMOTE_ADDR IS NOT "$attackers_ip">

logfile-mover.cfm code:

<CFFILE ACTION="Move"
   SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\application.log"
   DESTINATION="c:\cfusion\log\">
<CFFILE ACTION="Move"
   SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\webserver.log"
   DESTINATION="c:\cfusion\log\">
<CFFILE ACTION="Move"
   SOURCE="c:\inetpub\wwwroot\cfdocs\expeval\server.log"
   DESTINATION="c:\cfusion\log\">

The other move scripts may easily be derived from this one and having the
scripts delete themselves would also be trivial.

Fix:

Restrict access to or preferably delete Cold Fusion sample files. These
include but are certainly not limited to:

/cfdocs/expeval/exprcalc.cfm
/cfdocs/expeval/sendmail.cfm
/cfdocs/expeval/eval.cfm
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/displayopenedfile.cfm
/cfdocs/exampleapp/email/getfile.cfm
/cfdocs/exampleapp/publish/admin/addcontent.cfm

Note: Heed all warnings or none at all: if you merely delete exprcalc.cfm,
it may simply be re-uploaded via openfile.cfm / displayopenedfile.cfm.

Already Compromised?:

Due to the nature of the previous attacks by rfp and kklinsky, if your
/cfdocs/expeval/exprcalc.cfm is not found you MAY have already been attacked.
Follow the fix warning above and also make sure your ACLs have not been
tampered with.
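Checking "whether your ACLs have been tampered with" and whether the sample files are still present can be scripted on the server. The following is an added example, not part of the original advisory: a host-side audit that reports the sample scripts listed under Fix that are still on disk, whether exprcalc.cfm is missing, and, for each of the three ACL files the attack replaces, whether it is missing, empty of any REMOTE_ADDR check (the few-spaces replacement described above), intact with only 127.0.0.1 allowed, or widened to additional addresses as in the Sample Code section. It assumes the cfdocs/ tree sits directly under the web root and that the ACLs use the plain CFIF REMOTE_ADDR comparison shown in the Sample Code; the demo web root it builds is constructed, with placeholder file bodies rather than the real sample files.

```python
"""Host-side audit for the ColdFusion sample files and ACLs named in this
advisory.  Added example, not part of the original advisory.  Assumes the
web root layout the advisory uses (cfdocs/ under the document root) and that
the ACLs are the plain <CFIF CGI.REMOTE_ADDR IS NOT "..."> checks shown in
the Sample Code section; the demo web root built below is constructed."""
import os
import re
import tempfile

# Sample scripts listed under "Fix"; any that are present should be removed.
SAMPLE_FILES = [
    "cfdocs/expeval/exprcalc.cfm",
    "cfdocs/expeval/sendmail.cfm",
    "cfdocs/expeval/eval.cfm",
    "cfdocs/expeval/openfile.cfm",
    "cfdocs/expeval/displayopenedfile.cfm",
    "cfdocs/exampleapp/email/getfile.cfm",
    "cfdocs/exampleapp/publish/admin/addcontent.cfm",
]

# The three ACL files the attack deletes and replaces.
ACL_FILES = [
    "cfdocs/expeval/check_ip.cfm",
    "cfdocs/exampleapp/publish/admin/application.cfm",
    "cfdocs/exampleapp/email/application.cfm",
]

# One REMOTE_ADDR comparison, with or without the optional pound signs.
ADDR_CHECK = re.compile(r'#?CGI\.REMOTE_ADDR#?\s+IS\s+NOT\s+"([^"]*)"', re.I)


def present_samples(webroot):
    """Sample scripts still on disk under webroot."""
    return [p for p in SAMPLE_FILES if os.path.isfile(os.path.join(webroot, p))]


def acl_status(webroot, acl):
    """'missing' (deleted), 'empty' (exists but holds no REMOTE_ADDR check,
    e.g. the few-spaces replacement), 'ok' (only 127.0.0.1 allowed) or
    'tampered:<ips>' listing every other address the check lets through."""
    path = os.path.join(webroot, acl)
    if not os.path.isfile(path):
        return "missing"
    with open(path, encoding="latin-1") as fh:
        allowed = ADDR_CHECK.findall(fh.read())
    if not allowed:
        return "empty"
    extra = sorted(set(allowed) - {"127.0.0.1"})
    return "ok" if not extra else "tampered:" + ",".join(extra)


def audit(webroot):
    """Collect the indicators the 'Already Compromised?' section asks about."""
    return {
        "exprcalc_missing": not os.path.isfile(
            os.path.join(webroot, "cfdocs/expeval/exprcalc.cfm")),
        "samples_present": present_samples(webroot),
        "acls": {acl: acl_status(webroot, acl) for acl in ACL_FILES},
    }


def build_demo_webroot():
    """Constructed post-attack web root for the demo (not a real system):
    exprcalc.cfm deleted, openfile.cfm left behind, check_ip.cfm widened to a
    second address, the email ACL replaced by whitespace.  File bodies are
    placeholders, not the real sample files."""
    root = tempfile.mkdtemp(prefix="cfaudit-")
    files = {
        "cfdocs/expeval/openfile.cfm": "<HTML>placeholder upload form</HTML>\n",
        "cfdocs/expeval/check_ip.cfm":
            '<CFIF #CGI.REMOTE_ADDR# IS NOT "127.0.0.1" '
            'AND #CGI.REMOTE_ADDR# IS NOT "192.0.2.44">\n<CFABORT>\n</CFIF>\n',
        "cfdocs/exampleapp/publish/admin/application.cfm":
            '<CFIF CGI.REMOTE_ADDR IS NOT "127.0.0.1">\n<CFABORT>\n</CFIF>\n',
        "cfdocs/exampleapp/email/application.cfm": "   \n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    result = audit(build_demo_webroot())
    print("exprcalc.cfm missing:", result["exprcalc_missing"])
    print("sample files present:", result["samples_present"])
    for acl, status in result["acls"].items():
        print(acl, "->", status)
```

Point audit() at the real document root (for example c:\inetpub\wwwroot) instead of the demo tree. An 'empty' or 'tampered' ACL, or a missing exprcalc.cfm alongside a surviving openfile.cfm, matches the end state the attack above leaves behind.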

-nny () rot26 net

--

An authoritative copy of this advisory may be found at:
http://www.rot26.net/rot26-99-09-02.txt

(c) rot26 networks

--
=============================================
-- NNY  (nny () rot26 net)      rot26 networks (c) --


