Last Updated: 2009-07-03 09:35:14 UTC
by Bojan Zdrnja (Version: 2)
There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We received several e-mails about this.
It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server.
The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients.
What's interesting is that the group behind this is probably connected (if not the same) as the group that performed a lot of similar attacks back in March. I wrote several diaries about them – see http://isc.sans.org/diary.html?storyid=6001 and http://isc.sans.org/diary.html?storyid=6010
Back in March, once they gained access to the server, they used a local privilege escalation exploit for a vulnerability that was, at that time, unpatched. If your servers are up to date with Microsoft patches, the vulnerability has been patched but they still can modify local web site files in a lot of cases (and sometimes even more, depending on Cold Fusion's configuration).
We'll be carefully monitoring the situation with this, of course. In the mean time, make sure that all applications you are running are up to date and fully patched. Another thing you might want to do is check for any old software you might have on your servers – it is very common for applications to leave old, vulnerable parts that are not used any more hanging around. And such applications are just waiting to be compromised.
Thanks to Adam for giving us an early heads up.
We received some additional information about this whole case with ColdFusion. It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting.
First, version 8.0.1 of Cold Fusion installs a vulnerable version of FCKEditor which is enabled by default. This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers. Information on how to disable this is available on the ColdFusion web site at http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
The second attack vector is again through vulnerable FCKEditor installations, but which are this time dropped through 3rd party application. One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion. Older versions of CFWebstore used vulnerable FCKEditor installations -- if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed.