Cold Fusion web sites getting compromised

Cold Fusion web sites getting compromised
There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We received several e-mails about this. It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients. What's interesting is that the group behind this is probably connected (if not the same) as the group that performed a lot of similar attacks back in March. I wrote several diaries about them – see http://isc.sans.org/diary.html?storyid=6001 and http://isc.sans.org/diary.html?storyid=6010 Back in March, once they gained access to the server, they used a local privilege escalation exploit for a vulnerability that was, at that time, unpatched. If your servers are up to date with Microsoft patches, the vulnerability has been patched but they still can modify local web site files in a lot of cases (and sometimes even more, depending on Cold Fusion's configuration). We'll be carefully monitoring the situation with this, of course. In the mean time, make sure that all applications you are running are up to date and fully patched. Another thing you might want to do is check for any old software you might have on your servers – it is very common for applications to leave old, vulnerable parts that are not used any more hanging around. And such applications are just waiting to be compromised. Thanks to Adam for giving us an early heads up. -- Bojan I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Baltimore Fall: Virtual Edition 2021	Bojan 400 Posts ISC Handler Jul 2nd 2009
Thread locked Subscribe	Jul 2nd 2009 1 decade ago
Here is an article with security tips for uploading files with ColdFusion: http://www.petefreitag.com/item/701.cfm	Anonymous
Quote	Jul 2nd 2009 1 decade ago
This article is slightly wrong but thankfully did point to the root of the problem. In CF 8 there is an embedded version of the FCKEditor which has a security vulnerability - you can read about it and the solution at http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat	Anonymous
Quote	Jul 3rd 2009 1 decade ago

There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We received several e-mails about this.

It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server.

The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients.

What's interesting is that the group behind this is probably connected (if not the same) as the group that performed a lot of similar attacks back in March. I wrote several diaries about them – see http://isc.sans.org/diary.html?storyid=6001 and http://isc.sans.org/diary.html?storyid=6010

Back in March, once they gained access to the server, they used a local privilege escalation exploit for a vulnerability that was, at that time, unpatched. If your servers are up to date with Microsoft patches, the vulnerability has been patched but they still can modify local web site files in a lot of cases (and sometimes even more, depending on Cold Fusion's configuration).

We'll be carefully monitoring the situation with this, of course. In the mean time, make sure that all applications you are running are up to date and fully patched. Another thing you might want to do is check for any old software you might have on your servers – it is very common for applications to leave old, vulnerable parts that are not used any more hanging around. And such applications are just waiting to be compromised.

Thanks to Adam for giving us an early heads up.

--
Bojan

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Baltimore Fall: Virtual Edition 2021

Bojan

400 Posts
ISC Handler

Jul 2nd 2009

Here is an article with security tips for uploading files with ColdFusion: http://www.petefreitag.com/item/701.cfm

Anonymous

This article is slightly wrong but thankfully did point to the root of the problem. In CF 8 there is an embedded version of the FCKEditor which has a security vulnerability - you can read about it and the solution at http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

Anonymous