We haven’t often reported anything relating to ColdFusion, the application server from Adobe, most likely because it’s not a very prevalent hosting platform. It was quite popular earlier in the decade before PHP became so popular, the choices back then were early versions of ASP, JSP and CFM.
We’ve only posted one tool related to ColdFusion too which was – Wfuzz – A Tool for Bruteforcing/Fuzzing Web Applications.
Adobe seems to have tried to hide this one away and downgrade the severity of the exploit by classifying it as ‘important’ but not ‘critical’. Stating it could only lead to information disclosure via directory traversal. It seems however publicly released exploit code can utilise this vulnerability to take full control of any server running the unpatched version of ColdFusion.
A recently patched vulnerability in Adobe’s ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.
In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.
But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What’s more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.
“This attack can lead to a full system compromise, so let’s make sure we’re clear,” HP researcher Rafal Los wrote here. “It’s not just that you can poke around the system files of the machine you’ve attacked (which is highly likely a MS Windows server); it’s also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”
From what has been written about the flaw by researchers that have tested it out, it really should have been rated as critical. Plus the fact you can use some old school Google Hacking to find vulnerable servers means this could lead to some widespread mass defacements.
Well perhaps I shouldn’t really say mass defacements as there just aren’t that many servers running ColdFusion, and yes most of which are indeed running on Windows machines and most likely poorly maintained and not particularly secure Windows machines.
The bottom line, if you have any ColdFusion servers in your organization or within your realm of responsibility, get them patched ASAP.
One reason the vulnerability may have been rated critical is that attacks generally work only when ColdFusion administrative components are accessible over the public internet, something that’s not considered a best practice. Los pointed to Google searchers here , here, here and here, which over the weekend generated “a lot of results.”
Around the same time, a hacker who goes by the name Carnal0wnage posted attack code that reliably exploits the vulnerability.
Also over the weekend, hacker and penetration tester Adrian Pastor warned that attackers could exploit the vulnerability to login as a ColdFusion admin without needing to crack the cryptographic hash.
Adobe on Monday issued the following statement:
“The ColdFusion hotfix and security bulletin released on August 10, 2010 address a directory traversal vulnerability (CVE-2010-2861) that could lead to information disclosure (http://www.adobe.com/support/security/bulletins/apsb10-18.html). The vulnerability on its own has been rated as ”important” in accordance with the severity criteria available on the Adobe website at http://www.adobe.com/devnet/security/security_zone/severity_ratings.html. Because it is possible for a vulnerability to be exploited in combination with other factors that may impact the overall severity of an attack, Adobe always recommends users update their product installations in line with security best practices.”
To take complete control however the server admin would have had to ignore the ‘best-practice’ guidelines and allowed public access to administrative components of the ColdFusion server.
If you are interested you can find reliable exploit code here:
Source: The Register