This guest post appears courtesy of one of my team mates, Jonathan Spruill, and shows some of the extremely cool work we get to do in our Incident Response practice at Trustwave's SpiderLabs.
Recently an investigation led me to research the
vulnerability described in the following CVEs: CVE-2013-0625, CVE-2013-0629,
CVE-2013-0631, and CVE-2013-0632. From
the Adobe Security Bulletin (http://www.adobe.com/support/security/bulletins/apsb13-03.html):
“vulnerabilities that could permit an unauthorized user to remotely circumvent
authentication controls, potentially allowing the attacker to take control of
the affected server”. This sounds
particularly ominous and in a moment we will see just how damaging the attack was
in this case. As with most e-Commerce
cases, this investigation relied very heavily on the review of web access
logs. Using basic tools to analyze the
log files, I quickly found the entries where the compromise occurred.
Here the attacker checked to see if the site has been compromised already. I found this source: https://www.it.cornell.edu/services/alert.cfm?id=2419&back=security
which indicated that h.cfm, help.cfm and others were
variations of the name used for a webshell in this attack.
Here the attacker accessed the page at the heart of this exploit. By accessing the administrator.cfc page using
with the specific options, the server returned the base64 encoded version of
the administrator password hash.
The attacker then passed this encoded and hashed password
back to the server. The server allowed access
to the mappings.cfm page without complaint.
I was puzzled for a bit as to why the attacker would go directly to this
page. In recreating the exploit, I
discovered that this page holds the path information the attacker would need to know in order to upload his malicious files.
The attacker accessed the page sheduleedit.cfm and created the task which would upload the malicious files.
In this step of the attack we presume the attacker has
generated the task to upload the webshell.
We must presume this is the case as there is no record of the successful
task creation in the web access logs, or any other log for that matter. By default, there is no logging enabled for
scheduled tasks.
An interesting feature of these scheduled tasks is that they
can be run either on a time schedule or launched directly. ColdFusion can be configured to use these
tasks to generate web content from static data sources. However, an attacker can arbitrarily load
any file from any location. In this case
the file uploaded was a webshell.
Here the attacker forced the newly created task to run.
And in the next transaction, the attacker deleted the task. This very effectively covered his tracks within the ColdFusion management interface, since, as mentioned previously, logging of scheduled tasks is not enabled by
default.
The last step in this sequence, the attacker accessed the
newly uploaded webshell. In the
postmortem analysis of the site’s codebase, I was able to find and further
examine the webshell.
The webshell was not encoded or obfuscated as we typically
see in our investigations. It includes a
fair bit of functionality: upload and download files, search for filename or
file content, and issue SQL queries. If
you are interested in the code used in the webshell, I found a copy on
pastebin: http://pastebin.com/2v3PMx4M
The conclusion of the investigation showed a customized
database scraping script was uploaded and successfully downloaded a significant
amount of card holder data.
Not quite satisfied with seeing the attack in the logs, I
wanted to further understand how this exploit worked. I was able to duplicate the attack in a test
environment using a browser and with the help of my new favorite proxy tool, ZAP
from OWASP, I could see in better detail the key data elements passed from
browser to server and back again. I
couldn’t help but feel that this was still not a best representation of the
attack seen in the logs. I first
searched all the typical places for a proof of concept to try in my test
environment. I exhausted my Google-Fu
with no success. Left with no other option I decided I would write it
myself.
So why would a forensics guy want to write an exploit? First, like folks who climb Mt. Everest,
because it’s there. Second, since I
couldn’t find an example of the exploit code, I wanted to see if there was
something else that could be learned and identified as an Indicator of Compromise (IOC) for future
investigations. Third, it gave me the
opportunity to work on my scripting skills and learn a few things along the
way.
Rather than post the script itself for all the kiddies to sponge up, here's a video demo of the exploit against a default install of ColdFusion 9.0.2.
The script duplicates the most important behavior in this attack, which is the POST request to scheduleedit.cfm, forcing a task to run, followed by immediately deleting the task. These IOCs along with unusual filenames, such as h.cfm, a.cfm, help.cfm or similar files in the /CFIDE directory should cause any web administrator to investigate their logs more closely. An interesting IOC missing from this attack is directory traversal as seen in other ColdFusion exploits.
As for mitigating the vulnerabilities, Adobe recommends setting a password for the RDS user account, preventing access to the CFIDE path, and applying the patch per APBS13-03. In my testing, setting the RDS password was sufficient to prevent this attack.