A recently patched vulnerability in Adobe's ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software.
In a bulletin published last week, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This directory traversal vulnerability could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems.
But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What's more, they said attackers can employ simple web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out.
“This attack can lead to a full system compromise, so let's make sure we're clear,” HP researcher Rafal Los wrote here. “It's not just that you can poke around the system files of the machine you've attacked (which is highly likely a MS Windows server); it's also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.”
One reason the vulnerability may have been rated critical is that attacks generally work only when ColdFusion administrative components are accessible over the public internet, something that's not considered a best practice. Los pointed to Google searchers here , here, here and here, which over the weekend generated “a lot of results.”
Around the same time, a hacker who goes by the name Carnal0wnage posted attack code that reliably exploits the vulnerability.
ColdFusion Directory Traversal FAQ (CVE-2010-2861)
Q. Is authentication required to exploit this vulnerability?
A. NO. The attacker doesn’t require knowledge of any passwords in order to exploit the directory traversal bug.
Q. What are the mitigating factors?
A. This vulnerability cannot be exploited on ColdFusion 9.X when default settings are used, unless of course you figure out a way to get around the directory traversal signatures used by the filtering routines. Additionally, the ColdFusion administrator login console must be available to the attacker. It is however quite common to find CF admin consoles directly available on the Internet. If a long and sufficiently random admin password is used, cracking the SHA1 hash could prove to be difficult. This is applicable to CF MX7, 8 and 9. Version 6 doesn’t hash the password, but instead encrypts it using a proprietary algorithm.