So with the most recent attack on ColdFusion (detailed by Charlie Arehart, Part #1, Part #2), a comment left on the post got me a bit concerned: it said all you had to do is search for h.cfm to remove the file placed by the attacker. My experience has been that if an attacker has had access to the server there is no absolute way of knowing what they might have done, even with good log reconstruction. As I noted in my comment, in one instance I previously encountered a situation where an attacker put a file called CFIDE/scripts/ajax/FCKeditor/editor/dialog/common. At first glance of the directory it looks right, but in actuality it is a file that was buried and hidden so the attacker could come back through it instead of the original entry point.
The only way to know is to have a way of doing file integrity checks against a known good source. The initial attack that was posted to the Adobe forum was found because an intrusion detection system (IDS) alerted the administrator that a file had been written to CFIDE that was called
There are several types of IDS; the one that caught this type of attack was a host-based IDS. The most well known is Tripwire, which is a commercial product, although there is an open source version on SourceForge. There is also another called OSSEC which is quite full featured, cross-platform, and open source. Now deploying a full host-based IDS can be complex and time consuming, since they have many more features than just file integrity checking.
You could manually write a script that traverses directories and creates MD5 or SHA-1 hashes of all the files, but there are utilities called md5deep and hashdeep that make it easier and provide a way to compare directories against a list of known hashes. The utilities are free and available for every OS that is out there.
Below is a listing of hashdeep hashsets that will validate CFIDE for ColdFusion 8.0.1, 9.0.1, and 9.0.2 patched through APSB12-21 using Unofficial Updater 2 on a clean install. Because Adobe has made the security hotfixes cumulative, it is possible to check CFIDE in various security patch revisions for given versions of ColdFusion. APSB12-21 was the last security hotfix for ColdFusion 8.0.1, and APSB12-26 did not modify any files in CFIDE. For ColdFusion 10 there is one for Update 6 (APSB12-26), but it should be valid going all the way back to Update 4. It is possible to use the hashdeep hashsets for ColdFusion 8.0.1 and 9.0.1 going all the way back to APSB11-14, but it will report that CFIDE/administrator/security/_cffunctionsoptions.cfm does not match since it was changed in APSB12-21. Since Unofficial Updater 2 does not run against ColdFusion 8.0.0 or 9.0.0 there are no hashdeep hashsets for those versions. The hashsets are OS specific for Windows and Unix/Linux/Mac OS X since it seems hashdeep does not translate between \ and / for paths.
To check your CFIDE against the hashdeep hashset for your version, you need to install hashdeep and go to the directory above CFIDE, then run the command shown below (Windows):
hashdeep -k c:\temp\CFIDE-CF901-patched-APSB12-21-win.txt -l -a -v -v -r CFIDE
The -k tells hashdeep to compare against a file that has the hashes, -l is for relative path, -a is for audit mode, the double -v is so the audit reports the files that failed the audit along with the audit statistics, and -r is recursive.
To create your own hashes:
hashdeep -l -r *.jar > c:\temp\cfusion-lib-jars.txt
This will create a hashdeep hash file of all the jar files which can be used to check against.
Now it is possible to make a poor-man’s IDS with hashdeep if you create a script that runs through an OS scheduled task and emails if a file check fails. Also note that this is all done from the command line on the OS. The reason is that you do not want the integrity checking dependent upon any part of the web stack (web server, application server) that could be attacked.
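To show what the baseline-and-audit logic behind that scheduled check looks like, here is an added Python example (not part of the original post and not hashdeep's own code). It hashes a tree the way hashdeep -l does (relative paths, MD5 and SHA-256), writes and reads a hashset in the text layout hashdeep produces (the header and record layout are assumed from the tool's output), and reports modified, unknown and missing files so a scheduler can alert when any list is non-empty:

```python
import hashlib
from pathlib import Path

# Hashdeep hashset layout (assumed from its output): "%%%%" header lines, "##"
# comment lines, then one "size,md5,sha256,filename" record per file.
HEADER = ["%%%% HASHDEEP-1.0", "%%%% size,md5,sha256,filename"]


def hash_file(path):
    """Return (size, md5, sha256) of one file, streamed so large jars are fine."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def build_baseline(root):
    """Hash every file under root, keyed by "/"-separated relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_hashset(baseline, out_path):
    """Write the baseline as a hashset text file (one record per file)."""
    lines = HEADER + ["%s,%s,%s,%s" % (s, m, h, name)
                      for name, (s, m, h) in sorted(baseline.items())]
    Path(out_path).write_text("\n".join(lines) + "\n")


def read_hashset(path):
    """Parse a hashset file back into the same dict build_baseline returns."""
    baseline = {}
    for line in Path(path).read_text().splitlines():
        if not line or line.startswith(("%%%%", "##")):
            continue  # skip header and comment lines
        size, md5, sha256, name = line.split(",", 3)
        baseline[name] = (int(size), md5, sha256)
    return baseline


def audit(root, baseline):
    """Compare root to the baseline; any non-empty list is an audit failure."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "unknown": sorted(n for n in current if n not in baseline),  # e.g. a dropped h.cfm
        "missing": sorted(n for n in baseline if n not in current),
    }
```

A scheduled task would call audit() against the stored hashset and send mail when any of the three lists is non-empty.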
I am looking into how to integrate hashdeep with Unofficial Updater 2, so that when the updater is run it can report if it finds something that shouldn’t be there. Hopefully Adobe puts something like this into the Automatic Updater that is in ColdFusion 10. Also since Adobe has announced with security advisory APSA13-01 that there will be a security patch to fix this on January 15, 2013, I do plan on getting Unofficial Updater 2 updated that day so it applies the new security patch for ColdFusion 9.0.1 and 9.0.2.