Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

The Curious Case of the Malicious IIS Module: Prologue (Method of Entry Analysis)

Earlier this week, SpiderLabs Research team released a blog post outlining analysis of a malicious IIS module that was able to scrape clear text credit card data in transit. This resulted in many news outlets reporting on the story and one included this quote:

"Online security firm Trustwave just won't stop scaring the sh** out of me."

The SpiderLabs Research Malware Analysis Team did an excellent job of describing the functionality of this IIS module backdoor. In this blog post, however, we will analyze the initial web application attack vector (Method of Entry) that was exploited which allowed the attackers to ultimately install the malicious IIS module.

Thanks to my colleagues in SpiderLabs IR/Forensics (Grayson Lenik and Jon Spruill) for assistance with this blog post.

Method of Entry Statistics

The following graphic shows the top "Method of Entry" items according to the Trustwave Global Security Report (GSR) 2013.

9095_49f72c48-16ee-43a2-bd09-d3c62be00319

These are the top vectors used to compromise sites according to the SpiderLabs Incident Response/Forensics investigations. The attack method used in the malicious IIS module case exploited a Remote Access vulnerability in Adobe's Cold Fusion application.

Adobe Cold Fusion RDS

ColdFusion RDS is described as:

ColdFusion RDS is a security component of ColdFusion Server used by the ColdFusion Administrator and ColdFusion Studio to provide remote HTTP-access to files and databases. You can use RDS to manage ColdFusion Studio access to files and databases on a server hosting ColdFusion.

ColdFusion RDS features include:

Secure server access, both basic and advanced
Data source browsing and SQL query building
Remote file access
CFML debugging

ColdFusion RDS basic security requires developers in ColdFusion Studio to supply a password which, when authenticated, permits access to files and database sources.

The list of robust features above make it an attractive target for attackers. As the last sentence describes, when attempting to directly access the Adobe Cold Fusion "cfcexplorer.cfc" page, a user would be promoted with the provision of an RDS or Admin password:

11606_c1647e4c-fa0a-45a7-b233-54d2a8c1931a

Adobe Cold Fusion RDS Remote Administration Attack (CVE-2013-0629)

The first attack attempt that was made against the target site was to check if the Cold Fusion application was vulnerable to CVE-2013-0629 which would allow the attacker to obtain the admin password or hash data.

9089_49a6a506-bc20-4678-be32-f779d979d76f

Attempt #1: Access the password.properties file

Here is a snippet taken from the victim site's IIS web server log file:

10118_7b007167-d611-475f-b893-f23d2b26975e

As described in the OSVDB vulnerability information, the attacker is attempting a directory traversal attack against the cfcexplorer.cfc page's path parameter in order to access the password.properties file. If this had worked, the attacker would have been presented with a page similar to the following:

8837_3cd1211a-5772-41d7-8dd0-9abe244ac77e

The attacker could then take the password HASH data and submit it in the RDS cfadminPassword field on the initial screen. In this case, however, the attack was unsuccessful so they moved onto a different variation.

Attempt #2: Accessing the CF Admin Parser Toolset

The attackers are able to bypass authentication and can access arbitrary files by passing data to the path parameter value. They next verify if they can access the ColdFusion Admin Parser Toolset:

10747_976e6e86-d489-4fd4-b9f5-0e21cbda26a3

Despite the returned 500 HTTP Status Code, they are able to access the parser.cfm file. They next send multiple requests to the parser.cfm page and pass Cold Fusion Markup Language (CFML) to the INPUTFILE parameter value.

10650_930f6445-d4f9-48e1-8f17-36e900743e45

The attacker is attempting to create a webshell backdoor using CFML data. Note that due to log line limits in the IIS log file, the complete contents of the INPUTFILE parameter payload is not shown. The parser.cfm program will attempt to parse the data passed to it via the INPUTFILE parameter and if there are any problems it will write error and stack information to the ColdFusion exception log (/logs/exception.log). In this scenario, the attackers need to review the exception log in order to identify the filename and location of their uploaded webshell backdoor. This is the next request attempt:

9548_5f7afde3-ad35-410f-95be-8f9b2ea1fc5b

Based on the details stack dump/error data listed in the exception.log file, the attackers were able to local their webshell backdoor (sysinfo_div0.cfm) and send the following request to access it:

12365_e7329bf3-982e-4695-a15c-34ab740e1912

CF Webshell Access

Here is a screenshot showing some of the funcationality of the webshell/backdoor.

11188_ad2af192-9afc-49fc-a79c-e4102e19e78f

As you can see, the webshell includes a "File Upload" feature that allowed the attackers to upload the malicious IIS module described in the inital blog post. Here we can see the attackers using a POST command to upload the IIS module:

8856_3dd0a0d2-2db2-4d0e-a95b-1058811f82d8

Once uploaded, the attackers where then able to use the CMD feature of the webshell to execute OS level commands and load/activate the malicious IIS module:

BSL_12355_e6cd6da0-a0bf-44f0-81bc-443650e5185d

8811_3b6505f3-4275-49ef-b4d3-ea7e16b7d7cb

Here's a Pastebin link to a similar CF webshell.

Security Recommendations

Mitigation Options

If you are running Cold Fusion applications, Adobe recommends the following Mitigation steps for this vulnerability:

ColdFusion customers using an unsupported version of ColdFusion (including ColdFusion 8.x and earlier) can take the following steps to mitigate these vulnerabilities:

  • Configure a username and password for Remote Development Services (RDS). These credentials should be different from the Administrator account. After configuring the username and password, users should disable RDS.
  • Disable external access to the following directories for all hosted sites:Remove any unknown or unnecessary ColdFusion components or templates from the CFIDE or webroot directories.
    • /CFIDE/administrator
    • /CFIDE/adminapi
    • /CFIDE/componentutils
  • Implement access control restrictions for the Administrator interface and internal applications via the Administrator Console (in ColdFusion version 10) or within your web server's access control mechanisms for versions 9.0.2 and below.
  • Ensure your ColdFusion product has the latest hotfix applied.
  • Refer to the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide for security best practices and further information on these hardening techniques.

Time-to-Patch Deficiencies

It is important to also highlight the criticality of having an expedited patching life-cycle. If you compare the data of vulnerability disclosure by Adobe (January 4, 2013) vs. the time of this particular attack (February 28, 2013), they target organization was compromised less than two months later. In this particular incident, the victim organization was aware of the vulnerability report by Adobe, however they were on a quarterly patching process and had not yet installed the patch. Deploying a Web Application Firewall (WAF) is an excellent method for minimizing the Time-to-Patch expsures for web application vulnerabilities. In this case, the victim organization did not have a WAF already deployed so actual software patching was their only option. In response to this incident, the victim organization updated CF sofware and deployed a WAF.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo