Entries Tagged as "Unofficial Updater 2"

File Integrity Checking CFIDE

So with the most recent attack on ColdFusion (detailed by Charlie Arehart, Part #1, Part #2) there was a comment left on the post that got me a bit concerned: it said all you had to do was search for h.cfm to remove the file placed by the attacker. My experience has been that if an attacker has had access to the server there is no absolute way of knowing what they might have done, even with good log reconstruction. As I noted in my comment, in one instance I previously encountered a situation where an attacker put a file called fck_dialog_common.cfm into CFIDE/scripts/ajax/FCKeditor/editor/dialog/common. At first glance the directory listing looks right, but in actuality it is a file that was buried and hidden so the attacker could come back through it instead of the original entry point.

The only way to know is to have a way of doing file integrity checks against a known-good source. The initial attack that was posted to the Adobe forum was found because an intrusion detection system (IDS) alerted the administrator that a file called h.cfm had been written to CFIDE.

There are several types of IDS; the one that caught this type of attack was a host-based IDS. The most well known is Tripwire, which is a commercial product, although there is an open source version on SourceForge. There is also OSSEC, which is quite full featured, cross-platform, and open source. Deploying a full host-based IDS can be complex and time consuming, since they have many more features than just file integrity checking.

You could manually write a script that traverses directories and creates MD5 or SHA-1 hashes of all the files, but there is a utility suite called md5deep/hashdeep that makes it easier and provides a way to audit a directory tree against a list of known hashes. The utility is free and available for practically every OS.

Below is a listing of hashdeep hashsets that will validate CFIDE for ColdFusion 8.0.1, 9.0.1, and 9.0.2 patched through APSB12-21 using Unofficial Updater 2 on a clean install. Because Adobe has made the security hotfixes cumulative, it is possible to check CFIDE at various security patch revisions for a given version of ColdFusion. APSB12-21 was the last security hotfix for ColdFusion 8.0.1, and APSB12-26 did not modify any files in CFIDE. For ColdFusion 10 there is one hashset for Update 6 (APSB12-26), but it should be valid going all the way back to Update 4. It is possible to use the hashdeep hashsets for ColdFusion 8.0.1 and 9.0.1 going all the way back to APSB11-14, but they will report that CFIDE/adminapi/security.cfc and CFIDE/administrator/security/_cffunctionsoptions.cfm do not match, since those files were changed in APSB12-21. Since Unofficial Updater 2 does not run against ColdFusion 8.0.0 or 9.0.0, there are no hashdeep hashsets for those versions. The hashsets are OS specific (Windows versus Unix/Linux/Mac OS X), since it seems hashdeep does not translate between \ and / in paths.

Hash Set                                    MD5 Hash
CFIDE-CF801-patched-APSB12-21-unix.txt      a5e0c09ba46f3454b1274520dd1d51c5
CFIDE-CF801-patched-APSB12-21-win.txt       baa69cc859612d86b044e4c2dd177b5b
CFIDE-CF901-patched-APSB12-21-unix.txt      a29865a0d5f7148e05b0fd297996ffe5
CFIDE-CF901-patched-APSB12-21-win.txt       f97d974f59fab2fa655b46d87e783d76
CFIDE-CF902-patched-APSB12-21-unix.txt      7b8f046f4526530335c08ba053e4fd1f
CFIDE-CF902-patched-APSB12-21-win.txt       254143a19f50b104bdae67ee1c3a8cf6
CFIDE-CF10U6-patched-APSB12-26-unix.txt     52e5b6cc7d761e3d161b4d4d2f7fdc98
CFIDE-CF10U6-patched-APSB12-26-win.txt      d9ec43aa354b6f2f76cc1052bd300f0c

To check your CFIDE against the hashdeep hashset for your version, you need to install hashdeep and go to the directory above CFIDE, as shown below (Windows):

cd \ColdFusion9\wwwroot
hashdeep -k c:\temp\CFIDE-CF901-patched-APSB12-21-win.txt -l -a -v -v -r CFIDE

The -k tells hashdeep to compare against a file that has the known hashes, -l is for relative paths, -a is for audit mode, the double -v makes the audit report the files that failed the audit along with the audit statistics, and -r is recursive.

To create your own hashes:

cd \ColdFusion9\lib
hashdeep -l -r *.jar > c:\temp\cfusion-lib-jars.txt

This will create a hashdeep hashset of all the jar files, which can later be used as the known-good list to audit against.

Now it is possible to make a poor man's IDS with hashdeep if you create a script that runs through an OS scheduled task (or cron job) and emails if a file check fails. Also note that this is all done from the command line on the OS. The reason is that you do not want the integrity checking dependent upon any part of the web stack (web server, application server) that could be attacked; for the same reason the hashset file should live where the ColdFusion and web server users cannot write to it, and its MD5 should be checked against the table above before it is trusted.
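The following is an added example, not code from this post, from hashdeep, or from Unofficial Updater 2. It does in Python what the paragraphs above describe: it walks a directory tree and hashes every file (the manual script mentioned earlier), writes the result in the HASHDEEP-1.0 text format that hashdeep produces (size,md5,sha256,filename, header lines starting with %%%% and ##), and audits a tree against such a file, reporting new, missing and modified files and exiting non-zero so a scheduled task can mail the report. Unlike hashdeep it normalises \ to / when reading a hashset, so a -win hashset can be audited against a Unix tree. The directory layout and file contents inside demo() are constructed for the demonstration; the look-alike fck_dialog_common.cfm and h.cfm mirror the files described at the top of the post.

```python
"""Poor man's file-integrity audit, hashdeep style (added example)."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

HEADER = ("%%%% HASHDEEP-1.0", "%%%% size,md5,sha256,filename")


def hash_file(path):
    """Return (size, md5, sha256) for one file, read in 64 KiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def build_hashset(root, subdir):
    """Hash every file under root/subdir, keyed by the path relative to root
    with forward slashes (what 'hashdeep -l -r subdir' run from root gives)."""
    base = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(base / subdir):
        for name in sorted(files):
            full = Path(dirpath) / name
            entries[full.relative_to(base).as_posix()] = hash_file(full)
    return entries


def write_hashset(entries, out_path):
    """Write entries in HASHDEEP-1.0 format; the filename is the last field."""
    with open(out_path, "w") as fh:
        for line in HEADER:
            fh.write(line + "\n")
        for rel in sorted(entries):
            size, md5, sha = entries[rel]
            fh.write(f"{size},{md5},{sha},{rel}\n")


def read_hashset(path):
    """Parse a HASHDEEP-1.0 file. '%%%%' and '##' lines are headers; split on
    at most three commas so commas in filenames survive; '\\' becomes '/'."""
    entries = {}
    with open(path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith(("%%%%", "##")):
                continue
            size, md5, sha, rel = line.split(",", 3)
            entries[rel.replace("\\", "/")] = (int(size), md5, sha)
    return entries


def audit(baseline, current):
    """Compare two hashsets; any non-empty list means the audit failed."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def audit_tree(hashset_path, root, subdir):
    """Equivalent of 'hashdeep -k hashset -l -a -r subdir' run from root.
    Returns (passed, report)."""
    report = audit(read_hashset(hashset_path), build_hashset(root, subdir))
    return not any(report.values()), report


def demo():
    """Constructed scenario (not real CF files): baseline a clean CFIDE, then
    drop h.cfm, bury a look-alike fck_dialog_common.cfm in the FCKeditor tree,
    edit one file and delete another. Returns the audit result."""
    root = tempfile.mkdtemp()
    clean = {
        "CFIDE/administrator/index.cfm": b"<cfset x = 1>",
        "CFIDE/adminapi/security.cfc": b"<cfcomponent></cfcomponent>",
        "CFIDE/scripts/ajax/FCKeditor/editor/dialog/common/fck_dialog_common.js": b"var a;",
    }
    for rel, data in clean.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    hashset = Path(root, "CFIDE-baseline.txt")   # in real use: stored off-box
    write_hashset(build_hashset(root, "CFIDE"), hashset)
    Path(root, "CFIDE/h.cfm").write_bytes(b"<!--- dropped by attacker --->")
    Path(root, "CFIDE/scripts/ajax/FCKeditor/editor/dialog/common/fck_dialog_common.cfm").write_bytes(b"backdoor")
    Path(root, "CFIDE/administrator/index.cfm").write_bytes(b"<cfset x = 2>")
    Path(root, "CFIDE/adminapi/security.cfc").unlink()
    return audit_tree(hashset, root, "CFIDE")


if __name__ == "__main__":
    # usage: integrity.py baseline ROOT SUBDIR OUT.txt | integrity.py audit HASHSET ROOT SUBDIR
    if len(sys.argv) > 1 and sys.argv[1] == "baseline":
        write_hashset(build_hashset(sys.argv[2], sys.argv[3]), sys.argv[4])
    else:
        args = sys.argv[2:5] if len(sys.argv) > 4 else None
        ok, report = audit_tree(*args) if args else demo()
        for kind in ("new", "missing", "modified"):
            for rel in report[kind]:
                print(f"{kind.upper():9}{rel}")
        sys.exit(0 if ok else 1)   # non-zero exit lets cron/Task Scheduler alert
```

The audit treats a file that is not in the baseline as a finding, which is exactly how the buried fck_dialog_common.cfm would surface: the directory name and file name look legitimate, but no clean install produces that path. The baseline only proves anything if it was generated from a clean install (or downloaded from the table above and its MD5 verified) and kept where the web stack cannot rewrite it; an attacker who can edit the hashset can make the audit pass.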

I am looking into how to integrate hashdeep with Unofficial Updater 2, so that when the updater is run it can report if it finds something that shouldn't be there. Hopefully Adobe puts something like this into the Automatic Updater that is in ColdFusion 10. Also, since Adobe has announced with security advisory APSA13-01 that there will be a security patch to fix this on January 15, 2013, I do plan on getting Unofficial Updater 2 updated that day so that it applies the new security patch for ColdFusion 9.0.1 and 9.0.2.


Final update to Unofficial Updater 2 for ColdFusion 8.0.1 (APSB12-21)

Well, the long nightmare known as patching Adobe ColdFusion 8.0.1 is now over. With the release of APSB12-21 last week and core support ending on July 31 for ColdFusion 8, there will be no more security hot fixes released for it (noted at the bottom of the technote). Over 5 years there were 28 hot fixes and 4 cumulative hot fixes (CHF) released for ColdFusion 8.0.1 (hot fix matrix).

Additional changes to Unofficial Updater 2

Unofficial Updater 2 now supports ColdFusion 9.0.2, since APSB12-21 needs to be applied to it as well and there is no easy way to do so; the Hotfix Update functionality in ColdFusion 10 does not look like it will be back-ported any time soon.

UU2 will now try to write and then delete a text file in each of the directories supplied. This is done before any of the updates are applied to the system. If the test fails in any of the directories, UU2 will stop and report the directory it couldn't work with. This should resolve several of the "Unable to expand" errors that have been reported as issues, and not leave ColdFusion in an indeterminate state with only some patches applied.

New disclaimer #7 points to Charlie Arehart's cf411.com listing of CF-Oriented Troubleshooting Consultants. Since UU2 cannot deal with all possible configurations, it really might be necessary to engage a consultant to make sure ColdFusion is properly patched.

Final Thoughts

I have been asked if I would consider modifying UU2 to patch ColdFusion MX 7. I looked at what it would take and it really isn't worth the effort. Adobe ended core support on 2/7/2010 and extended support on 2/7/2012 for ColdFusion MX 7. If you are still on such an old version, you really need to just upgrade or migrate over to Railo.

Lastly, thank you to everyone that continues to provide feedback and use Unofficial Updater 2; the previous release was downloaded over 720 times from github.


More Updates to Unofficial Updater 2

It is nice that Adobe has moved to a regular release cycle of security hotfixes for ColdFusion 8.0.1 and 9.0.1. It makes maintaining Unofficial Updater 2 easier. There have been quite a few changes besides just updating for the latest security hotfix. Below is a detailed change log since the last release.

Application of APSB12-15

On June 12th, Adobe released APSB12-15 which is a security hotfix for ColdFusion 9.0.1 and earlier. UU2 now applies the hotfix as specified in Section 2 of the documentation.

Process Termination and Automated Command Line Installs

While using AntInstaller has been a great way to package and distribute UU2, it does have a downside: it is not actively maintained and still has quite a few bugs. One that I never noticed was that on Windows and some Linux installs, when running in text mode, it never properly terminated the process when it was finished. This has been fixed by patching the AntInstaller code and creating a custom build for UU2.

One of the nice features that AntInstaller has is the ability to allow for automated installs, which is now available in UU2. The first time you run UU2 you must select Yes to "Enable cmdline automation". By selecting Yes, UU2 will allow an additional run type of text-auto, which tells UU2 to look for an ant.installer.properties file to use for the values to run with.

It is recommended to run UU2 once with text to create the ant.installer.properties file that can be used on subsequent text-auto runs.

Logging and File Ownership

So logging of what happened when UU2 ran was never quite straightforward. It relied upon both the Output and Errors tabs in the GUI, or output to the console in text mode. While both of those are still there, UU2 will now write a log in the current directory where UU2 is run, called uu2-{datetime-stamp}.log, which will log everything in a single place.

When running UU2 on Linux/Unix, I never provided any guidance on whether it should be run as root or as the user that ColdFusion runs as. This was intentional, since the administrator would be the best one to know. There are trade-offs to both. Running as root requires going back and making sure ownership and permissions of new files are correct. Running as a non-root user, one might encounter a failure due to inadequate permissions.

UU2 now identifies the user it is running as. If it is running as root, it will now change ownership of files to the ColdFusion user. If it is running as a non-root user, it will display a warning that it might encounter problems. In either case you should verify that ownership and permissions of the files are correct.

ColdFusion 8.0.1 Build 196946

So I encountered this at work. We upgraded several ColdFusion 8.0.0 servers on RedHat to 8.0.1 and then went to run UU2 on them to patch them, which promptly failed. Apparently Adobe created another build number, 196946, in the ColdFusion 8 Update 1 for Linux that didn't follow the officially published build number 195765. Since UU2 (and I) didn't know about it, UU2 properly failed. UU2 can now identify this build and properly patch it. The fun thing is that when you run cfinfo in this configuration it reports 8,0,1,196946, but the ColdFusion Administrator reports 8,0,1,195765 when fully patched. Just an insight into Adobe's code, since one would think the version number would be a constant.

Wrap-up

I'd like to thank Steve Dean for suggesting the automated installs and working through test builds. I also need to thank Scott Stroz for suggestions on logging, the Linux/Unix install procedure, and a github pull request. This tool is really a combination of everyone that uses it and their feedback on how to make it better. I do ask that if you encounter problems with UU2 you please email me or submit an issue on github.


Update to APSB12-06 and Unofficial Updater 2

So last Thursday (March 29th) Adobe published an update to APSB12-06 to address a defect it introduced that prevented file uploads from working properly on ColdFusion 8.0.1; see the Adobe forum post for details. I have just updated Unofficial Updater 2 to apply the corrected files for ColdFusion 8.0.1.

So, good that they fixed the issue, but my problem with Adobe lies with how they communicate the change. I didn't even know there was an update until I saw a post aggregated on ColdFusionBloggers.org from the Adobe ColdFusion Blog. I am signed up to Adobe's Security Notification Service, but I have never seen a notification come in regarding ColdFusion. And when you go to the updated ColdFusion Security Hotfix APSB12-06, where is the information that it has been updated? At the BOTTOM of the page. But at least it was updated; that counts for something, right?

The next fun thing is that Adobe is not consistently publishing the files associated with the technote. The original files and the non-updated files are linked from http://helpx.adobe.com/content/dam/kb/en/930/cpsid_93043/attachments/, whereas the updated ones for CF801 are at http://helpx.adobe.com/content/dam/help/attachments/. It is still possible to download the "broken" CF801 files. Seems to me the updated CF801 files should have been put at the originally published URL, overwriting the "broken" CF801 files. Minor details.

And everyone is pointing to ColdFusion 10's server update (automatic hotfix management) as the cure for all of this, but I don't think it will be the panacea everyone thinks it will be. Of the last four security hotfixes that Adobe has released, three have been updated at least once to fix bugs that were introduced by them: APSB11-04 once, APSB11-14 twice, APSB12-06 once. Just not feeling good about the Adobe QA process these days.

The only true fix for this mess is for Adobe to produce annual updates that are fully tested and packaged installers. I really doubt it will ever happen for ColdFusion 8.0.1 since it has been over 4 years since the last updater and ColdFusion 8 core support is ending on July 31, 2012.


Unofficial Updater 2 Updates (APSB12-06)

There have been several updates to Unofficial Updater 2 over the past few days.

  • Support for APSB12-06
    • Adobe truly seems to be getting on a quarterly release schedule for ColdFusion security updates, since the last one, APSB11-29, was released on December 13, 2011
    • Given that the last few have been cumulative, UU2 now just applies the latest one following the Section 2 instructions
  • UU2 only needs to be run once with an Internet connection
    • This was a suggestion from Adrian Moreno and was something I had been thinking about doing for a bit
    • On the first run, UU2 will download all the hotfixes and security bulletins for both ColdFusion 8.0.1 and 9.0.1 from Adobe and then pack them into Unofficial-Updater2-with-downloads.jar, which can be run later. This was done since UU2 cannot directly package the updates from Adobe
    • UU2 will also create unofficial-updater2.txt in <cfusion-home>/lib/updates which will contain the date that UU2 was run and the date the files were downloaded from Adobe
  • Updates for download URLs that Adobe changed
  • Wiki updates

The latest installer is available for download from github.
