Aug 16, 2010 19:21 GMT

Security researchers claim the ColdFusion vulnerability recently disclosed and patched by Adobe should have a higher severity rating since it can also be used to entirely compromise systems.

One week ago, on August 10, Adobe released several security updates for its Flash Player, AIR, Flash Media Server and ColdFusion products.

The ColdFusion update addressed only one security issue, a directory traversal vulnerability, which Adobe rated as "Important" and said could lead to information disclosure.

However, many security researchers who looked at the flaw in the following days do not completely agree with the company's assessment and think the vulnerability should have received a critical severity rating.

That is because in certain setups, which are not at all uncommon, it can be exploited to completely compromise the server on which a vulnerable ColdFusion installation runs.

Adrian Pastor, a white hat hacker and member of the GNUCITIZEN information security think tank, published an extensive FAQ on the issue.

In it he explains that the directory traversal vulnerability can be used to read configuration files containing the database login information and the administrative password.

The database access details are stored in a form that can easily be decrypted, and the administrator password is hashed with the SHA1 function, which can be cracked; but, as it turns out, that is not even necessary.

For an attacker to be able to compromise the entire system, the ColdFusion admin console needs to be accessible from the Internet.

And even though this setup is not the default one, a few Google search queries confirm that it is not that uncommon and that a lot of installations are exposed in this way.

Using a trick described in Pastor's FAQ, an attacker could log in to the console using only the SHA1 hash. Once in there, they could run a .CFM backdoor script allowing them to execute code with SYSTEM privileges.

At that point it's pretty much game over and the server can be considered completely compromised. It's worth mentioning that another hacker named Chris Gates, who uses the online moniker of carnal0wnage, has released a working Proof-of-Concept (PoC) exploit for this vulnerability, so targeting it should be trivial now.