Before It Bytes!

Join us live on 8/25!

We will be live at 8pm Eastern, per usual.

Bryan Sartin joins us to discuss the 2010 Verizon Data Breach Report.  We will have our usual banter as well.

Use the links on the right side of the website to listen live!

The ColdFusion Directory Traversal vulnerability

There has been a lot of noise over the past week about the ColdFusion Directory Traversal Vulnerability.  If you haven’t heard, the basic issue is that ColdFusion allows the inclusion of just about any file on the server (usually Windows servers) to be included by using either a URL parameter or form parameter.  Without special encoding the vulnerability will let you grab any file ending in “.xml”, but by adding a “%00” to the parameter, just about any file gets included in the normal display of the ColdFusion Administrator login page.  This means that no authentication is required to pull this off.  The flaw is in the internationalization tags being used by the Administrator pages which include XML files to render the text for different languages in the CFAdmin section.  In turn the XML files aren’t really XML files, but instead are files containing large switch/case statements which, according to the arguments, spit out the value for the piece of text the XML file is called with.  The flaw is that the code calling the file uses user input to decide which file to grab, but doesn’t properly sanitize the request, allowing the inclusion of other files from the same disk the CFAdmin section is living on.  As Adrian Pastor points out, CF runs under the SYSTEM account by default, which means access to any file on the drive.  Including the CF configuration files which may include things like database connection settings (with passwords saved which can be decrypted easily).  Adrian also points out that once an attacker gains access to the CF Admin, it’s game over.

The patches provided by Adobe for the problem are quite simple, and in most cases shouldn’t even require a restart of the ColdFusion services.  The impact of the vulnerability is huge.  As Rafal Los, who rightfully calls this a “Disaster”, points out, there are a lot of ColdFusion servers with the Administrator pages available to the world.

Even worse, the vulnerability can be exploited on versions 6-9 (CFMX6, CFMX7, CF8, CF9), but Adobe is only releasing patches for versions 8 and 9.

Now for my confession.  I’ve been working with (and frustrated by) ColdFusion since version 4.5.  I understand how CF developers work, and how poorly the servers are administered in most installations.  In his post, Rafal Los offers some Google dorks for finding CF servers, and states that “There is really no legitimate reason to have a ColdFusion Admin interface on the public internet … really, I can’t think of one… yet there are many results!”.  So why are there so many results?

It is a combination of factors, laziness I’m sure being close to the top of the  list, but there are others.  The primary reason that comes to my mind is the location of the ColdFusion Administrator directory, inside of the “/CFIDE/” directory.  This directory has other directories inside of it which are used by CF for things like form validation, rendering of graphs, etc. and as such some applications stop working if the entire directory is locked down.  This means having the administrator (who may know nothing about ColdFusion) has to try to lock down the directories individually (in Adobe’s defense, the most recent version has a Lockdown Guide written by Pete Freitag which is well done).  I think the security of ColdFusion has suffered as a result of this mixture of programming functionality and server administration.

Another problem is those older versions for which no patch is forthcoming.  CF developers are very wary of changing the version of CF their application currently works on.  Much of this comes from a botched move by Macromedia a long time ago, when their first version of ColdFusion MX 6 (6.0.0) became notorious for breaking apps and eating resources.  This means that there are now a lot of old applications which are on old versions of CF.

Unfortunately, ColdFusion is starting (well, continuing) to look a lot like PHP for its reputation in security circles.  Like PHP, CFML is easy to pick up, and makes it very easy to write applications.  It also makes it very easy to write insecure applications.  Most CF sites are vulnerable to SQLi, XSS, and LFI, much like PHP.  Now with a vulnerability like this in the core of ColdFusion, I can’t say the reputation it is gaining isn’t deserved.

SecuraBit Episode 63: Walking to the Waffle House with Andy Willingham

SecuraBit Episode 63: Walking to the Waffle House with Andy Willingham
August 11, 2010
Anthony Gartner – @anthonygartner
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Andrew Borel –  @andrew_secbitGuests:
Andy Willingham (Southern Fried Security Podcast) – @andywillingham

General topics:
–Chris – experience this year, and a review of the medical facilities in Las Vegas
–General entertaining banter

Shiny Old VxWorks Vulnerabilities

Facebook name extraction based on email/wrong password

Apple Fixes PDF Vunerability that allowed webbased Jail Break.
iOS 4.0.2 Software Update

Interview with Andy Willingham
ShmooCon 2011 Dates Announced

Microsoft drops the patch bomb Malware and Unexpected Features

Free Android antivirus clocks up 2.5m downloads

A Review of Verizon and Google’s Net Neutrality Proposal

Upcoming events
South Florida ISSA’s Hack the flag and chili cook-off  Saturday August 14, 2010 from 12:00pm – 5:00pm
Hacker Halted Tim Is speaking October 14th
Louisivlle Infosec 10/7.
Atlanta B-Sides 10/8.
HacKid – 10/9-10/10
Phreaknic 10/15.

Chat with us on IRC at #securabit
iTunes Podcast –
iPhone App Now Available –

Microsoft drops the patch bomb

Well, the August 2010 Microsoft patches are out.  And man, are they out! 14 bulletins, 34 vulnerabilities. 8 rated critical. Countless reboots! There’s a lot to go through here, but here is some coverage which may help you evaluate this hot mess of patch:

Securing password resets in web apps

Recently a developer asked me about how he should perform password recovery in his new web app. The first recommendation I had was not to do recovery, but reset instead. I searched for some information aimed at developers on password reset functionality and was surprised at what I found. While I found a lot of information about what not to do, I didn’t find much now what should be done.

After pulling together some of the information I wrote this paper called “Securing Self-Service Password Reset Functionality in Web Applications” in an effort to help educate developers and provide some guidance for them when adding this type of feature to web applications.

Of course, any comments or suggestions are welcome!

Securing Self-Service Password Reset Functionality in Web Applications (pdf)

SecuraBit Episode 62: Visualizing Data with NetWitness

SecuraBit  Episode 62: Visualizing Data with NetWitness

Anthony Gartner  @anthonygartner
Chris Gerling @chrisgerling
Christopher Mills @thechrisam
Andrew Borel @andrew_secbit

Eddie Schwartz – @eddieschwartz

General topics:

Shmoocon Woot Video
NetWitness Visualize

Brief panel on certifications.

iPhone App Now Available.

Upcoming events
South Florida ISSA’s Hack the flag and chili cook-off  Saturday August 14, 2010 from 12:00pm – 5:00pm
Hacker Halted Tim Is speaking October 14th

Chat with us on IRC at #securabit
iTunes Podcast –
iPhone App Now Available –

Out-of-band patch for .LNK vulnerability

Microsoft has announced that they will be releasing an out-of-band patch for the .LNK vulnerability today (August 2nd), most likely due to the increased use of the vulnerability in malware such as the Stuxnet family (great write-up from Microsoft’s Malware Protection Center blog here). More (excellent) coverage is available at the Krebs On Security blog.

Update: Microsoft has published the advisory and patch. Details available here.

Interesting reports released

In an effort to make sure that those of us not attending the fun in Vegas are left out, a number of interesting security related reports have been released in the past week or so. In all the reports include a lot of data to be digested, but the takeaways from these seem to be:

  • Web App Security needs some work.
  • Privileged users can be dangerous
  • Organizations need to know what data they have and where
  • The information is in the logs, but no one is looking
  • Egress filtering is important
  • Malware is getting more sophisticated and customized

None of this is really news to infosec pros, but it may provide some fodder when explaining needs to management, as the reports contain hard numbers (and pretty graphs).

Here are some of the most recent reports:

Verizon 2010 Data Breach Investigations Report (DBIR)

The big news here is that the DBIR now includes data from the U.S. Secret Service, giving the folks at Verizon more data to work with. The report is very well put together and does a great job of presenting the data it contains, including pointing out where the new influx of data from the Secret Service has impacted the data making trends appear different than they have in past DBIRs. The report is available here.

Akamai State of the Internet Q1 2010

Akamai’s large global network certainly allows them to see a lot of traffic, both normal and malicious. Only the second section of the report deals directly with security, but the rest still makes interesting reading. In addition to attack traffic data, the report also contains information on global connection speeds, US connection speeds and mobile connection speeds. The report is available here (registration required).

Ponemone/ArcSight Cost of Cyber Crime Study

This study was sponsored by ArcSight, so there is a good amount of mention of SIEM systems and their benefits. The study still contains some interesting data on how much incidents can actually cost organizations (before, during and after an incident), with good information about the methodology used to arrive at the figures presented. The report is available here (registration required).

Digital Forensics Association “The Leaking Vault”

“The Leaking Vault” takes 5 years of data breach information taken from many different sources include FOIA requests, the Open Security Foundation, the Privacy Rights Clearinghouse, Sound Assurance, and the Identity Theft Resource Center. The result is a large amount of data which is sliced and presented in many different ways, providing some interesting incite into data breach notification (and the failures of them in some cases). The report is available here.

Cisco 2010 Midyear Security Report

The Cisco 2010 Midyear Security Report is less numbers focused than the reports listed above, but still interesting. The report is more focused on the changes in enterprises today and how those changes will impact security needs. This includes Mobile Devices, Virtualization and Cloud Computing, Social Media, and Government regulations. The report also includes information on worldwide spam volume. As an added bonus, the report also includes “The Artichoke of Attack” (page 21) which is by far my favorite graphic from any of these reports. The report is available here.