EMail Injection Attack

[hofar...@houseoffusion.com]

Hi All -

Recently we've been under a email injection attack where we have unauthorized emails being sent through our coldfusion application. At this point we are unsure if it is through an email injection attack or not but if anybody has any advice on how to figure out where the attack is coming from it would be very helpful.

My first question is - is there a way to trace back to which page cfmail is being called from? Are there any logs that I can view that would allow us to track down what pages are being hijacked?

Much appreciated, thanks!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359129

[hofar...@houseoffusion.com]

Can you explain a bit more what you mean by email injection attack? Do you mean someone is spamming forms that generate forms email, or is someone using some application you have to generate spam? Can you provide a slightly better explanation of what's happening?


Robert Harrison
Director of Interactive Services

Austin & Williams
Advertising I Branding I Digital I Direct  
125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
T 631.231.6600 X 119   F 631.434.7022  
http://www.austin-williams.com

Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359130

[hofar...@houseoffusion.com]

Hi Robert - Thanks for the reply, yes of course let me explain a bit more.

While checking our sent mail logs, logged by coldfusion, we noticed emails were being sent out that was not directly sent through our own pages. Spam emails that were sent to different outside emails.

So we can see that spam emails were sent outbound, but as of yet, we have no source of where they're coming from (ie. which pages are compromised).

From what I've been researching, one way this is done by email inject - where they use form submissions to inject their own coldfusion code to form their own 'cfmail' sends. http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm

Please let me know if you need additional info

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359131

[hofar...@houseoffusion.com]

Make sure the cfmail option for logging sent mail is enabled via the
CFAdmin. This will tell you if CF is actually sending the mail. The log
file will be in your CF root under logs. I think it's mailsent.log.

Most likely one of two things.

You have a web form that sends through another template using the cfmail
tag which does no "human" checking, like a Captcha or checking the delay
between page load and send request.

Or you have an open relay with the mail server that is being used by CF to
send mail, and CF is not actually the issue. Your mail server logs can log
this, log location will vary based on the server used. There are several
online tools to check if your mail server has an open relay.

http://mxtoolbox.com/diagnostic.aspx

~Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359132

[hofar...@houseoffusion.com]

Do you have admin control of this server or is it a shared host? If its a
server you control then its a simple matter to lock down the mail server,
right? Require smtp auth for all senders and then use smtp auth in your
cfmail statements in your code. That would be just step 1 of a hardening
process that should have more than this layer to it.

I realize this doesn't bear on your discovery question but if this is
happening at all it points to a hole in security in at least one place.
And if its a shared host then the situation may not be in your control in
the first place.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359133

[hofar...@houseoffusion.com]

No really good way in CF logs that I know to see the actual file that sent
the CFMail.

Might be able to correlate your web server access logs to the cf mail sent
log with the timestamp.

Most of the time attacks like this will be all at once, so it should be
fairly easy to see in the web logs.

~Byron

On Mon, Aug 18, 2014 at 4:12 PM, G T <tran....@gmail.com> wrote:

>
> Hi Robert - Thanks for the reply, yes of course let me explain a bit more.
>
> While checking our sent mail logs, logged by coldfusion, we noticed emails
> were being sent out that was not directly sent through our own pages. Spam
> emails that were sent to different outside emails.
>
> So we can see that spam emails were sent outbound, but as of yet, we have
> no source of where they're coming from (ie. which pages are compromised).
>
> From what I've been researching, one way this is done by email inject -
> where they use form submissions to inject their own coldfusion code to form
> their own 'cfmail' sends.
> http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm
>
> Please let me know if you need additional info
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359134

[hofar...@houseoffusion.com]

What version of ColdFusion are you currently on and what's your patch
level. I've seen instances where the vulnerability in the AdminAPI is
exploited to upload templates that mass send junk mail. Look for a file
called "h.cfm" in your CFIDE folder and in your webroot. That is the usual
vector for this kind of attack..

If you find it, you'll need to assume that your entire server is
potentially compromised as they have the ability to upload and execute any
code in your system...

--
Jeff

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359135

[hofar...@houseoffusion.com]

To try and directly answer your question: I don't believe there are any
logs that nail down what template a bit of mail is sent from. mailsent.log
only says, for example:

"Information","scheduler-3","01/03/14","18:32:18",,"Mail: 'Subject Goes
Here' From:'who...@wherever.com' To:'vic...@spamworld.com' was
successfully sent using mail.openrelay.com"

If you are a glutton for punishment you can still do it: Synch the mail
sent time in mailsent.log with your web server log's template execution
times and you should probably find a correlation that way.

However, if it were me, I'd concentrate on solving the root problem and
forget about where it might be happening. Do a global search for every
instance of "</cfmail>" will show you every template that sends mail.
Start cleaning up your code from there. Although the mail server itself is
probably the first place you should start.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359136

[hofar...@houseoffusion.com]

There are a bunch of things you can do depending on exactly how this is happening. Using STMP authentication is one... but if you think your forms are being spoofed, you may be able to use cgi vars to get some info.

You can use CGI referrer to see if the request is coming from the correct page... wrap your cfmail code in CFif referrer is the expected source with an else. If it's coming from the correct page, let it process. If else, dump the vars and referrer IP to a log or send it to yourself in a mail.

If you need some help with that I may be able to mock up some sample code tomorrow, but I'm on client need at the moment.

Robert Harrison
Director of Interactive Services

Austin & Williams
Advertising I Branding I Digital I Direct  
125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
T 631.231.6600 X 119   F 631.434.7022  
http://www.austin-williams.com

Blog: http://www.austin-williams.com/blog

Twitter: http://www.twitter.com/austin_wi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359137

[hofar...@houseoffusion.com]

The server itself is our own dedicated webserver, and as for our email server we're using Microsoft 365 so I do not think the compromise is at that level.

I may implement the smtp auth piece to at least mitigate the issue as of now.

Thanks for the suggestion!

>Do you have admin control of this server or is it a shared host? If its a
>server you control then its a simple matter to lock down the mail server,
>right? Require smtp auth for all senders and then use smtp auth in your
>cfmail statements in your code. That would be just step 1 of a hardening
>process that should have more than this layer to it.
>
>I realize this doesn't bear on your discovery question but if this is
>happening at all it points to a hole in security in at least one place.
>And if its a shared host then the situation may not be in your control in
>the first place.
>
>
>
>
>>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359138

[hofar...@houseoffusion.com]

Hey Jeff -

This is our current coldfusion setup:

Server Product ColdFusion
Version 8,0,1,195765
Update Level /C:/ColdFusion8/lib/updates/hf801-00003.jar

I took a look for the "h.cfm" file under the CDIFE root and the webroot and did a search as well for this file but did not see any results return.

My initial reaction was to see if there were patches that I have missed and I did a few patches just recently to make sure I was up to date. But given that we're running on a very old version of coldfusion, and the issue cropped up just recently, I am not sure if there has been an update to fix these types of compromises in newer versions of CF.

As for the "h.cfm" - is there any other variants that I need to make sure that I am not missing on looking out for?

Thanks for your help!

>What version of ColdFusion are you currently on and what's your patch
>level. I've seen instances where the vulnerability in the AdminAPI is
>exploited to upload templates that mass send junk mail. Look for a file
>called "h.cfm" in your CFIDE folder and in your webroot. That is the usual
>vector for this kind of attack..
>
> If you find it, you'll need to assume that your entire server is
>potentially compromised as they have the ability to upload and execute any
>code in your system...
>
> --
> Jeff
>
>
>

>> Hi Robert - Thanks for the reply, yes of course let me explain a bit
>more.
>>
>> While checking our sent mail logs, logged by coldfusion, we noticed
>emails were being sent out that was not directly sent through our own
>pages. Spam emails that were sent to different outside emails.
>>
>> So we can see that spam emails were sent outbound, but as of yet, we have
>no source of where they're coming from (ie. which pages are compromised).
>>
>> From what I've been researching, one way this is done by email inject -
>where they use form submissions to inject their own coldfusion code to form
>their own 'cfmail' sends.
>http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm
>>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359139

[hofar...@houseoffusion.com]

The easiest thing to do is to scan your site code to see what pages contain
the cfmail tag. The next thing is to look at your web server logs to see
who is requesting those pages. If you allow for the site visitor to specify
who the mail is being sent to, then you are opening yourself up to someone
sending spam through your site.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359140

[hofar...@houseoffusion.com]

I currently have logging for sent mail through cfadmin so that is really the way I found out that email is being sent outbound somehow.

I do have captcha implementation on my forms, but it's been a bit of time since I initially implemented this, so I was also considering the possibility that the implementation may be flawed now (spammers found a way around such walls).

The server we're using to send the email is office 365 so (hopefully) they are not the issue.

>Make sure the cfmail option for logging sent mail is enabled via the
>CFAdmin. This will tell you if CF is actually sending the mail. The log
>file will be in your CF root under logs. I think it's mailsent.log.
>
>Most likely one of two things.
>
>You have a web form that sends through another template using the cfmail
>tag which does no "human" checking, like a Captcha or checking the delay
>between page load and send request.
>
>Or you have an open relay with the mail server that is being used by CF to
>send mail, and CF is not actually the issue. Your mail server logs can log
>this, log location will vary based on the server used. There are several
>online tools to check if your mail server has an open relay.
>
>http://mxtoolbox.com/diagnostic.aspx
>
>~Byron
>
>
>
>
>>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359141

[hofar...@houseoffusion.com]

Regarding the 'h.cfm' issue, go to the bathroom first (your upholstery will
thank me) and THEN sit down and read this.

http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat

and the two follow-on blog entries linked at page bottom. This did quite a
job of rocking many worlds and if you are just hearing about it, pray you
aren't vulnerable or infected.

As for email, here's one of mine:

<cfmail
to="#variables.scrubbedEmail#"
from="#server.AdminEmail#"
BCC="#server.developerEmail#"
subject="#variables.scrubbedSubject#"
username="#server.adminUsername#"
password="#server.adminPassword#"
server="#server.emailServer#"
port="#server.emailServerPort#"
type="HTML">

If users are inputting data into your mail headers (i.e. a "your Email"
field and you are taking their input) then you need to scrub that input
before its put into a cfmail parameter. Something like an isEmail()
function for the 'to' if it is an address that is user-submitted. If for
example its the email subject then strip out things like linefeeds and
breaks.

I don't like putting in auth info into the CF administrator (I put dummy
info there, in fact). I prefer to put it in via the CF template, but I
keep the actual account info in a cf template that is actually not on the
web root, and cfincluded into the application via a relative path in
Application.cfm. The point of doing that is the file and its sensitive
contents is a lot harder to find a way to read if its not web-accessible.
I also send mail from CF via a nonstandard port. My mail server is
config'd to listen for incoming mail on that additional port and only
accept from the CF server's IP. IP-specific holes are poked in firewalls
accordingly. This step may not be available with your MS 365 mail server.
If MS 365 has frequency filters that spot mail in quantity being sent from
User X and takes action if it exceeds a certain threshold, then you want to
fire that layer of protection up.

All of this is imperfect but as a package its pretty solid.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359142

[hofar...@houseoffusion.com]

Hey Dean -

I'll be looking at my webserver logs to see if I can see any correlation with my mail logs. But to respond to your thought, none of the code so far allows the user to specify who they're sending to. The forms that send email are at the very basic level just notification to our internal recipients on submissions.

Thanks!

>The easiest thing to do is to scan your site code to see what pages contain
>the cfmail tag. The next thing is to look at your web server logs to see
>who is requesting those pages. If you allow for the site visitor to specify
>who the mail is being sent to, then you are opening yourself up to someone
>sending spam through your site.
>
>
>
>
>>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359143

[hofar...@houseoffusion.com]

To consolidate a few thoughts here -

1) I will be looking to webserver logs and mail sent logs to see if I see any points of contact of when/where the attacks are coming from. If I can isolate the problem to it actually being a page attack (ie. email inject) vs a serverside compromise (ie. environment vulnerabilities) then that will be a great start.

2) My coldfusion server configuration is:

Server Product ColdFusion
Version 8,0,1,195765
Update Level /C:/ColdFusion8/lib/updates/hf801-00003.jar

3) There is no real logs to see where cfmail requests to the spooler are coming from - which is my original question :) so thank you for that info.

4) I will be doing some code cleansing and try to mitigate the issue by implementing a few suggestions including referrer check, stmp authentication, and field checks for injection code.

I appreciate all your help, I just came across this community and so far this has been extremely helpful.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359144

[hofar...@houseoffusion.com]

if sending by CF but not using your code that could mean they are running
cf code you didn't write.

--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359145

[hofar...@houseoffusion.com]

Garry

The hack files are not always called h.cfm. In fact that was just one named used by one attacker. there was also i.cfm by another attacker. Others have used other file names and/or other techniques as described in this blog post that Mark Kruger wrote that describes an exploit method I found. The file can be named anything. and it’s does not even need to be a .cfm or .cfc file. As this post points out (http://www.coldfusionmuse.com/index.cfm/2013/12/5/attack.vector.missing.template.handler ) Odds are someone was able to insert onto your server a "web shell" file that is granting them full access to anything they want on the server.

The blog post by Charlie that was already mentioned is a great resource too.

Here is what I would be doing:

1. At this point I would be changing my mail server credentials and going from CFAdmin mail credential settings to template level just to stop the flow of bogus email.
2. Locking down the CFAdmin and CFIDE or disabling it all together. The fastest way on IIS would be to restrict access to CFIDE to the 127.0.0.1 IP address.
3. Next I would do a search of all text files for the existence of "<CFMAIL”.
4. If a file is found then you can search for that file name in your web server and CF logs to see when it was first created/accessed.

Depending on what you find it may or may not be necessary to abandoned the server and start with a fresh setup. That is the worst case situation and we’ve run into that before.

Also remember that a fully patched CF8.0.1 server HAS the CFAdmin API exploit.

If you need further help please contact me. Investigating hacked servers is a large part of what we do at CF Webtools.

Regards,
Wil



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com
wil@cfwebtools


www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359146

[hofar...@houseoffusion.com]

I'd also enlist the help of your hosting provider if server level
troubleshooting is part of your service level agreement. It's usually in
their best interest to squash this type of activity, as it can get their ip
addreses and ranges blacklisted.

Byron Mann
Lead Engineer & Architect
HostMySite.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359157

[hofar...@houseoffusion.com]

On Mon, Aug 18, 2014 at 9:56 PM, Garry Tran wrote:

> My first question is - is there a way to trace back to which page cfmail
> is being called from? Are there any logs that I can view that would allow
> us to track down what pages are being hijacked?
>

If I write code where a cfmail tag is called straight from the website (as
opposed to a scheduled process or something internal), I consider it a best
practice to add the following two lines of code:
<cfmailparam name="X-Original-IP" value="#cgi.remote_addr#" />
<cfmailparam name="X-Original-URL"
value="#cgi.host_name#/#cgi.script_name#/#cgi.path_info#?#cgi.query_string#"
/>

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359159