Experts at Volexity discovered that a recently patched remote code execution flaw (CVE-2018-15961) affecting Adobe ColdFusion has been exploited in the wild.

Security experts from Volexity reported that attackers are exploiting a recently patched remote code execution vulnerability in Adobe ColdFusion.

The flaw, tracked as CVE-2018-15961, is an unrestricted file upload vulnerability; successful exploitation can lead to arbitrary code execution.

The vulnerability was reported by Pete Freitag of Foundeo and addressed in September by Adobe (security bulletin APSB18-33).

Researchers from Volexity uncovered a China-based APT group exploiting the vulnerability to upload the China Chopper webshell to a vulnerable server.

The analysis of the hacked server revealed that it had all ColdFusion updates installed except for the CVE-2018-15961 fix. The attackers exploited the flaw only a couple of weeks after Adobe released the security patches.

“In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell.” reads the advisory published by Volexity.

“The target server was missing a single update from Adobe that had been released just two weeks earlier.”

According to the experts, the flaw was introduced when Adobe replaced the FCKeditor WYSIWYG editor with CKEditor.

In order to exploit the flaw, an attacker has to send a specially crafted HTTP POST request to the upload.cfm file, which is not restricted and does not require any authentication.

Experts noticed that while the new CKEditor prevents users from uploading potentially dangerous files, such as .exe and .php, it still allows .jsp files to be uploaded.

The APT group exploited this flaw to upload a JSP version of the China Chopper webshell.

“Volexity observed the APT group exploit CVE-2018-15961 in order to upload the JSP version of China Chopper and execute commands on the impacted web server before being cut off.” continues the analysis.

“The APT group observed by Volexity identified that Adobe did not include the .jsp file extension in the default configuration, which was problematic because ColdFusion allows .jsp files to be actively executed. The attackers also identified a directory modification issue through the ‘path’ form variable that allowed them to change the directory to where uploaded files would be placed. This means that even if the .jsp file extension had been on the block list, the attackers could have placed another script or executable file somewhere on the system in an attempt to compromise it (likely during startup following reboot). The .jsp file extension was added to the default list of disallowed files (shown above) during the update from Adobe; the path modification issue was also addressed.”
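As an added defensive example (not from the article or from Volexity's advisory), the following Python script scans web-server access-log lines for the pattern described above: an unauthenticated POST to upload.cfm followed by requests to a .jsp file from the same client. The log lines and the endpoint path are constructed placeholders; the real location of the CKEditor upload.cfm in a deployment is not taken from this page.

```python
import re

# Constructed sample access-log lines (Apache combined style). The upload.cfm
# path is a placeholder, not the real ColdFusion/CKEditor location.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Sep/2018:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Sep/2018:10:01:09 +0000] "POST /PLACEHOLDER/ckeditor/upload.cfm HTTP/1.1" 200 90 "-" "python-requests/2.19"
203.0.113.5 - - [20/Sep/2018:10:01:15 +0000] "POST /uploads/cmd.jsp HTTP/1.1" 200 340 "-" "python-requests/2.19"
198.51.100.7 - - [20/Sep/2018:10:02:00 +0000] "GET /about.cfm HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze(log_text):
    """Return (client_ip, reason, url) findings for CVE-2018-15961-style activity."""
    findings = []
    uploaders = set()  # clients whose POST to upload.cfm was accepted (HTTP 200)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, url, status = m["ip"], m["method"], m["url"], int(m["status"])
        path = url.split("?", 1)[0].lower()
        # 1) The endpoint needs no authentication, so every POST to it is worth review.
        #    Note: the 'path' form variable travels in the POST body, so access logs
        #    alone cannot show it; request-body logging or a WAF is needed for that.
        if method == "POST" and path.endswith("/upload.cfm"):
            findings.append((ip, "POST to CKEditor upload.cfm", url))
            if status == 200:
                uploaders.add(ip)
        # 2) The same client then requesting a .jsp matches a freshly dropped webshell in use.
        elif path.endswith(".jsp") and ip in uploaders:
            findings.append((ip, "JSP requested after upload.cfm POST", url))
        # 3) A ColdFusion host serving any .jsp at all is unusual enough to flag on its own.
        elif path.endswith(".jsp") and status == 200:
            findings.append((ip, "JSP served", url))
    return findings


if __name__ == "__main__":
    for ip, reason, url in analyze(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{url}")
```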

After identifying the attacks carried out by the Chinese APT, Volexity examined several ColdFusion servers exposed online and found that many of them appeared to have been compromised.

The servers belong to state government, educational, healthcare, and humanitarian aid organizations, and each of them had either been defaced or showed evidence of attempts to upload a webshell.

It is not clear whether the attackers exploited CVE-2018-15961 to hack them; however, based on the placement of the files on the affected servers, Volexity believes that a non-APT actor may have exploited the flaw prior to September 11, 2018, likely in early June.

Experts noticed that some of the defaced websites included messages attributed to AnoaGhost, an Indonesian hacktivist group linked to a pro-ISIS hacktivist group.

Let’s close with a curiosity: the CVE-2018-15961 flaw was initially underestimated. Adobe assigned it a priority rating of “2” due to the low likelihood of exploitation, but in late September raised the priority to “1”.

Pierluigi Paganini