[NEWS] ColdFusion MX Oversize Error Message DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 04/18/04

    To: list@securiteam.com
    Date: 18 Apr 2004 18:21:25 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ColdFusion MX Oversize Error Message DoS
    ------------------------------------------------------------------------

    SUMMARY

    ColdFusion MX "is the solution for building and deploying powerful web
    applications and web services. Using the proven tag-based scripting and
    built-in services in ColdFusion MX, web application developers can easily
    harness the power of the Java platform without the complexity. Available
    for stand-alone installation or for deployment on industry-leading J2EE
    application servers, ColdFusion enables over 10,000 customers and hundreds
    of thousands of developers worldwide to deliver powerful web applications
    in record time".

    When the ColdFusion MX Server attempts to write an error message that
    contains an oversized string, the server's memory usage rises sharply and
    stays high until the server finishes writing the error message. The
    message is written both to a web page and to ColdFusion's Application.log
    file. If this error is induced repeatedly, all of the memory on the server
    is used up and a Java out-of-memory condition occurs. This was tested by
    inducing the error ten times in a row.

    DETAILS

    Vulnerable Systems:
     * ColdFusion MX version 6.0 and prior

    Immune Systems:
     * ColdFusion MX version 6.1 or newer

    Impact:
    Once memory usage is high, genuine requests can no longer be handled.
    Attempts to stop and restart the ColdFusion server using the Windows
    Services applet or the cfstop.bat script fail. During our tests, the only
    way to recover from the attack was to restart the server.

    Exploitation:
    To exploit this vulnerability, the attacker needs to induce an error in
    the processing of a CFM page. One way is to supply a long string (we
    needed about 2-3 MB) of data in a GET or POST request to a function that
    does not handle that data type or that length. For instance, this error
    was induced by passing the string to the DateFormat() function, which
    formats the supplied value as a date in the specified format. Ten such
    requests cause the ColdFusion server to hang completely and require a
    manual reboot. Another way of inducing the error is to upload a malicious
    CFM page containing code such as:

    **Start of code**
    <!--- Build a 400,000-character string (40 characters repeated 10,000 times) --->
    <cfset longstr = RepeatString("1234567890123456789012345678901234567890", 10000)>
    <!--- DateFormat() cannot parse it and echoes the whole string into the error message --->
    <cfset the_date = DateFormat(longstr)>
    <cfoutput>#the_date#</cfoutput>
    **End of code**

    This is a feasible scenario for a web-hosting company that provides shared
    hosting services to multiple clients. A malicious user of the service may
    try to disable the web-hosting company's servers by uploading this page,
    and accessing it a dozen times from his browser.

    Vendor Response:
    The vendor assigned CFMX bug #51267 to this issue and has fixed it in the
    current release of the software, ColdFusion MX Server 6.1, which is
    available as a free upgrade to existing users. In the new version, the
    length of the error string is limited to 256 bytes.

    Workaround:
    If upgrading the server is not feasible immediately, you can create your
    own error reporting template and set it in the ColdFusion Administrator
    "Settings" page as the "Site-wide Error Handler"; with such a handler the
    memory consumption is moderate. You must ensure that the customized error
    page does not output the string that caused the error.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cto@nii.co.in> K. K.
    Mookhey.


