cold fusion 5.0 cfrethrow exploit

From: Eric Lackey (eric@isdn.net)
Date: 07/31/01


Message-ID: <01B712429915D511803600A0C99AB3A7057FA8@isdnnt02.office.isdn.net>
From: Eric Lackey <eric@isdn.net>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Subject: cold fusion 5.0 cfrethrow exploit
Date: Mon, 30 Jul 2001 22:19:38 -0500

Vulnerable:
  Cold Fusion 5.0

Invulnerable:
  Versions of Cold Fusion below 5.0 do not seem to have the same problem.
  
OS:
Only tried on RedHat Linus 2.4.2-2 #1

Allaire reports a Cold Fusion bug that can be found at this address:
http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full. The bug
happens only on Linux. The text from the bug report is below.

The CFRETHROW tag causes a server restart on Linux.

You can work around this problem by using a CFTHROW tag:
======================================================

Most of the time using the cfrethrow tag in Cold Fusion 5.0 will cause the
server to crash with the message:

Error Diagnostic Information
An error occurred while attempting to establish a connection to the server.

The most likely cause of this problem is that the server is not currently
running. Verify that the server is running and restart it if necessary.

Unix error number 2 occurred: No such file or directory
 
When this happens, the Cold Fusion server core dumps its memory into a core
file in the /$installdir/coldfusion/logs directory. By using the strings
command on this file, anyone can see all memory used by Cold Fusion before
the server crashed. All encrypted and unencrypted tags that the cf server
was using can be seen in clear text in this core dump.

This vulnerability can be easily reproduced by using Cold Fusion 5 and two
Cold Fusion templates.

Create two files, file1.cfm and file2.cfm. Within file1.cfm put the
following code.

--------------------------
<CFTRY>
        <CFINCLUDE TEMPLATE="test2.cfm">
        <CFCATCH>
                Call encrypted tag or include template here
                <CFRETHROW>
        </CFCATCH>
</CFTRY>
--------------------------

Within file2.cfm put the following code.

--------------------------
<CFTHROW MESSAGE="TEST">
--------------------------

Call any custom tag or template that you want to see in clear text right
after the cfcatch tag. Then call test.cfm from a web browser and the server
should then crash. It might take a couple of refreshes to make the server
crash.

This vulnerability will allow anyone to view any Cold Fusion encrypted tags.
I am aware of another program identified on Bugtraq that gives anyone the
ability to decrypt encrypted tags. I thought some might be interested that
there is another exploit.

----------------------------
Eric Lackey
ISDN-Net Operations
eric@isdn.net

 



Relevant Pages

  • RE: cold fusion 5.0 cfrethrow exploit
    ... cold fusion 5.0 cfrethrow exploit ... ColdFusion Server 5 for Linux related to the CFRETHROW CFML language ...
    (Bugtraq)
  • RE: cold fusion 5.0 cfrethrow exploit
    ... cold fusion 5.0 cfrethrow exploit ... The CFRETHROW tag causes a server restart on Linux. ...
    (Bugtraq)
  • Re: Client HTTP Status 12031. Server IIS Log 400 w/ Win32 status 121
    ... Moving away from WinInet usage on the server is always a good idea -- it was ... we focused our efforts on the client side of things ... client servers and workstations which had us going as to why the cold fusion ... the COM component was changed to use a server post method instead ...
    (microsoft.public.inetserver.iis)
  • Re: Slow Query Through Cold Fusion
    ... I turned on debugging info for Cold Fusion and the query itslef is ... According to the CF server, it is taking about 950 ms total to execute ... When I access the same data via a Cold Fusion ... > RBollinger ...
    (comp.databases.ms-sqlserver)