Network Intelligence Advisory - Denial of Service Vulnerability in ColdFusion MX

From: K. K. Mookhey (cto_at_nii.co.in)
Date: 04/17/04

    To: <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
    Date: Sat, 17 Apr 2004 17:55:42 +0530

    Name: Denial of Service Vulnerability in ColdFusion MX
    Systems Affected: Version 6.0 and earlier
    Severity: Medium-High
    Category: Denial of Service
    Vendor URL: Macromedia ColdFusion MX
    Discovered by: Network Intelligence (I) Pvt. Ltd. (www.nii.co.in)
    Online location: http://www.nii.co.in/vuln/cfdos.html

    Description
    ===========
    ColdFusion MX is the solution for building and deploying powerful web
    applications and web services. Using the proven tag-based scripting and
    built-in services in ColdFusion MX, web application developers can easily
    harness the power of the Java platform without the complexity. Available for
    stand-alone installation or for deployment on industry-leading J2EE
    application servers, ColdFusion enables over 10,000 customers and hundreds
    of thousands of developers worldwide to deliver powerful web applications in
    record time.

    Vulnerability Details
    =====================
    When the ColdFusion MX Server attempts to write an error message with an
    oversized string as part of the error message, the server's memory usage
    shoots up and stays there until the server completes writing the error
    message. This message is written on to a web page, as well as into
    ColdFusion's Application.log file. If this error is induced repeatedly, the
    entire memory on the server is used up and a Java out-of-memory condition
    occurs. We tested this by inducing the error ten times in a row.

    Impact
    ======
    When the memory usage goes high, genuine requests can no longer be handled.
    Attempts to stop and restart the ColdFusion server using the Windows
    Service's applet or the cfstop.bat script fail. During our tests, the only
    way to get out of the attack was to restart the server.

    Exploitation
    ============
    To exploit this vulnerability, the attacker would need to induce an error in
    the processing of the CFM pages. One way to do this is to supply a long
    string (we needed about 2-3 MB) of data in a GET or POST request to a
    function that does not handle that data type or that length. For instance,
    this error was induced by supplying the string to the DateFormat() function,
    which formats the supplied string into a date value of the specified format.
    Ten such requests will cause the ColdFusion server to completely hang and
    require a manual reboot. Another method of inducing this error is for
    someone to upload a malicious CFM page which contains code such as:

    **Start of code**
    <cfset
    longstr = RepeatString("1234567890123456789012345678901234567890", 10000)
    >
    <cfset the_date = #DateFormat(longstr)#>
    <cfoutput>#the_date#</cfoutput>
    **End of code**

    This is a feasible scenario for a web-hosting company that provides shared
    hosting services to multiple clients. A malicious user of the service may
    try to disable the web-hosting company's servers by uploading this page and
    accessing it a dozen times from his browser.

    Vendor Response
    ===============
    The vendor has assigned CFMX bug #51267 to this issue and has patched it in
    the current latest release of the software, ColdFusion MX Server 6.1, which
    is available as a free upgrade to existing users. In the new version, the
    length of the error string is limited to 256 bytes.

    Workaround
    ==========
    If upgrading the server is not feasible immediately, you can create your
    own error reporting template and register it in the ColdFusion
    Administrator "Settings" page as the "Site-wide Error Handler"; with a
    custom handler in place the memory consumption stays moderate. You must
    ensure that the customized error page does not output the string that
    caused the error.
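
    The following site-wide error handler template is an added example written
    for this advisory's workaround; it is not code from the advisory or from
    Macromedia. It uses the standard `error` scope variables that ColdFusion
    exposes to a site-wide error handler (`error.message`, `error.diagnostics`,
    `error.template`, `error.remoteAddress`, `error.dateTime`) and truncates the
    error text with Left() before it is logged or displayed, so the oversized
    string is never written to the page or to a log file. The 256-character
    limit mirrors the vendor's fix; the limit, the log file name `SiteErrors`
    and the page wording are assumptions of this example.

```cfml
<!--- Site-wide error handler (added example, not from the advisory).
      Register this file under Settings > "Site-wide Error Handler" in the
      ColdFusion Administrator. It never echoes the raw error string. --->

<!--- Constructed limit: matches the 256-byte cap the vendor applied in
      ColdFusion MX 6.1 --->
<cfset maxLen = 256>

<!--- error.message and error.diagnostics may carry the oversized
      user-supplied value that triggered the exception; Left() keeps only
      a bounded prefix of each --->
<cfset shortMsg = Left(error.message, maxLen)>
<cfset shortDiag = Left(error.diagnostics, maxLen)>

<!--- Write a bounded record for the operator instead of letting the
      default handler dump the whole message into Application.log.
      "SiteErrors" is an assumed log file name. --->
<cflog file="SiteErrors"
       type="error"
       text="#error.template# from #error.remoteAddress#: #shortMsg# | #shortDiag#">

<!--- Discard any partially generated content and show a generic page.
      Nothing from the request or the exception text is echoed here. --->
<cfcontent reset="true">
<cfoutput>
<html>
<body>
<h1>Request could not be processed</h1>
<p>An error occurred at #error.dateTime#. Please try again later.</p>
</body>
</html>
</cfoutput>
```

    Note that this bounds what the custom handler writes; it does not reduce
    the size of the incoming request itself, so the upgrade to 6.1 remains the
    actual fix.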

    Disclaimer
    ==========
    The information contained in this advisory is copyright (c) 2004 Network
    Intelligence India Pvt. Ltd. (www.nii.co.in). This advisory may be
    redistributed, provided that no fee is assigned and that the advisory is
    not modified in any way.

    About us
    ========
    Network Intelligence is a security consulting firm specializing in
    vulnerability research, application security audits, penetration testing,
    intrusion detection & analysis, BS7799 consulting, and overall information
    assurance services. More information about our list of security services
    is at http://www.nii.co.in/services.html. We also have our range of
    security auditing products for Windows, Oracle and SQL Server. More
    information on these products is available at
    http://www.nii.co.in/products.html

