Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: cold fusion 5.0 cfrethrow exploit

From: Jesse Noller <jnoller () macromedia com>
Date: Thu, 2 Aug 2001 15:57:13 -0400 

        The Macromedia Security Response Team would like to respond to
recent emails circulating regarding a possible new vulnerability in
ColdFusion Server 5 for Linux related to the CFRETHROW CFML language
element.  The issue is not a generalized vulnerability that can be exploited
with a browser, but rather a bug on a specific platform. Details below:

        The root cause of the CFRETHROW exception is actually a Linux EGCS
1.1.2 C++ compiler object-code generation bug. This compiler is used to
build ColdFusion 4.5 and 5.0, and the bug is related to C++ exception
throwing and handling object code generation.  This bug causes the internal
exception used to support the CFML CFRETHROW tag to exit the application
process, aborting the ColdFusion Server.  

        The use of the term "attacker" is misleading in this case, as this
person must first be authorized to write ColdFusion code (CFML), write OS
files that have execution privilege under the web server root directory, and
be able to place it into operation on the target server system.  Again, no
vulnerability is exposed via a browser.  We documented the problem with
CFRETHROW on Linux, and spent a great deal of effort to isolate and
workaround the issue, testing pre-release Linux compiler releases and beta
patches, but unfortunately these were unsuccessful in eliminating the issue.
We were faced with the decision of not shipping a Linux product, or shipping
with this known flaw, which was beyond in our control to fix.  We decided to
ship the Linux product and document this flaw in the Knowledge Base Article
(http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full) referred to
in the emails.  

        To re-iterate, the "attack" is not dissimilar in nature to writing
an endless loop, which can be accomplished in any language where code is
executed on the server, regardless of programming language.  The definition
of "attacker" in this context is any developer who has contributed web
application code to that runs on the server.

        The examination of the core file is something that anyone who runs a
Unix server with the appropriate file access permissions can do.  Again,
this core file isn't available to an outsider unless the server
administrator takes steps to make it so, and it's not available by default.

        Regarding the "decryption vulnerability", we first published a
bulletin on this topic several years back, located here:
http://www.allaire.com/handlers/index.cfm?ID=10969.  We published the paper
because the decoding mechanism was disclosed on the web, and publicly
available illegal decoding utilities were floating around the Internet. More
detail is contained in the Bulletin link.  Our advice is that ColdFusion
application developers not give a copy of their source code to untrustworthy
persons, whether it is encrypted or not.  

Thanks

Macromedia Security Response Team
secure () macromedia com
http://www.allaire.com/security


========================
Jesse Noller
jnoller () macromedia com



-----Original Message-----
From: Eric Lackey [mailto:eric () isdn net]
Sent: Monday, July 30, 2001 11:20 PM
To: 'bugtraq () securityfocus com'
Subject: cold fusion 5.0 cfrethrow exploit


Vulnerable: 
  Cold Fusion 5.0

Invulnerable:
  Versions of Cold Fusion below 5.0 do not seem to have the same problem.
  
OS:
Only tried on RedHat Linus 2.4.2-2 #1

Allaire reports a Cold Fusion bug that can be found at this address:
http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full.  The bug
happens only on Linux.  The text from the bug report is below.

The CFRETHROW tag causes a server restart on Linux.

You can work around this problem by using a CFTHROW tag:
======================================================

Most of the time using the cfrethrow tag in Cold Fusion 5.0 will cause the
server to crash with the message:

Error Diagnostic Information
An error occurred while attempting to establish a connection to the server.

The most likely cause of this problem is that the server is not currently
running. Verify that the server is running and restart it if necessary. 

Unix error number 2 occurred: No such file or directory
 
When this happens, the Cold Fusion server core dumps its memory into a core
file in the /$installdir/coldfusion/logs directory.  By using the strings
command on this file, anyone can see all memory used by Cold Fusion before
the server crashed.  All encrypted and unencrypted tags that the cf server
was using can be seen in clear text in this core dump.  

This vulnerability can be easily reproduced by using Cold Fusion 5 and two
Cold Fusion templates.

Create two files, file1.cfm and file2.cfm.  Within file1.cfm put the
following code.

--------------------------
<CFTRY>
        <CFINCLUDE TEMPLATE="test2.cfm">
        <CFCATCH>
                Call encrypted tag or include template here
                <CFRETHROW>
        </CFCATCH>
</CFTRY>
--------------------------

Within file2.cfm put the following code.

--------------------------
<CFTHROW MESSAGE="TEST">
--------------------------

Call any custom tag or template that you want to see in clear text right
after the cfcatch tag.  Then call test.cfm from a web browser and the server
should then crash.  It might take a couple of refreshes to make the server
crash.

This vulnerability will allow anyone to view any Cold Fusion encrypted tags.
I am aware of another program identified on Bugtraq that gives anyone the
ability to decrypt encrypted tags.  I thought some might be interested that
there is another exploit.

----------------------------
Eric Lackey
ISDN-Net Operations
eric () isdn net
Previous By Date Next
Previous By Thread Next

Current thread: