COMMAND

    Cold Fusion

SYSTEMS AFFECTED

    Cold Fusion 5.0

PROBLEM

    Eric Lackey found the following.  The bug happens only on Linux.
    Most of the time, using the CFRETHROW tag in Cold Fusion 5.0 will
    cause the server to crash with the message:

        Error Diagnostic Information
        An error occurred while attempting to establish a connection to the server.

        The most likely cause of this problem is that the server is not
        currently running.  Verify that the server is running and restart
        it if necessary.

        Unix error number 2 occurred: No such file or directory

    When this happens,  the Cold Fusion  server core dumps  its memory
    into a  core file  in the  /$installdir/coldfusion/logs directory.
    By using  the strings  command on  this file,  anyone can  see all
    memory  used  by  Cold  Fusion  before  the  server  crashed.  All
    encrypted and unencrypted  tags that the  cf server was  using can
    be seen in clear text in this core dump.
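    The check a practitioner would want here is whether any such core
    file already exists, whether it contains CFML, and whether other
    local users could read it.  The following script is an added
    example and is not part of the original advisory or of Cold Fusion;
    the install path /opt/coldfusion/logs and the sample core contents
    are assumptions.  It reimplements the strings(1) pass with tr and
    grep so it runs where binutils is absent, counts lines carrying a
    CFML tag, and flags a world-readable logs directory.

```shell
#!/bin/sh
# Added example (not part of the original advisory): find core files that
# ColdFusion left in its logs directory and report how many CFML tag lines
# they expose, using a strings-like pass that needs no binutils.
# The install path and the sample core contents below are assumptions.

CF_LOGS="${CF_LOGS:-/opt/coldfusion/logs}"   # hypothetical install dir

# strings(1) equivalent: turn every non-printable byte into a line break and
# keep runs of four or more printable characters.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Lines from a core file that contain a CFML tag (<CFSET, <CFQUERY, ...).
cfml_in_core() {
    extract_strings "$1" | grep -iE '<CF[A-Z_]+'
}

# Number of such lines; prints "0" when nothing leaked.
count_cfml_tags() {
    cfml_in_core "$1" | wc -l | tr -d ' '
}

# True when the directory is readable by "other" users, i.e. any local
# account could read a core dump left there (8th char of ls -ld output).
dir_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# True when the current shell would still write a core file on a crash.
core_dumps_enabled() {
    [ "$(ulimit -c)" != "0" ]
}

# Scan one logs directory for core / core.<pid> files.
scan_logs_dir() {
    for f in "$1"/core "$1"/core.*; do
        [ -f "$f" ] || continue
        printf '%s: %s CFML tag line(s)\n' "$f" "$(count_cfml_tags "$f")"
    done
    if dir_world_readable "$1"; then
        printf 'warning: %s is world-readable\n' "$1"
    fi
}

# Constructed sample: binary padding around two leaked tags, standing in for
# a real core dump.
make_sample_core() {
    {
        printf '\001\002\003garbage\377\376'
        printf '<CFSET secret="hunter2">\000\000'
        printf '<CFQUERY NAME="q" DATASOURCE="db">SELECT 1</CFQUERY>\004'
    } > "$1"
}

# Stand-alone run: "--demo" builds the sample in a temp dir and scans it;
# otherwise the real (assumed) logs directory is scanned.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_core "$tmp/core"
    scan_logs_dir "$tmp"
    rm -rf "$tmp"
else
    if core_dumps_enabled; then
        echo "core dumps are enabled (ulimit -c = $(ulimit -c))"
    fi
    if [ -d "$CF_LOGS" ]; then
        scan_logs_dir "$CF_LOGS"
    fi
fi
```

    Run it with --demo to see the two leaked tags reported from the
    constructed sample; without arguments it checks the live logs
    directory.  Restricting the logs directory to the server account
    and running the server with core dumps disabled (ulimit -c 0) limit
    what a crash can expose, even though neither stops the crash itself.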

    This vulnerability can be  easily reproduced by using  Cold Fusion
    5 and two Cold Fusion templates.

    Create two files, file1.cfm and file2.cfm.  Within file1.cfm put
    the following code.

        <CFTRY>
                <CFINCLUDE TEMPLATE="file2.cfm">
                <CFCATCH TYPE="Any">
                        <!--- Call encrypted tag or include template here --->
                        <CFRETHROW>
                </CFCATCH>
        </CFTRY>

    Within file2.cfm put the following code.

        <CFTHROW MESSAGE="TEST">

    Call any custom tag or template that you want to see in clear text
    right after the CFCATCH tag.  Then request file1.cfm from a web
    browser and the server should crash.  It might take a couple of
    refreshes to make the server crash.

    This lets anyone who can run CFML on the server and read the
    resulting core file recover any Cold Fusion encrypted tag in clear
    text.

    The issue is not a generalized vulnerability that can be exploited
    with a browser, but rather a bug on a specific platform.  The root
    cause of the CFRETHROW crash is an object-code generation bug in
    the Linux EGCS 1.1.2 C++ compiler.  This compiler is used to build
    ColdFusion 4.5 and 5.0, and the bug concerns the code generated for
    C++ exception throwing and handling.  It causes the internal
    exception used to implement the CFML CFRETHROW tag to exit the
    application process, aborting the ColdFusion Server.

    The use of the term "attacker" is misleading in this case, as this
    person must first be  authorized to write ColdFusion  code (CFML),
    write OS files that have execution privilege under the web  server
    root directory,  and be  able to  place it  into operation  on the
    target server system.   Again, no vulnerability  is exposed via  a
    browser.

SOLUTION

    Macromedia documented the problem with CFRETHROW on Linux, and
    spent a great deal of effort to isolate and work around the issue,
    testing pre-release Linux compiler releases and beta patches, but
    unfortunately these were unsuccessful in eliminating the issue.
    They were faced with the decision of not shipping a Linux product,
    or shipping with this known flaw, which was beyond their control
    to fix.  They decided to ship the Linux product and document this
    flaw in the Knowledge Base Article:

        http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full

    To reiterate, the "attack" is not dissimilar in nature to writing
    an endless loop, which can be accomplished in any language where
    code is executed on the server, regardless of programming
    language.  The definition of "attacker" in this context is any
    developer who has contributed web application code that runs on
    the server.

    Advice is that ColdFusion  application developers not give  a copy
    of  their  source  code  to  untrustworthy  persons, whether it is
    encrypted or not.