COMMAND
Cold Fusion
SYSTEMS AFFECTED
Cold Fusion 5.0
PROBLEM
Eric Lackey found the following. The bug happens only on Linux.
Most of the time using the cfrethrow tag in Cold Fusion 5.0 will
cause the server to crash with the message:
Error Diagnostic Information
An error occurred while attempting to establish a connection to the server.
The most likely cause of this problem is that the server is not
currently running. Verify that the server is running and restart
it if necessary.
Unix error number 2 occurred: No such file or directory
When this happens, the Cold Fusion server dumps its memory into a
core file in the /$installdir/coldfusion/logs directory. By running
the strings command on this file, anyone who can read it can see
all memory the Cold Fusion server was using before it crashed. All
encrypted and unencrypted tags that the cf server was using appear
in clear text in this core dump.
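An added example for the server administrator, not part of the advisory or of Macromedia's product: a small POSIX shell script that finds core files left in the logs directory described above, tightens their permissions, and shows how to start the server with core dumps disabled so that the memory image is never written. The logs path (CF_LOGS) and the start command passed to disable_core_dumps_for_start are placeholders for the local installation.

```shell
#!/bin/sh
# Added example (not from the advisory). Finds core files left behind by a
# ColdFusion crash, treats them as sensitive data, and shows how to prevent
# them. CF_LOGS is a placeholder for /$installdir/coldfusion/logs.

CF_LOGS="${CF_LOGS:-/opt/coldfusion/logs}"   # placeholder path, adjust locally

# List core files (core, core.1234, ...) directly under the given directory,
# one path per line, sorted. Prints nothing when there are none.
find_core_dumps() {
    dir="$1"
    [ -d "$dir" ] || return 1
    find "$dir" -maxdepth 1 -type f \( -name core -o -name 'core.*' \) 2>/dev/null | sort
}

# Print the number of core files under the directory (0 when none).
count_core_dumps() {
    n=$(find_core_dumps "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Show owner, mode, size and mtime of each core file, then remove world read
# permission. The image contains decrypted CFML, so it is not an ordinary log.
report_core_dumps() {
    dir="$1"
    find_core_dumps "$dir" | while IFS= read -r f; do
        ls -l "$f"
        chmod o-r "$f"
    done
}

# Prevention: set the core-file size limit to 0 in the shell that starts the
# server. The limit is inherited by the server process, so no core file is
# written when the CFRETHROW crash occurs. "$@" is the real start command
# (placeholder: the ColdFusion start script of the local install).
disable_core_dumps_for_start() {
    ulimit -c 0
    "$@"
}

# Usage: CF_CORE_CHECK_RUN=1 sh cf_core_check.sh  reports dumps already on disk.
if [ -n "${CF_CORE_CHECK_RUN:-}" ]; then
    report_core_dumps "$CF_LOGS"
fi
```

The ulimit approach only covers processes started from that shell, and a kernel whose core_pattern pipes dumps to a handler program ignores the limit; check the logs directory regularly rather than relying on the limit alone.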
This vulnerability can be easily reproduced with Cold Fusion 5 and
two Cold Fusion templates.
Create two files, file1.cfm and file2.cfm. Within file1.cfm put
the following code.
  <CFTRY>
    <CFINCLUDE TEMPLATE="file2.cfm">
    <CFCATCH>
      <!--- Call an encrypted tag or include a template here --->
      <CFRETHROW>
    </CFCATCH>
  </CFTRY>
Within file2.cfm put the following code.
  <CFTHROW MESSAGE="TEST">
Call any custom tag or template that you want to see in clear
text right after the CFCATCH tag. Then request file1.cfm from a web
browser and the server should crash. It might take a couple of
refreshes to make the server crash.
This vulnerability will allow anyone to view any Cold Fusion
encrypted tags.
The issue is not a generalized vulnerability that can be exploited
from a browser, but rather a bug on a specific platform. The root
cause of the CFRETHROW crash is a Linux EGCS 1.1.2 C++ compiler
object-code generation bug. This compiler is used to build
ColdFusion 4.5 and 5.0, and the bug lies in the object code it
generates for C++ exception throwing and handling. It causes the
internal exception used to implement the CFML CFRETHROW tag to
exit the application process, aborting the ColdFusion Server.
The use of the term "attacker" is misleading in this case, as this
person must first be authorized to write ColdFusion code (CFML),
be able to write OS files that have execute privilege under the
web server root directory, and be able to place them into
operation on the target server system. Again, no vulnerability is
exposed via a browser.
SOLUTION
Macromedia documented the problem with CFRETHROW on Linux and
spent a great deal of effort to isolate and work around the issue,
testing pre-release Linux compiler releases and beta patches, but
unfortunately these did not eliminate it. They were faced with the
decision of not shipping a Linux product, or shipping with this
known flaw, which was beyond their control to fix. They decided to
ship the Linux product and document the flaw in the Knowledge Base
Article:
http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full
To reiterate, the "attack" is not dissimilar in nature to writing
an endless loop, which can be done in any language where code is
executed on the server. The definition of "attacker" in this
context is any developer who has contributed web application code
that runs on the server.
The advice is that ColdFusion application developers not give a
copy of their source code to untrustworthy persons, whether it is
encrypted or not.