6837223 2001-08-02 15:57 -0400  /153 lines/ Jesse Noller <jnoller@macromedia.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-02  22:50  by Brevbäraren
External recipient: 'Eric Lackey' <eric@isdn.net>
External recipient: 'bugtraq@securityfocus.com' <bugtraq@securityfocus.com>
External cc recipient: 'cf-talk@houseoffusion.com' <cf-talk@houseoffusion.com>
External cc recipient: 'cf-linux@houseoffusion.com' <cf-linux@houseoffusion.com>
Recipient: Bugtraq (import) <18603>
Subject: RE: cold fusion 5.0 cfrethrow exploit
------------------------------------------------------------
From: Jesse Noller <jnoller@macromedia.com>
To: 'Eric Lackey' <eric@isdn.net>,
 "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Cc: "'cf-talk@houseoffusion.com'" <cf-talk@houseoffusion.com>,
 "'cf-linux@houseoffusion.com'" <cf-linux@houseoffusion.com>
Message-ID: <77BB70951145D511BAD800508B9587B2585824@S0001EXC0007>


	The Macromedia Security Response Team would like to respond
to recent emails circulating regarding a possible new vulnerability
in ColdFusion Server 5 for Linux related to the CFRETHROW CFML
language element.  The issue is not a generalized vulnerability that
can be exploited with a browser, but rather a bug on a specific
platform. Details below:

	The root cause of the CFRETHROW exception is actually a Linux
EGCS 1.1.2 C++ compiler object-code generation bug. This compiler is
used to build ColdFusion 4.5 and 5.0, and the bug is related to C++
exception throwing and handling object code generation.  This bug
causes the internal exception used to support the CFML CFRETHROW tag
to exit the application process, aborting the ColdFusion Server.

	The use of the term "attacker" is misleading in this case, as this
person must first be authorized to write ColdFusion code (CFML),
write OS files that have execution privilege under the web server
root directory, and be able to place it into operation on the target
server system.  Again, no vulnerability is exposed via a browser.  We
documented the problem with CFRETHROW on Linux, and spent a great
deal of effort to isolate and workaround the issue, testing
pre-release Linux compiler releases and beta patches, but
unfortunately these were unsuccessful in eliminating the issue.  We
were faced with the decision of not shipping a Linux product, or
shipping with this known flaw, which was beyond our control to
fix.  We decided to ship the Linux product and document this flaw in
the Knowledge Base Article
(http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full)
referred to in the emails.

	To reiterate, the "attack" is not dissimilar in nature to writing
an endless loop, which can be accomplished in any language where code
is executed on the server, regardless of programming language.  The
definition of "attacker" in this context is any developer who has
contributed web application code that runs on the server.

	The examination of the core file is something that anyone who
runs a Unix server with the appropriate file access permissions can
do.  Again, this core file isn't available to an outsider unless the
server administrator takes steps to make it so, and it's not
available by default.

	Regarding the "decryption vulnerability", we first published
a bulletin on this topic several years back, located here:
http://www.allaire.com/handlers/index.cfm?ID=10969.  We published the
paper because the decoding mechanism was disclosed on the web, and
publicly available illegal decoding utilities were floating around
the Internet. More detail is contained in the Bulletin link.  Our
advice is that ColdFusion application developers not give a copy of
their source code to untrustworthy persons, whether it is encrypted
or not.

Thanks

Macromedia Security Response Team
secure@macromedia.com
http://www.allaire.com/security


========================
Jesse Noller
jnoller@macromedia.com



-----Original Message-----
From: Eric Lackey [mailto:eric@isdn.net]
Sent: Monday, July 30, 2001 11:20 PM
To: 'bugtraq@securityfocus.com'
Subject: cold fusion 5.0 cfrethrow exploit


Vulnerable: 
  Cold Fusion 5.0

Invulnerable:
  Versions of Cold Fusion below 5.0 do not seem to have the same problem.
  
OS:
  Only tried on RedHat Linux 2.4.2-2 #1

Allaire reports a Cold Fusion bug that can be found at this address:
http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full.  The
bug happens only on Linux.  The text from the bug report is below.

The CFRETHROW tag causes a server restart on Linux.

You can work around this problem by using a CFTHROW tag:
======================================================

Most of the time using the cfrethrow tag in Cold Fusion 5.0 will
cause the server to crash with the message:

Error Diagnostic Information An error occurred while attempting to
establish a connection to the server.

The most likely cause of this problem is that the server is not
currently running. Verify that the server is running and restart it
if necessary.

Unix error number 2 occurred: No such file or directory
 
When this happens, the Cold Fusion server core dumps its memory into
a core file in the /$installdir/coldfusion/logs directory.  By using
the strings command on this file, anyone can see all memory used by
Cold Fusion before the server crashed.  All encrypted and unencrypted
tags that the cf server was using can be seen in clear text in this
core dump.

This vulnerability can be easily reproduced by using Cold Fusion 5 and two
Cold Fusion templates.

Create two files, file1.cfm and file2.cfm.  Within file1.cfm put the
following code.

--------------------------
<CFTRY>
        <!--- Include the second template, file2.cfm as described below, which throws --->
        <CFINCLUDE TEMPLATE="file2.cfm">
        <CFCATCH>
                <!--- Call encrypted tag or include template here --->
                <CFRETHROW>
        </CFCATCH>
</CFTRY>
--------------------------

Within file2.cfm put the following code.

--------------------------
<CFTHROW MESSAGE="TEST">
--------------------------

Call any custom tag or template that you want to see in clear text
right after the cfcatch tag.  Then call test.cfm from a web browser
and the server should then crash.  It might take a couple of
refreshes to make the server crash.

This vulnerability will allow anyone to view any Cold Fusion
encrypted tags.  I am aware of another program identified on Bugtraq
that gives anyone the ability to decrypt encrypted tags.  I thought
some might be interested that there is another exploit.

----------------------------
Eric Lackey
ISDN-Net Operations
eric@isdn.net
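Both posts turn on the same operational point: a crashed ColdFusion process leaves a core file in the logs directory, and that file only becomes a disclosure problem if other users on the host can read it or if it sits somewhere the web server will serve it. The following audit script is an added example written for this archive page; it is not code from either poster or from Allaire/Macromedia. It walks a directory tree, flags core files that are group- or world-readable or that live under the web document root, and runs itself over a constructed throwaway layout (the directory names, the `core.1234` file and the `htdocs/coldfusion/logs` misconfiguration are all invented for the demo).

```python
# Added example (not from either post in this thread): audit a ColdFusion
# host for core files that are readable by others or sit under the web root.
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for a core image; contains no real process memory.
CORE_BYTES = b"\x7fELF constructed core image"


def is_core_file(path: Path) -> bool:
    """Match the usual core-dump names: 'core' or 'core.<pid>'."""
    return path.is_file() and (path.name == "core" or path.name.startswith("core."))


def audit_core_files(search_dir, web_root):
    """Walk search_dir and report each core file with the exposure issues found.

    Returns a list of (path, issues). An empty issues list means the file is
    readable only by its owner and is outside the web server's document root.
    """
    root = Path(web_root).resolve()
    findings = []
    for p in sorted(Path(search_dir).resolve().rglob("core*")):
        if not is_core_file(p):
            continue
        mode = p.stat().st_mode
        issues = []
        if mode & stat.S_IROTH:
            issues.append("world-readable")
        if mode & stat.S_IRGRP:
            issues.append("group-readable")
        # A core under the document root can be fetched with a plain HTTP GET.
        if p == root or root in p.parents:
            issues.append("under web root")
        findings.append((str(p), issues))
    return findings


def build_demo_layout():
    """Construct a throwaway directory tree; every path here is invented."""
    base = Path(tempfile.mkdtemp(prefix="cf-core-audit-"))
    web_root = base / "htdocs"
    logs_dir = base / "coldfusion" / "logs"       # the location the original post names
    exposed = web_root / "coldfusion" / "logs"    # hypothetical misconfiguration
    for d in (web_root, logs_dir, exposed):
        d.mkdir(parents=True)
    safe = logs_dir / "core"
    safe.write_bytes(CORE_BYTES)
    safe.chmod(0o600)       # owner-only, outside the web root: not exposed
    leaked = exposed / "core.1234"
    leaked.write_bytes(CORE_BYTES)
    leaked.chmod(0o644)     # readable by every local user and served by the web server
    return base, web_root


def demo():
    """Run the audit over the constructed layout, keyed by file name."""
    base, web_root = build_demo_layout()
    return {Path(p).name: issues for p, issues in audit_core_files(base, web_root)}


if __name__ == "__main__":
    for name, issues in demo().items():
        print(f"{name}: {', '.join(issues) if issues else 'ok'}")
```

On a real host you would point `audit_core_files` at the ColdFusion install directory and at the web server's document root instead of the constructed layout; the mode-bit checks are what make the difference between the "available only to the administrator" situation the vendor describes and a file any local account, or any browser, can read.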
(6837223) /Jesse Noller <jnoller@macromedia.com>/(Reflowed)