DoS in Macromedia ColdFusion MX Server

Vendor: Macromedia
Product Affected: ColdFusion MX Server 6.1 and prior
Type: Denial of Service
Severity: Medium-High

I. Description

ColdFusion MX is the solution for building and deploying powerful web applications and web services. Using the proven tag-based scripting and built-in services in ColdFusion MX, web application developers can easily harness the power of the Java platform without the complexity. Available for stand-alone installation or for deployment on industry-leading J2EE application servers, ColdFusion enables over 10,000 customers and hundreds of thousands of developers worldwide to deliver powerful web applications in record time.

I.i. Vulnerability Details

First of all, the intruder would need physical access to the PC in order to gather a physical memory dump. Moreover, Cryptainer would need to be running, either with the encrypted volume loaded or unloaded. This, however, is not so uncommon. On the other hand, it is precisely in the event of a physical intrusion that one needs the encryption software to protect one's data. Therefore, the physical access event must be assumed to have occurred. The estimated probability of a compromise is then that of Cryptainer running in the System Tray and the user having used the software at least once.

II. Impact

When memory usage climbs, genuine requests can no longer be handled. Attempts to stop and restart the ColdFusion server using the Windows Services applet or the cfstop.bat script fail. During our tests, the only way to recover from the attack was to restart the server.

II.i. Exploit Details

To exploit this vulnerability, the attacker needs to induce an error in the processing of a CFM page. This can be done by supplying a long string (we needed about 2 to 3 MB of data) to a function that does not handle that data type or that length. For instance, we induced the error by passing the string to the DateFormat() function, which formats the supplied string as a date value in the specified format. Ten such requests cause the ColdFusion server to hang completely and require a manual reboot. Another way to induce this error is to upload a malicious CFM page containing code such as:

**Start of code**
<!--- Build a long string, then hand it to DateFormat(), which expects a date --->
<cfset longstr = RepeatString("IpsumLorem", 4000)>
<cfset the_date = DateFormat(longstr)>
<cfoutput>#the_date#</cfoutput>
**End of code**

This is a realistic scenario for a web-hosting company that provides shared hosting to multiple clients. A malicious user could try to disable the hosting company's servers by uploading this page and requesting it a dozen times from a browser.
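For application developers on a shared host who cannot control the server patch level, the page-level mitigation is to never hand untrusted input to DateFormat() without first bounding its length and checking that it parses as a date. The following is an added example written for this advisory, not code from the original report or from Macromedia; the URL parameter name `d` and the 32-character limit are assumptions chosen for illustration:

```cfml
<!--- Added example: bound and validate untrusted input before DateFormat() --->
<!--- The parameter name "d" and the 32-character limit are assumed for this example --->
<cfparam name="url.d" default="">
<cfset maxInputLen = 32>

<!--- Reject oversized input first, so that no date function ever sees a multi-megabyte string --->
<cfif Len(url.d) GT maxInputLen>
    <cfset the_date = "invalid">
<!--- Only values that ColdFusion recognises as dates reach DateFormat() --->
<cfelseif IsDate(url.d)>
    <cfset the_date = DateFormat(url.d, "yyyy-mm-dd")>
<cfelse>
    <cfset the_date = "invalid">
</cfif>

<!--- Encode on output so the reflected value cannot carry markup back to the browser --->
<cfoutput>#HTMLEditFormat(the_date)#</cfoutput>
```

The length check runs before IsDate() on purpose: the advisory's trigger is an oversized error string, so the cheap length test must be the first thing that touches the input, and the date parser only ever sees short values.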

III. Vendor Response

The vendor has patched this bug in the current release of the software, ColdFusion MX Server 6.1, which is available as a free upgrade to existing users. In the new version, the length of the error string is limited to 256 bytes.

Workaround

If upgrading the server is not immediately feasible, you can create your own error-reporting template and set it on the ColdFusion Administrator "Settings" page as the "Site-wide Error Handler"; with such a handler in place, memory consumption stays moderate. You must ensure that the customized error page does not include the string that caused the error.
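A minimal site-wide error handler that satisfies this requirement follows. It is an added example written for this advisory, not a template shipped with ColdFusion or supplied by the original authors; it assumes the standard `error` scope variables available to a site-wide error handler (`error.message`, `error.template`, `error.remoteAddress`, `error.dateTime`) and uses a 256-byte cap mirroring the vendor fix. The log file name `sitewide_errors` is an assumption.

```cfml
<!--- Added example: site-wide error handler that never echoes the offending string --->
<!--- Register under ColdFusion Administrator -> Settings -> Site-wide Error Handler --->
<cfsetting enablecfoutputonly="yes">

<!--- Cap the error text before anything else touches it; 256 mirrors the vendor's fix --->
<cfset maxLen = 256>
<cfset shortMessage = Left(error.message, Min(Len(error.message), maxLen))>

<!--- Log only the truncated message, the failing template and the client address --->
<cflog file="sitewide_errors" type="error"
       text="template=#error.template# client=#error.remoteAddress# msg=#shortMessage#">

<!--- Generic response: no error.message, no error.diagnostics, no request data --->
<cfoutput>
<html>
<head><title>Error</title></head>
<body>
<h1>An error occurred</h1>
<p>The request could not be processed. The problem has been logged.</p>
<p>Time: #DateFormat(error.dateTime, "yyyy-mm-dd")# #TimeFormat(error.dateTime, "HH:mm:ss")#</p>
</body>
</html>
</cfoutput>
```

Two properties matter here: the truncation happens at the top, before the message is concatenated into a log line or any output, and the HTML body never references `error.message` or `error.diagnostics` at all, so an oversized input cannot be reflected regardless of how the rest of the template evolves.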

Disclaimer

The information contained in this advisory is copyright (c) 2004 Network Intelligence India Pvt. Ltd. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.