Name: Denial of Service Vulnerability in ColdFusion MX Systems Affected: Version 6.0 and earlier Severity: Medium-High Category: Denial of Service Vendor URL: Macromedia ColdFusion MX Discovered by: Network Intelligence (I) Pvt. Ltd. (www.nii.co.in) Online location: http://www.nii.co.in/vuln/cfdos.html Description ======== ColdFusion MX is the solution for building and deploying powerful web applications and web services. Using the proven tag-based scripting and built-in services in ColdFusion MX, web application developers can easily harness the power of the Java platform without the complexity. Available for stand-alone installation or for deployment on industry-leading J2EE application servers, ColdFusion enables over 10,000 customers and hundreds of thousands of developers worldwide to deliver powerful web applications in record time. Vulnerability Details ============== When the ColdFusion MX Server attempts to write an error message with an oversized string as part of the error message, the server's memory usage shoots up and stays there until the server completes writing the error message. This message is written on to a web page, as well as into ColdFusion's Application.log file. If this error is induced repeatedly, the entire memory on the server is used up and a Java out-of-memory condition occurs. We tested this by inducing the error ten times in a row. Impact ===== When the memory usage goes high, genuine requests can no longer be handled. Attempts to stop and restart the ColdFusion server using the Windows Service's applet or the cfstop.bat script fail. During our tests, the only way to get out of the attack was to restart the server. Exploitation ======== To exploit this vulnerability, the attacker would need to induce an error in the processing of the CFM pages. This could be done either by supplying a long string (we needed about 2-3 MB) of data as a GET or POST request to a function that does not handle that data type or the length. For instance, this error was induced by supplying the string to the DateFormat() function, which formats the supplied string into a date value of the specified format. Ten such requests will cause the ColdFusion server to completely hang and require a manual reboot. Another method of inducing this error is for someone to upload a malicious CFM page, which contains code such as : **Start of code** #the_date# **End of code** This is a feasible scenario for a web-hosting company that provides shared hosting services to multiple clients. A malicious user of the service may try to disable the web-hosting company's servers by uploading this page, and accessing it a dozen times from his browser. Vendor Response: ============= The vendor had assigned CFMX bug #51267 to it, and has patched this bug in the current latest release of this software: ColdFusion MX Server 6.1. This is available as a free upgrade to existing users. In the new version, the length of the error string is limited to 256 bytes. Workaround ========= In case upgrading the server is not feasible immediately, you could create your own error reporting template and set this in the ColdFusion Administrator "Settings" page as the "Site-wide Error Handler" - the memory consumption is moderate. You must ensure that the customized error page does not contain the string that causes the error. Disclaimer ======= The information contained in this advisory is copyright (c) 2004 Network Intelligence India Pvt. Ltd. (www.nii.co.in) This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way. About us ======= Network Intelligence is an security consulting firm specializing in vulnerability research, application security audits, penetration testing, intrusion detection & analysis, BS7799 consulting, and overall information assurance services. More information about our list of security services is at http://www.nii.co.in/services.html We also have our range of security auditing products for Windows, Oracle and SQL Server. More information on these products is available at http://www.nii.co.in/products.html