
cfdos.txt

Posted Apr 17, 2004
Authored by K. K. Mookhey | Site nii.co.in

ColdFusion MX versions 6.0 and below suffer from a denial of service vulnerability when memory usage gets saturated due to an oversized string being returned as part of an error message.

tags | advisory, denial of service
SHA-256 | 619d02fdd2afd7d22cc8e5417214549294b00a682f1dafc88add6159e988ecf4

Name: Denial of Service Vulnerability in ColdFusion MX
Systems Affected: Version 6.0 and earlier
Severity: Medium-High
Category: Denial of Service
Vendor URL: Macromedia ColdFusion MX
Discovered by: Network Intelligence (I) Pvt. Ltd. (www.nii.co.in)
Online location: https://www.nii.co.in/vuln/cfdos.html

Description
===========
ColdFusion MX is the solution for building and deploying powerful web
applications and web services. Using the proven tag-based scripting and
built-in services in ColdFusion MX, web application developers can easily
harness the power of the Java platform without the complexity. Available for
stand-alone installation or for deployment on industry-leading J2EE
application servers, ColdFusion enables over 10,000 customers and hundreds
of thousands of developers worldwide to deliver powerful web applications in
record time.

Vulnerability Details
=====================
When the ColdFusion MX Server attempts to write an error message that
contains an oversized string, the server's memory usage shoots up and stays
there until the server finishes writing the message. The message is written
both onto a web page and into ColdFusion's Application.log file. If this
error is induced repeatedly, the entire memory on the server is used up and a
Java out-of-memory condition occurs. We tested this by inducing the error ten
times in a row.

Impact
======
Once memory usage is high, genuine requests can no longer be handled.
Attempts to stop and restart the ColdFusion server using the Windows
Services applet or the cfstop.bat script fail. During our tests, the only
way to recover from the attack was to restart the server.

Exploitation
============
To exploit this vulnerability, the attacker would need to induce an error in
the processing of CFM pages. One way is to supply a long string (we needed
about 2-3 MB) of data in a GET or POST request to a function that does not
handle that data type or length. For instance, we induced the error by
supplying the string to the DateFormat() function, which formats the supplied
string into a date value of the specified format. Ten such requests will
cause the ColdFusion server to hang completely and require a manual reboot.
Another method of inducing this error is for someone to upload a malicious
CFM page which contains code such as:

**Start of code**
<!--- build a 400,000-character string and pass it to a function that expects a date --->
<cfset longstr = RepeatString("1234567890123456789012345678901234567890", 10000)>
<cfset the_date = DateFormat(longstr)>
<cfoutput>#the_date#</cfoutput>
**End of code**

This is a feasible scenario for a web-hosting company that provides shared
hosting services to multiple clients. A malicious user of the service may try
to disable the web-hosting company's servers by uploading this page and
accessing it a dozen times from his browser.

Vendor Response
===============
The vendor assigned CFMX bug #51267 to this issue and has patched it in the
latest release of the software, ColdFusion MX Server 6.1, which is available
as a free upgrade to existing users. In the new version, the length of the
error string is limited to 256 bytes.

Workaround
==========
If upgrading the server is not immediately feasible, you can create your own
error reporting template and register it in the ColdFusion Administrator
"Settings" page as the "Site-wide Error Handler"; with a custom handler the
memory consumption stays moderate. You must ensure that the customized error
page does not echo the oversized string that caused the error.
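The following site-wide error handler is an added illustration of that workaround, not code from the advisory or from Macromedia: it caps every error-scope field at 256 characters (the same limit the vendor applied in 6.1) before anything is logged or rendered, so the oversized input never reaches the page or Application.log. The cap value and the wording of the page are assumptions.

```cfml
<!--- Constructed site-wide error handler (example, not vendor or NII code).
      Register it under ColdFusion Administrator > Settings > Site-wide Error Handler.
      ColdFusion populates the error scope for this template. --->
<cfset maxLen = 256>  <!--- assumed cap; matches the limit the vendor chose for CFMX 6.1 --->

<!--- Truncate the fields that can carry attacker-supplied data before they are written anywhere --->
<cfset safeMessage = Left(error.message, Min(Len(error.message), maxLen))>
<cfset safeDiagnostics = Left(error.diagnostics, Min(Len(error.diagnostics), maxLen))>
<cfset safeQuery = Left(error.queryString, Min(Len(error.queryString), maxLen))>

<!--- Log a bounded record; the original length is kept as a signal for detection --->
<cflog file="Application" type="Error"
       text="Error in #error.template# from #error.remoteAddress# (message len=#Len(error.message)#, query len=#Len(error.queryString)#): #safeMessage#">

<cfoutput>
<html>
<head><title>Request failed</title></head>
<body>
<p>The request could not be processed. The error has been logged.</p>
<p>Time: #error.dateTime#</p>
<!--- HTML-encode before echoing; only the truncated summary is ever rendered --->
<p>Summary: #HTMLEditFormat(safeMessage)#</p>
</body>
</html>
</cfoutput>
```

Any application-level cferror or cfcatch handler takes precedence over the site-wide handler, so those templates must apply the same cap or the workaround is bypassed; the logged message length also gives operators a simple threshold to alert on.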

Disclaimer
==========
The information contained in this advisory is copyright (c) 2004 Network
Intelligence India Pvt. Ltd. (www.nii.co.in). This advisory may be
redistributed, provided that no fee is charged and that the advisory is not
modified in any way.

About us
========
Network Intelligence is a security consulting firm specializing in
vulnerability research, application security audits, penetration testing,
intrusion detection and analysis, BS7799 consulting, and overall information
assurance services. More information about our list of security services is
at https://www.nii.co.in/services.html. We also have our range of security
auditing products for Windows, Oracle and SQL Server. More information on
these products is available at https://www.nii.co.in/products.html
