Subject: Cold Fusion Server 4.5.1 DoS Vulnerability.
From: Ryan Hill (ryan at MARKETMATRIX.COM)
Date: Fri May 12 2000 - 01:02:57 CDT
- Next message: Ryan Hill: "Re: Cold Fusion Server 4.5.1 DoS Vulnerability."
- Previous message: Hayday, John (ISSReading): "Default configuration of SYSKEY permits compromise of Encrypting File System"
- Next in thread: Ryan Hill: "Re: Cold Fusion Server 4.5.1 DoS Vulnerability."
- Reply: Ryan Hill: "Re: Cold Fusion Server 4.5.1 DoS Vulnerability."
- Reply: Malcolm Gin: "Re: Cold Fusion Server 4.5.1 DoS Vulnerability."
-[ Exploit Announcement
Title: Cold Fusion Server 4.5.1 Denial-of-Service Attack using CFCACHE.
OS: Windows NT 4.0
Affected Product Versions: Cold Fusion Server 4.5.x, Professional &
Enterprise.
-[ Acknowledgements
Thanks are due to Patrick Keating, for his help diagnosing and discovering
this issue.
-[ Summary
ColdFusion is a complete Web application server for developing and
delivering scalable e-business applications. The Cold Fusion Markup
Language (CFML) tag set includes a tag called CFCACHE. CFCACHE speeds up
pages considerably in cases where the dynamic content does not need to be
regenerated each time a user accesses the page. To accomplish this, it
creates temporary files that contain the static HTML returned from a
particular run of the ColdFusion page.
-[ The Exploit
It is possible to cause the Cold Fusion Server service to hang and stop
responding to client requests by requesting a CFCACHE'd page whose cache
file has not yet been created while no running request thread slots are
free on the server. The Cold Fusion Server service must be restarted so
that the running and queued request threads can be cleared.
-[ The Details
CFCACHE consumes a client request thread when creating its temporary cache
pages, and this hangs Cold Fusion Server if no execution thread slots are
free. With the default limit of 5 simultaneous requests, sending 6
simultaneous requests for a CFCACHE'd page whose temporary cache file has
not yet been created is enough. Using CFSTAT, a utility included with Cold
Fusion Server, you can clearly see that the server has stopped responding
to client requests, with 5 threads running in the active thread space and
1 thread stuck in the queue. The 5 active threads never time out or exit,
and the server never recovers from this hung state. The only way to regain
control of the server is to restart the Cold Fusion Server service on the
affected machines.
The severity of this bug is fairly high considering that the exploit is so
simple to perform and does not require malformed data, edited packets or any
exploit programs to potentially knock thousands of vulnerable Cold Fusion
Servers off-line.
-[ Patch Availability or Workaround
No patches are known. You can avoid using CFCACHE altogether, or, as a
possible workaround, request the CFCACHE'd pages manually or
programmatically (with a spider) so that the temporary files are created
under a no-load situation. Once the temporary cache pages exist, this
vulnerability is no longer a threat. This workaround is not very practical,
however, and can become very time consuming if the website has many pages
using this functionality.
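The spidering workaround above, as an added example that is not part of the original advisory: a Python warmer that requests CFCACHE'd pages strictly one at a time (so each cache file is created while the other request threads are idle) and follows same-host links to reach the rest of the site. The host, the `.cfm` page names and the sample site content are constructed; the fetch function is injectable so the crawl can be exercised offline.

```python
# Added example (not from the advisory): sequential cache warmer for the
# spidering workaround. Only one request is in flight at any time.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urldefrag
import urllib.request

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # href values of <a> tags, used to spider the site
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def http_fetch(url, timeout=30):
    # Bounded wait: a server in the hung state the advisory describes shows
    # up as a timeout here instead of blocking the warmer forever.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def warm_cache(start_url, fetch=http_fetch, max_pages=200):
    """Request pages one at a time on the start host; returns (warmed, failed)."""
    host = urlsplit(start_url).netloc
    queue, seen, warmed, failed = [start_url], {start_url}, [], []
    while queue and len(warmed) + len(failed) < max_pages:
        url = queue.pop(0)
        try:
            body = fetch(url)  # the only request in flight
        except Exception:
            failed.append(url)  # timeout or error: record it and move on
            continue
        warmed.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urldefrag(urljoin(url, href))[0]  # drop #fragments
            if urlsplit(target).netloc == host and target not in seen:
                seen.add(target)
                queue.append(target)
    return warmed, failed

# Constructed sample site (hypothetical host and page names) for offline runs;
# passing SITE.__getitem__ as the fetcher makes a missing page raise KeyError,
# which warm_cache records as a failed request.
SITE = {
    "http://www.example.test/index.cfm": '<a href="/a.cfm">a</a>'
        '<a href="b.cfm#top">b</a><a href="http://other.test/x.cfm">x</a>',
    "http://www.example.test/a.cfm": '<a href="/index.cfm">home</a>',
    "http://www.example.test/b.cfm": '<a href="missing.cfm">m</a>',
}
```

Against a real server, call `warm_cache("http://host/index.cfm")` with the default `http_fetch`; a non-empty failed list after a timeout is a sign the server is already in the hung state rather than merely slow.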
Allaire's Unofficial response to this bug:
"What are the chances that 5 people would simultaneously request the same
page?"
-[ Exploit Published: 05/08/2000
Vendor Notification: 05/08/2000
Release to Public: 05/08/2000
Regards,
Ryan
Ryan Hill, MCSE
Director of Systems Integration
Market Matrix, Inc. - http://www.marketmatrix.com