Subject: Re: Cold Fusion Server 4.5.1 DoS Vulnerability.
From: Malcolm Gin (mgin at ALLAIRE.COM)
Date: Wed May 17 2000 - 15:31:03 CDT
- Next message: Microsoft Product Security: "Microsoft Security Bulletin (MS00-033)"
- Previous message: rain forest puppy: "RFP2K04: Mining BlackICE with RFPickAxe"
- Maybe in reply to: Ryan Hill: "Cold Fusion Server 4.5.1 DoS Vulnerability."
- Maybe reply: Malcolm Gin: "Re: Cold Fusion Server 4.5.1 DoS Vulnerability."
In Response to 'Cold Fusion Server 4.5.1 DoS Vulnerability.' Exploit Announcement:
Allaire tested and analyzed denial of service scenarios with various
ColdFusion Administrator settings that we believed were relevant to the
Exploit Announcement issue. Our test results indicated that such an attack
attempt must originate from an individual possessing insider site
information using denial of service attack techniques and therefore
represents the threat level of a conventional denial of service attack
against any site.
The vulnerability of ColdFusion servers running in the default configuration
is comparable to their exposure to conventional brute force denial of
service attacks. Additionally, a number of precautions can be taken by
ColdFusion server administrators to virtually eliminate exposure to this
type of attack. Details of these precautions follow.
Below is the inside knowledge that we believe an attacker would need to
perpetrate a successful attack involving the use of <CFCACHE>:
1. Knowledge of which ColdFusion template(s) on the target server use the
<CFCACHE> tag.
Prior to January 4, 2000, this information was available to knowledgeable
attackers by requesting the cfcache.map file co-located in the same
directory as any document using the <CFCACHE> tag. This security issue
was addressed in Allaire Security Bulletin ASB00-03, released January 4,
2000, and available at
http://www.allaire.com/handlers/index.cfm?ID=13978&Method=Full. When a
server administrator implements the patch and recommendations in ASB00-03,
this information is taken out of harm's way into a directory not accessible
to web browsers.
2. Knowledge of the exact timeout period coded in the ColdFusion
template(s) on the target server using the <CFCACHE> tag.
This is inside information, available only to someone who has access to
the template in question's source code.
3. Knowledge of the exact last cached date/time of the ColdFusion
template(s) on the target server using the <CFCACHE> tag (i.e., which
template(s) that use the <CFCACHE> tag have had cached copies removed from
the template's CACHEDDIRECTORY or have never been cached by the server).
This is inside information, available only to someone who has access to
the web server's filesystem. Even if the page the hypothetical attacker
randomly chooses uses the <CFCACHE> tag, the attacker has to know how long
the cache timeout period is, and when the document was last cached. This is
inside information. Assuming the attacker knows this information, s/he
then has to wait for the timeout to expire and finally be the first to
request the document with his/her coordinated attack.
4. Knowledge of ColdFusion Administrator Settings: 'Limit Simultaneous
Requests' setting
This is inside information, available only to someone who has access to
the ColdFusion Administrator Interface. Knowing this inside information
allows the attacker to figure out how many simultaneous requests s/he has
to hit the same URL with extremely precise timing so that all requests
arrive at the server at exactly the same time. If request queuing is offset
for even one of her/his requests, the server will not deadlock. On the web,
it will be extraordinarily difficult to achieve this precise timing. We
successfully reproduced the deadlock condition but only after very carefully
timing our attacks on a server on the same Ethernet segment as our testing
equipment.
5. Knowledge that the 'Timeout requests after XX seconds' setting in the
ColdFusion Administrator is OFF (or that 'Timeout requests after XX seconds'
is set to a very high number of seconds).
This is inside information, available only to someone who has access to
the ColdFusion Administrator Interface. If the Timeout setting is enabled
and set to a reasonable number of seconds, the deadlock condition does not
happen and the server recovers from the load, even if all the rest of the
conditions are ideal for an attack.
Of lesser importance is the fact that the CFCACHE tag is intended to
help speed performance, and is most often used on site pages that receive
frequent traffic, which keeps their caches current. This seems to us
equivalent to a conventional DoS attack, especially given the difficulty of
timing the arriving requests for a theoretically successful attack.
6. Use of a load testing or other load-generation or denial-of-service
tool to actually request the template in question exactly simultaneously
with more connections than the ColdFusion Administrator setting for 'Limit
Simultaneous Requests'. Tests could not cause a successful attack manually
using Internet browsers; an automated load testing tool had to be used.
Using exactly the same number of full-speed load test robots as the
ColdFusion Administrator setting for 'Limit Simultaneous Requests' creates a
stress condition the server will recover normally from. Using a large
number of load test robots could cause the deadlock condition if all of the
above information is known, conditions are right and all settings are as
described, but our testing indicates a substantially higher number of
automated test robots would be required than the number of Simultaneous
Requests set in the ColdFusion Administrator. Additionally, the attack
could not be initiated via a regular Internet browser issuing repeated
identical requests.
Allaire Security Bulletin ASB00-03 recommends ColdFusion customers use its
patch to relocate temporary cache files to a secure, non-web browser
accessible document directory. Without the information available from a
system where the patch and bulletin recommendations have _not_ been
implemented, the proposed exploit _must_ run a typical denial of service
attack in order to locate a ColdFusion template that uses the <CFCACHE> tag.
Some of the knowledge that the exploit assumes is only available when users
have not implemented the patch or recommendations printed in ASB00-03.
If the attacker does not possess the above inside site information, the
attack would require a very high number and frequency of coordinated
requests in order to find the appropriate attack points and times by blind
trial and error. The attacker also requires perfectly timed and coordinated
load focused against the template whose cache has expired. Further, the
act of spidering a site's pages causes the pages to be cached, making
them ineligible for this attack.
To circumvent this extremely unlikely possibility of successful attack,
ColdFusion administrators should enable the 'Timeout requests after XX
seconds' setting in the ColdFusion Administrator and set it to an
appropriate number of seconds. If this setting is made and enabled, the
deadlock condition does not occur, and the server can be, at worst,
unavailable for the timeout specified. When the request queue clears, the
server will recover automatically, requiring no restart or any other
intervention.
In summary, ColdFusion server administrators can thoroughly protect
themselves from this specific CFCACHE denial of service attack by following
the best practice of setting default request timeouts in the ColdFusion
administrator, and locating cache map file information securely. For those
ColdFusion sites that do not undertake these precautions, the exposure to
this particular denial of service attack is commensurate to the exposure to
a conventional brute force denial of service attack.
Please feel free to contact me should you have any questions or concerns.
Regards,
Malcolm Gin
Security Response Team Coordinator
W: (617) 252-5984 -- mgin at allaire.com -- http://www.allaire.com/security
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv at listserv.ntsecurity.net
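The message above says that, before ASB00-03, an attacker could learn which templates use <CFCACHE> by requesting the cfcache.map file that sits in the same directory as the cached template. The following is an added example, not part of Malcolm Gin's message or of any Allaire code: a small checker that takes the URLs of templates an administrator suspects use <CFCACHE>, derives the cfcache.map URL beside each one, and reports any the web server still serves. The host example.test, the template paths and the canned HTTP responses are constructed for the demonstration; the fetch function is injectable so the logic runs offline against those constructed responses.

```python
"""Verify that cfcache.map is no longer web-accessible (ASB00-03 check).

Added example, not from the original message. Assumptions: the map file is
named cfcache.map and, on an unpatched server, lives in the same directory
as the template that uses <CFCACHE>; a HTTP 200 for that URL is treated as
exposure. Hostnames, paths and responses below are constructed samples.
"""
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

MAP_FILE = "cfcache.map"  # file name as described in the message


def map_url_for(template_url: str) -> str:
    """Return the URL where cfcache.map would sit beside this template."""
    parts = urlsplit(template_url)
    directory = parts.path.rsplit("/", 1)[0] + "/"
    return f"{parts.scheme}://{parts.netloc}{directory}{MAP_FILE}"


def http_status(url: str, timeout: float = 10.0) -> int:
    """Live fetcher: HEAD the URL and return its status (0 on connection failure)."""
    req = Request(url, method="HEAD", headers={"User-Agent": "cfcache-map-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return 0


def find_exposed_maps(template_urls, fetch=http_status):
    """Return the sorted list of cfcache.map URLs the server answers with HTTP 200.

    Each candidate directory is requested once even if several templates
    share it, so the check stays cheap on large template lists.
    """
    checked = set()
    exposed = []
    for url in template_urls:
        candidate = map_url_for(url)
        if candidate in checked:
            continue
        checked.add(candidate)
        if fetch(candidate) == 200:
            exposed.append(candidate)
    return sorted(exposed)


# Constructed sample: one directory still serves its map file, the site root does not.
SAMPLE_TEMPLATES = [
    "http://example.test/news/index.cfm",
    "http://example.test/news/story.cfm",
    "http://example.test/index.cfm",
]
SAMPLE_RESPONSES = {
    "http://example.test/news/cfcache.map": 200,
    "http://example.test/cfcache.map": 404,
}


def sample_fetch(url: str) -> int:
    """Offline stand-in for http_status using the constructed responses."""
    return SAMPLE_RESPONSES.get(url, 404)


def demo():
    """Run the check against the constructed sample and return exposed map URLs."""
    return find_exposed_maps(SAMPLE_TEMPLATES, fetch=sample_fetch)


if __name__ == "__main__":
    # Usage: python cfcache_map_check.py http://host/dir/page.cfm ...
    # With no arguments the constructed sample is used.
    targets = sys.argv[1:]
    hits = find_exposed_maps(targets) if targets else demo()
    for hit in hits:
        print("EXPOSED:", hit)
    if not hits:
        print("no cfcache.map files served")
```

A 200 here means the ASB00-03 relocation has not been applied for that directory and the template list in the map is readable by anyone; a 404 or 403 for every candidate is the expected result on a patched server.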