Advisory 020
ColdFusion MX 7 Search Service Local Privilege Escalation
Vulnerability Type / Importance: Privilege Escalation / High
Problem Discovered: 8 February 2006
Vendor Contacted: 8 February 2006
Advisory Published: 10 October 2006
Abstract:
A vulnerability in a third-party library could allow a malicious local user to execute arbitrary code with the privilege level of the local SYSTEM account.
Description:
Multiple stack-based buffer overflows exist in the ColdFusion Search Service, a third-party product produced by Verity.
Technical Details:
When connected to the ColdFusion Search Service, which listens on TCP port 9950, using the command-line tool rcadmin.exe, the following commands do not correctly perform boundary checking on buffers that store various parameters:
- adminset
- paraset
- spiderset
- treeset
- wsadd
- wsdel
As the service runs with the privilege level of the local SYSTEM account, exploitation of these buffer overflows results in the ability to execute arbitrary code at that privilege level, which can be used by an attacker to escalate their privileges. By default the service is only accessible from localhost and therefore the attacker must have local access to the server.
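The localhost-only default described above can be checked from a listener listing. The following is an added example, not part of the original advisory or of any vendor tooling; the function name `classify_9950` and the sample lines are constructed for illustration, and the input is assumed to be `netstat -an` or `ss -ltn` output.

```shell
#!/bin/sh
# Added example: classify how TCP port 9950 (ColdFusion Search Service) is bound.
# Reads listener lines on stdin in `netstat -an` or `ss -ltn` format
# (Linux, Solaris and Windows layouts) and prints a verdict on the first line:
#   not-listening | loopback-only | exposed
# followed by each non-loopback local address found, one per line.
classify_9950() {
    awk '
        toupper($0) ~ /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                # local address field ends in :9950 (or .9950 on Solaris)
                if ($i !~ /[:.]9950$/) continue
                addr = $i
                sub(/[:.]9950$/, "", addr)                  # strip the port
                gsub(/\[/, "", addr); gsub(/\]/, "", addr)  # strip IPv6 brackets
                seen = 1
                if (addr !~ /^127\./ && addr != "::1" && addr != "localhost")
                    bad = bad "\n" $i
                break
            }
        }
        END {
            if (!seen) print "not-listening"
            else if (bad != "") print "exposed" bad
            else print "loopback-only"
        }
    '
}

# Constructed sample input (not captured from a real host).
SAMPLE_DEFAULT='tcp        0      0 127.0.0.1:9950          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'
SAMPLE_EXPOSED='  TCP    0.0.0.0:9950           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9950         0.0.0.0:0              LISTENING'

printf '%s\n' "$SAMPLE_DEFAULT" | classify_9950   # default binding
printf '%s\n' "$SAMPLE_EXPOSED" | classify_9950   # wildcard binding
# On a live host: netstat -an | classify_9950
```

A verdict of `exposed` means the service is reachable beyond localhost, so the local-access precondition stated above no longer holds for that host.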
Vendor & Patch Information:
Adobe recommends ColdFusion users apply the following update using the installation instructions below.
Windows:
- Stop all ColdFusion services.
- Make a backup of your existing verity directory cfroot\verity by copying cfroot\verity to cfroot\verity_backup:
  - Open a DOS window.
  - Enter xcopy /S c:\CfusionMX7\verity c:\CfusionMX7\verity_backup and hit return.
- Download the update from the following location:
  http://download.macromedia.com/pub/coldfusion/updater/verity_security_update_windows.zip
- Unzip verity_security_update_windows.zip into cfroot\verity. Make sure to unzip using directory names. Select 'Use folder names' when using WinZip or use similar options with other zip utilities. Allow all existing files to be overwritten.
- Restart all ColdFusion services.
- Note: cfroot is by default C:\CFusionMX7 for the server version. In a JRun or J2EE installation, however, Verity is installed into a separate directory of your choosing. That directory should be used in place of cfroot.
Uninstall instructions for patch:
- Stop all ColdFusion services.
- Delete cfroot\verity.
- Rename cfroot\verity_backup to cfroot\verity.
Linux and Solaris:
- Stop all ColdFusion services.
- Make a backup of your existing verity directory cfroot/verity by copying cfroot/verity to cfroot/verity_backup. For example, run cp -fR /opt/coldfusionmx7/verity /opt/coldfusionmx7/verity_backup.
- Copy the archive file to cfroot/verity.
- Unzip and untar the update archive (Linux or Solaris) into cfroot/verity:
  http://download.macromedia.com/pub/coldfusion/updater/verity_security_update_solaris.tar.gz
  http://download.macromedia.com/pub/coldfusion/updater/verity_security_update_linux.tar.gz
- All executable files should have permissions of 755. Text files should have permissions of 444.
- Restart ColdFusion.
Uninstall instructions for patch:
- Stop all ColdFusion services.
- Delete cfroot/verity.
- Rename/move cfroot/verity_backup to cfroot/verity.
Workaround:
The Verity Library can be disabled:
ColdFusion MX 7 J2EE requires a separate installation of the Verity search engine. ColdFusion MX 7 J2EE users should simply not install it, or uninstall it if it is already installed.
Windows:
Open the services.msc applet and stop "ColdFusion MX 7 Search Server". Set the service to manual or disabled. Users can also run cfmx_root\verity\verity-uninstall.bat to remove the configuration.
Linux:
Run cfmx_root/bin/cfmx7search stop.
Remove cfmx7search from /etc/rc.d/init.d if the server was configured to start Verity upon boot. Users can run cfmx_root/verity/verity_uninstall.sh to remove the Verity configuration.
Solaris:
Run cfmx_root/bin/cfmx7search stop.
Remove any startup script for cfmx7search if the server was configured to start Verity upon boot. Users can run cfmx_root/verity/verity_uninstall.sh to remove the Verity configuration.
Tested Versions:
ColdFusion MX 7, ColdFusion MX 7.0.1, and ColdFusion MX 7.0.2
Credits:
Research & Advisory: A Davis and R Marcos
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.