Adobe ColdFusion Heap Buffer Overflow Vulnerability
SonicWall Capture Labs Threat Research Team has observed the following threat:
Adobe ColdFusion is an application development platform by Adobe Systems. It is an IDE used to develop web applications and supports a full scripting language, ColdFusion Markup Language (CFML). Since ColdFusion MX 6.0, the server component runs within a Java Runtime Environment (JRE). The ColdFusion Administrator organizes information about all ColdFusion server database connections in a single location. ColdFusion provides a number of supplied drivers for connecting to multiple databases specifically the ODBC Socket.
The ODBC Socket is the data source relevant to the understanding of this vulnerability. ODBC Socket is a type of database driver that allows applications to connect to a database using the Open Database Connectivity (ODBC) interface, but instead of connecting directly to the database, the driver connects to a server that acts as a bridge between the application and the database. The "socket," receives the applications requests and translates them into the appropriate format for the database, and then sends the results back to the application. The use of a socket allows for greater flexibility and scalability, as the socket can be configured to connect to multiple databases, and can also be used to add security features such as encryption and authentication.
A heap-based and stack-based buffer overflow vulnerability exists in Adobe ColdFusion ODBC Server component. This vulnerability is due the lack of proper validation of user-supplied data, which can result in a buffer overflow.
A remote, unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the target service. In the worst case, successful exploitation could result in arbitrary code execution with privileges of SYSTEM.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-35711.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is unproven.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
It's important to have a good understanding of the General Inter-ORB Protocol (GIOP) and the Internet Inter-ORB Protocol (IIOP) before moving further into a vulnerability that utilizes them. These protocols are used for communication between objects in a distributed system, and are based on the Common Object Request Broker Architecture (CORBA) standard. Understanding the message format and structure, as well as the different types of messages that can be sent, is essential for properly implementing and utilizing these protocols. Additionally, knowing the specific endpoint or location on the network where IIOP traffic is being sent or received is important for proper routing and communication. Without a solid understanding of GIOP and IIOP, it may be difficult to properly implement and utilize the features and functionality provided by these protocols.
When the component receives the GIOP packet, it first calls the function swsoc.exe+0xcd070() to check that Magic Bytes field is set to "GIOP". Next, function swsoc.exe+0xcc620() is called, which checks if ServiceContext and the Principal fields are set to 0. This function also checks that Object Key is set to "IIOP:slx::" and Operation is set to "SSP". Next, function swsoc.exe+0xd0160() is called that checks an unknown field in the request body. The opcodes are processed, one at a time, in a loop in the function swsoc.exe+0xcd910().
In this loop, the vulnerable opcode 8 will be examined. If the opcode is encountered, the C library function memmove() will be called that uses the OpcodeDataSize field as the size parameter to move the bytes in the Data field to a heap buffer. By supplying an OpcodeDataSize value larger than 38, the vulnerable heap-buffer will be overrun.
Triggering the Problem:
• The target host must have the vulnerable version of the software installed and running.
• The attacker must have network connectivity to the target server.
The attacker sends a crafted GIOP request message to the ODBC Server. The GIOP message contains an overly large OpcodeDataSize value.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall's, (IPS) Intrusion Prevention System, provides protection against this threat:
• IPS: 3466 Adobe ColdFusion GIOP Heap Buffer Overflow
The risks posed by this vulnerability can be mitigated or eliminated by:
• Filtering network traffic using the signature above.
• Blocking the affected ports from external network access if they are not required.
• Updating to a non-vulnerable version of the product by applying the vendor provided patch.
The vendor has released the following advisory regarding this vulnerability: