Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

F5 BIG-IP and iControl REST Vulnerabilities and Exposures- 1028

Ron Bowes - Rapid 7. Posted 3 years ago.
  • BIG-IP is a family of application delivery products from F5. It has a suite of internal APIs, meant for admins only, that tend to be exposed only on the LAN the device sits on. This article is a dive into those.
  • The first CVE is a large chain of security issues. They first found a trivial command injection in a binary called f5_update_checker: it reads a file called f5_update_action, and simply adding a command injection payload to that file gives code execution.
  • But on its own this really isn't a huge problem, since you need to be able to write a file to the system to do it. It only becomes a problem if we can write a file. While playing around with the admin SOAP API, they obtained the ability to write a file to an arbitrary location with arbitrary content. See where this is going!?
  • Additionally, the SOAP API was vulnerable to CSRF, since it lacked proper cookie flags and other protections. The catch is that the browser would send a pre-flight request for an XML request, which would make this impossible. So the author put the XML into a form with a plaintext content-type instead.
  • From there they hit another problem: a form submits in key=value format, which would corrupt the XML payload being sent. However, XML allows comments! So the key became <!-- and the value became --> followed by the regular XML. This comments out the equals sign (=) from the form submission, making it valid XML. Amazing.
  • The SOAP API runs as root, but BIG-IP has SELinux as well, so obvious targets like /etc/profile.d cannot be written to. They noticed that a bash script in that directory was a symbolic link into /var/run/config/timeout.sh. Since this location isn't protected by SELinux, it ended up being a bypass, on top of the code execution method mentioned above.
  • With the CSRF, the arbitrary file write and the command injection/SELinux bypass, we've got code execution on BIG-IP. The second RCE method was a newline injection into rpmspec files via another administrative API. Since this file is used to create RPM files, adding new parameters/fields leads to the execution of arbitrary shell commands.
  • Overall, an awesome post, and I was happy to talk to the author at Hushcon this year to get more information about the CSRF issue.
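As an added example (my own code, not from the Rapid7 post and not F5's), here are the server-side checks that would have closed the two bug classes summarised above: a gate for a cookie-authenticated SOAP endpoint that refuses anything an HTML form can produce (non-XML content type, no custom header, foreign Origin), the cookie flags the post says were missing, and a spec-file builder that confines each user-supplied value to a single line so a newline can never open a new directive. The origin allowlist, media types, header and function names are all my assumptions.

```python
import re

# Constructed for this example: the appliance's own origin and the XML media
# types a legitimate SOAP client sends. Both are assumptions, not F5 values.
ALLOWED_ORIGINS = {"https://bigip.example.internal"}
XML_CONTENT_TYPES = {"text/xml", "application/soap+xml"}


def check_soap_request(method, headers, body):
    """Gate for a cookie-authenticated SOAP endpoint. Returns (accepted, reason).

    An HTML form can only submit as application/x-www-form-urlencoded,
    multipart/form-data or text/plain, and cannot set custom headers. Requiring
    an XML media type plus a custom header therefore forces any cross-site
    caller through a CORS preflight, which the browser blocks unless this
    server explicitly allows the foreign origin. The Origin allowlist is a
    second, independent check in case the preflight logic is ever relaxed.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return False, "method %r not allowed" % method
    media_type = hdr.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type not in XML_CONTENT_TYPES:
        return False, "content-type %r is not an XML media type" % media_type
    if "x-requested-with" not in hdr:
        return False, "missing custom header"
    origin = hdr.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % origin
    stripped = body.lstrip()
    # Policy choice: a SOAP body must open with a declaration or element,
    # never with a comment, so the key/value framing trick is rejected even
    # if the checks above were somehow bypassed.
    if not stripped.startswith("<") or stripped.startswith("<!--"):
        return False, "body does not start with an XML document"
    return True, "ok"


def session_cookie_header(session_id):
    """Set-Cookie value with the flags the post notes were absent (assumed name)."""
    return "session=%s; Secure; HttpOnly; SameSite=Strict; Path=/" % session_id


# Conservative character set for a spec preamble value: no '%', no line
# breaks, nothing that could start a macro or a new tag line.
SPEC_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._+:~-]*$")


def build_spec_fields(fields):
    """Render 'Tag: value' preamble lines from user-supplied values.

    Every value is confined to one line and to SPEC_VALUE, so a value cannot
    inject a second line or directive. Raises ValueError on any violation.
    """
    lines = []
    for tag, value in fields.items():
        if "\n" in value or "\r" in value:
            raise ValueError("%s: line break in value" % tag)
        if not SPEC_VALUE.match(value):
            raise ValueError("%s: disallowed characters in value" % tag)
        lines.append("%s: %s" % (tag, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    same_origin = {
        "Content-Type": "text/xml; charset=utf-8",
        "Origin": "https://bigip.example.internal",
        "X-Requested-With": "XMLHttpRequest",
    }
    print(check_soap_request("POST", same_origin, "<?xml version='1.0'?><Envelope/>"))
    print(check_soap_request("POST", {"Content-Type": "text/plain"}, "<Envelope/>"))
    print(build_spec_fields({"Name": "pkg", "Version": "1.0"}))
```

The order of the checks matters for reporting, not for safety: each one alone would reject a form-submitted request, so a reviewer can see which layer caught it. The spec builder rejects rather than escapes, because rpmspec has no quoting that reliably neutralises a line break.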