F5 BIG-IQ v4.1.0.2013.0 authenticated arbitrary user password change

2014.05.02

Credit: volatile-minds

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

F5 BIG-IQ is vulnerable to an input validation attack that allows an authenticated user to increase their privileges to that of another user. This allows an authenticated user with 0 roles to take on the roles of, say, admin or root. The user could then change the password of any other user (without logging out). If SSH is enabled (which is by default), then the user could change the root user&#8217;s password and log in over SSH.
We start off with our user with 0 roles whom is highlighted below. In this picture, 'someguy' is the username used to log in with, 'woot' is his first name. We are currently logged in as a previously escalated user (top right corner says username, another user with previously 0 roles :P ).
After authenticating, a user with 0 roles is still able to change their password. Below is what a user would be presented with after clicking the gear in the top right corner of the user box. The gear only appears after hovering over the user. There should only be one. It *does not* ask for the current password.
Clicking the save button will create a request that looks like the picture below. The two key parts are the 'name' and 'generation' keys. Both will need to be manipulated generally in order to change another user's password programmatically and successfully. generation is incremented on each password change.
Within the above request, by changing the 'name' key to another user's username (such as root or admin), the user changing the password will magically have the impersonated user's privileges. However, your displayed username (what was someguy) will now be the one used in the request. So if you used root, your displayed username will now be root. You will still log in with someguy After gaining the permissions of the other user, you immediately see the other users you can edit. Notice the username in the top right is &#8216;someguy', but the one displayed under your woot first name is root. It will be visible to other users like this. You may now edit any of these users as you please. root is the system root user.
Read more:
http://volatile-minds.blogspot.nl/2014/05/f5-big-iq-v41020130-authenticated.html

References:

http://volatile-minds.blogspot.nl/2014/05/f5-big-iq-v41020130-authenticated.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

F5 BIG-IQ v4.1.0.2013.0 authenticated arbitrary user password change

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.