SEC Consult Vulnerability Lab Security Advisory < 20120328-0 >
=======================================================================
title: Unauthenticated remote root through SQL injection
product: F5 FirePass SSL VPN
vulnerable version: 6.0.0 - 6.1.0, 7.0.0
fixed version: 6.1.0 HF-377712-1 / 7.0.0 HF-377712-1
CVE number: CVE-2012-1777
impact: critical
homepage: www.f5.com
found: 2012-02-03
by: C. Schwarz / SEC Consult Vulnerability Lab
=======================================================================
Vendor/product description:
-----------------------------
"The FirePass SSL VPN, available as an appliance and in a Virtual
Edition, provides security, flexibility, and ease of use. It grants access to
corporate applications using a technology that everyone understands: a web
browser. Users can have secure access from anywhere they have an Internet
connection, while FirePass ensures that connected computers are fully patched
and protected."
"FirePass provides robust, secure SSL VPN remote access to business
applications from a wide range of client devices, including Apple iPhone and
Windows Mobile devices. Using full-tunnel SSL technology and client access
policies defined by system administrators, remote clients can log on to
corporate business applications under pre-defined access permissions and
client directory control."
URL: www.f5.com/products/firepass/
Vulnerability overview/description:
-----------------------------------
Due to insufficient input validation, an unauthenticated attacker can exploit a
critical SQL injection vulnerability and escalate it to arbitrary command
execution in the context of the administrative super user ("root"). The flaw
is in the "state" parameter of the my.activation.php3 script.
Proof of concept:
-----------------
As the MySQL database runs as root with FILE privileges enabled, an attacker
can read/write arbitrary files on the target filesystem.
The following payload reads the first character of the /etc/passwd file
('r' for "root"):
state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+
With MySQL's "into outfile" a simple PHP webshell can be deployed on the
vulnerable system. Due to severe configuration issues in the underlying Linux
system, an attacker can then elevate privileges to "root", because the
/etc/sudoers configuration does not require a password. As a proof of concept,
the /etc/shadow password file could be accessed.
Exploit code exists but will not be made public.
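As an added example (not part of the original advisory and not F5's or SEC
Consult's code), the following Python script shows how a defender can spot the
request pattern described above in web server access logs. It assumes Common
Log Format request lines (a constructed sample is embedded), decodes the double
URL-encoding the payload relies on (%2527 -> %27 -> '), and flags the MySQL
FILE-privilege functions (LOAD_FILE, INTO OUTFILE) and the BENCHMARK() timing
oracle that the payload uses. The log layout, IP addresses and timestamps are
constructed for illustration.

```python
"""Flag the FirePass-style blind SQL injection pattern in access logs.

Added example (not F5's or SEC Consult's code). Assumes Common Log Format
request lines; the sample log below is constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common Log Format request line (assumed layout; adapt to the appliance's logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# MySQL constructs from the advisory's payload that have no business in a
# "state" parameter: FILE-privilege functions and the BENCHMARK() timing oracle.
SUSPICIOUS = [
    ("mysql_file_read", re.compile(r"\bload_file\s*\(", re.I)),
    ("mysql_file_write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("timing_oracle", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("boolean_oracle", re.compile(r"\bcase\s+when\b.*\bthen\b", re.I | re.S)),
    ("comment_truncation", re.compile(r"--\s*$|#\s*$")),
]

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing.

    The advisory's payload is double-encoded (%2527 -> %27 -> '), so a single
    decode leaves the quotes as %27 and hides the injected SQL from keyword
    matching and from the analyst reading the alert.
    """
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_request(target: str) -> dict:
    """Decode every query parameter of one request target and collect indicators."""
    parts = urlsplit(target)
    findings = {}
    # parse_qsl performs the first decode round; fully_decode does the rest.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(raw)
        hits = [label for label, rx in SUSPICIOUS if rx.search(decoded)]
        if hits:
            findings[name] = {"decoded": decoded, "indicators": hits}
    return {"path": parts.path, "findings": findings}

def classify(findings: dict) -> str:
    """Map indicators to a severity: file access on the appliance outranks probing."""
    labels = {lab for f in findings.values() for lab in f["indicators"]}
    if labels & {"mysql_file_read", "mysql_file_write"}:
        return "critical"
    if labels & {"timing_oracle", "boolean_oracle"}:
        return "high"
    if labels:
        return "low"
    return "none"

def scan_log(lines) -> list:
    """Return one alert per log line whose request carries injection indicators."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        result = analyse_request(m.group("target"))
        severity = classify(result["findings"])
        if severity == "none":
            continue
        labels = sorted({lab for f in result["findings"].values() for lab in f["indicators"]})
        alerts.append({
            "ip": m.group("ip"), "ts": m.group("ts"), "path": result["path"],
            "severity": severity, "indicators": labels,
            "decoded": {k: v["decoded"] for k, v in result["findings"].items()},
        })
    return alerts

# Constructed sample: line 1 is the advisory's own payload, line 2 a normal
# activation request, line 3 a legitimate value containing an apostrophe.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2012:10:15:01 +0100] "GET /my.activation.php3?state='
    '%2527+and+(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+'
    'BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+ HTTP/1.1" 200 1432',
    '198.51.100.4 - - [03/Feb/2012:10:16:22 +0100] "GET /my.activation.php3?state=a7f3c2 HTTP/1.1" 200 1432',
    '198.51.100.9 - - [03/Feb/2012:10:17:45 +0100] "GET /my.activation.php3?state=O%27Brien HTTP/1.1" 200 1432',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ip"], alert["path"], alert["indicators"])
        for param, sql in alert["decoded"].items():
            print(f"  {param} = {sql}")
```

Only the first sample line produces an alert; the plain activation code and
the value with a single apostrophe are left alone, so the detector keys on the
MySQL constructs rather than on quote characters. Detection of this kind is a
complement to the vendor hotfix, not a substitute for it: the root cause the
advisory names (unvalidated input reaching MySQL, which runs as root with FILE
privileges, plus passwordless sudo) is only removed by the fix itself.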
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the FirePass SSL VPN,
versions 6.0.0 - 6.1.0 and version 7.0.0, which was the most recent version at
the time of discovery.
Vendor contact timeline:
------------------------
2012-02-03: Contacting F5 security team via email
2012-02-03: Immediate reply
2012-02-06: Sent exploit description
2012-03-05: F5 status update
2012-03-14: F5 releases hotfix
2012-03-28: Public release of SEC Consult advisory
Solution:
---------
To patch a FirePass 6.1 system, first make sure that HotFix_610-7 is installed
and then install HF-377712-1. To patch a FirePass 7.0 system, first install
HotFix_70-5 and then install HF-377712-1. For detailed instructions on how to
obtain and apply the patch, refer to the vendor:
URL: support.f5.com/kb/en-us/solutions/public/13000/400/sol13463.html
Workaround:
-----------
No workaround available.
Advisory URL:
--------------
www.sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
STT ::: avi, mei, s., ben! :::
EOF C. Schwarz / @2012