Unauthenticated remote root through SQL injection in F5 FirePass SSL VPN

SEC Consult Vulnerability Lab Security Advisory < 20120328-0 >

=======================================================================

title: Unauthenticated remote root through SQL injection

product: F5 FirePass SSL VPN

vulnerable version: 6.0.0 - 6.1.0, 7.0.0

fixed version: 6.1.0 HF-377712-1 / 7.0.0 HF-377712-1

CVE number: CVE-2012-1777

impact: critical

homepage: www.f5.com

found: 2012-02-03

by: C. Schwarz / SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor/product description:

-----------------------------

"The FirePass SSL VPN" available as an appliance and in a Virtual

Edition—provide security, flexibility, and ease of use. It grants access to

corporate applications using a technology that everyone understands: a web

browser. Users can have secure access from anywhere they have an Internet

connection, while FirePass ensures that connected computers are fully patched

and protected."

"FirePass provides robust, secure SSL VPN remote access to business

applications from a wide range of client devices, including Apple iPhone and

Windows Mobile devices. Using full-tunnel SSL technology and client access

policies defined by system administrators, remote clients can log on to

corporate business applications under pre-defined access permissions and

client directory control."

URL: www.f5.com/products/firepass/

 

Vulnerability overview/description:

-----------------------------------

Due to insufficient input validation within the software, an

unauthenticated attacker can escalate a critical SQL injection vulnerability

to execute arbitrary commands in the context of the administrative super user

("root"). The flaw exists in the my.activation.php3 script in the parameter

"state".

 

Proof of concept:

-----------------

As the MySQL database runs as root with FILE privileges enabled, an attacker

can read/write arbitrary files on the target filesystem.

The following payload reads the first character of the /etc/passwd file

('r' for "root"):

state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+

With MySQL's "into outfile" a simple PHP webshell can be deployed on the

vulnerable system. Due to severe configuration issues in the underlying Linux

system an attacker can elevate his rights to "root" as no password is set in

the /etc/sudoers file. As a proof of concept the password file /etc/shadow

could be accessed.

An exploit code exists but will not be made public.

 

Vulnerable / tested versions:

-----------------------------

The vulnerability has been verified to exist in the Firepass SSL VPN,

versions 6.0.0 - 6.1.0 and version 7.0.0, which was the most recent version at

the time of discovery.

 

Vendor contact timeline:

------------------------

2012-02-03: Contacting F5 security team via email

2012-02-03: Immediate reply

2012-02-06: Sent exploit description

2012-03-05: F5 status update

2012-03-14: F5 releases hotfix

2012-03-28: Public release of SEC Consult advisory

 

Solution:

---------

To patch a FirePass 6.1 system, first make sure that HotFix_610-7 is installed

and then install HF-377712-1. To patch a FirePass 7.0 system, first install

HotFix_70-5 and then install HF-377712-1. For detailed instructions on how to

obtain and apply the patch, refer to the vendor:

URL: support.f5.com/kb/en-us/solutions/public/13000/400/sol13463.html

 

Workaround:

-----------

No workaround available.

 

Advisory URL:

--------------

www.sec-consult.com/en/advisories.html

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

STT ::: avi, mei, s., ben! :::

EOF C. Schwarz / @2012