F5 FirePass SSL VPN 6.x / 7.x SQL Injection

Published: 29 Mar 2012. Reported by: Christoph Schwarz. Type: packetstorm (source: packetstormsecurity.com).

F5 FirePass SSL VPN SQL Injection vulnerability patch availabl

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| CVE | CVE-2012-1777 | 4 Apr 2012 10:00 | cve |
| Cvelist | CVE-2012-1777 | 4 Apr 2012 10:00 | cvelist |
| Cvelist | CVE-2012-2053 | 4 Apr 2012 10:00 | cvelist |
| EUVD | EUVD-2012-1787 | 7 Oct 2025 00:30 | euvd |
| F5 Networks | K13463: FirePass SQL injection vulnerability CVE-2012-1777 | 21 Feb 2023 19:45 | f5 |
| F5 Networks | SOL13463 - FirePass SQL injection vulnerability - CVE-2012-1777 | 14 Mar 2012 00:00 | f5 |
| NVD | CVE-2012-1777 | 5 Apr 2012 14:55 | nvd |
| OpenVAS | F5 FirePass SQL injection vulnerability CVE-2012-1777 | 17 Apr 2015 00:00 | openvas |
| Prion | Sql injection | 5 Apr 2012 14:55 | prion |
| Prion | Design/Logic Flaw | 5 Apr 2012 14:55 | prion |
SEC Consult Vulnerability Lab Security Advisory < 20120328-0 >  
=======================================================================  
title: Unauthenticated remote root through SQL injection  
product: F5 FirePass SSL VPN  
vulnerable version: 6.0.0 - 6.1.0, 7.0.0  
fixed version: 6.1.0 HF-377712-1 / 7.0.0 HF-377712-1  
CVE number: CVE-2012-1777  
impact: critical  
homepage: http://www.f5.com  
found: 2012-02-03  
by: Christoph Schwarz / SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
-----------------------------  
"The FirePass SSL VPN—available as an appliance and in a Virtual  
Edition—provides security, flexibility, and ease of use. It grants  
access to corporate applications using a technology that everyone  
understands: a web browser. Users can have secure access from anywhere  
they have an Internet connection, while FirePass ensures that connected  
computers are fully patched and protected."  
  
"FirePass provides robust, secure SSL VPN remote access to business  
applications from a wide range of client devices, including Apple  
iPhone and Windows Mobile devices. Using full-tunnel SSL technology  
and client access policies defined by system administrators, remote  
clients can log on to corporate business applications under pre-defined  
access permissions and client directory control."  
  
URL: http://www.f5.com/products/firepass/  
  
  
Vulnerability overview/description:  
-----------------------------------  
Due to insufficient input validation within the software, an  
unauthenticated attacker can escalate a critical SQL injection  
vulnerability to execute arbitrary commands in the context of the  
administrative super user ("root"). The flaw exists in the  
my.activation.php3 script in the parameter "state".  
  
  
Proof of concept:  
-----------------  
As the MySQL database runs as root with FILE privileges enabled, an  
attacker can read/write arbitrary files on the target filesystem.  
  
The following payload reads the first character of the /etc/passwd file  
('r' for "root"):  
  
state=%2527+and+  
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+  
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+  
  
With MySQL's "into outfile" a simple PHP webshell can be deployed on the  
vulnerable system. Due to severe configuration issues in the  
underlying Linux system an attacker can elevate his rights to "root" as  
no password is set in the /etc/sudoers file. As a proof of concept the  
password file /etc/shadow could be accessed.   
  
An exploit code exists but will not be made public.  
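Requests of the kind shown above leave a clear trace in web-server access logs. As an added example (not part of the advisory, and with constructed log lines rather than real traffic), the following Python scans Apache-style log lines for requests to my.activation.php3 whose "state" parameter, after repeated percent-decoding (the advisory's payload is double-encoded: %2527 decodes to %27 and then to a single quote), contains MySQL constructs that an activation token never needs:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log (not taken from any real system). Only the
# third line carries the double-encoded quote and MySQL functions named in
# the advisory; the first is a benign activation request.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2012:10:01:02 +0000] "GET /my.activation.php3?state=abc123 HTTP/1.1" 200 512
203.0.113.5 - - [28/Mar/2012:10:01:09 +0000] "GET /my.logon.php3 HTTP/1.1" 200 4096
198.51.100.7 - - [28/Mar/2012:10:02:44 +0000] "GET /my.activation.php3?state=%2527+and+(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+ HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Constructs that have no business inside an activation token: a quote,
# the file-read / file-write / timing functions from the advisory, and a
# SQL comment marker used to discard the rest of the query.
SUSPICIOUS = re.compile(
    r"'|\bLOAD_FILE\s*\(|\bBENCHMARK\s*\(|\bINTO\s+OUTFILE\b|--", re.IGNORECASE
)

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable (%2527 -> %27 -> '), capped to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a suspicious my.activation.php3 request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/my.activation.php3"):
        return None
    # parse_qs already decodes one layer; fully_decode peels the remaining ones.
    for once in parse_qs(parts.query, keep_blank_values=True).get("state", []):
        decoded = fully_decode(once)
        hit = SUSPICIOUS.search(decoded)
        if hit:
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "token": hit.group(0), "state": decoded}
    return None

def scan(log_text):
    """Run inspect_line over every line and collect the findings."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` reports only the third line, with the decoded parameter showing the quote and the LOAD_FILE/BENCHMARK calls that single-pass decoding would leave hidden behind %2527.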
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerability has been verified to exist in the FirePass SSL VPN,  
versions 6.0.0 - 6.1.0 and version 7.0.0, which was the most recent  
version at the time of discovery.  
  
  
Vendor contact timeline:  
------------------------  
2012-02-03: Contacting F5 security team via email  
2012-02-03: Immediate reply  
2012-02-06: Sent exploit description  
2012-03-05: F5 status update  
2012-03-14: F5 releases hotfix  
2012-03-28: Public release of SEC Consult advisory  
  
  
Solution:  
---------  
To patch a FirePass 6.1 system, first make sure that HotFix_610-7 is  
installed and then install HF-377712-1. To patch a FirePass 7.0 system,  
first install HotFix_70-5 and then install HF-377712-1. For detailed  
instructions on how to obtain and apply the patch, refer to the vendor:  
  
URL:  
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13463.html  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
--------------  
https://www.sec-consult.com/en/advisories.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
SGT ::: avi, mei, ben!  
EOF C. Schwarz / @2012  
  


Published 29 Mar 2012 (current). Vulners AI Score: 0.7 (low risk). EPSS: 0.01234.