SEC Consult Vulnerability Lab Security Advisory < 20120328-0 >
=======================================================================
              title: Unauthenticated remote root through SQL injection
            product: F5 FirePass SSL VPN
 vulnerable version: 6.0.0 - 6.1.0, 7.0.0
      fixed version: 6.1.0 HF-377712-1 / 7.0.0 HF-377712-1
         CVE number: CVE-2012-1777
             impact: critical
           homepage: http://www.f5.com
              found: 2012-02-03
                 by: Christoph Schwarz / SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"The FirePass SSL VPN, available as an appliance and in a Virtual Edition,
provides security, flexibility, and ease of use. It grants access to
corporate applications using a technology that everyone understands: a web
browser. Users can have secure access from anywhere they have an Internet
connection, while FirePass ensures that connected computers are fully
patched and protected."

"FirePass provides robust, secure SSL VPN remote access to business
applications from a wide range of client devices, including Apple iPhone
and Windows Mobile devices. Using full-tunnel SSL technology and client
access policies defined by system administrators, remote clients can log on
to corporate business applications under pre-defined access permissions and
client directory control."

URL: http://www.f5.com/products/firepass/

Vulnerability overview/description:
-----------------------------------
Due to insufficient input validation within the software, an unauthenticated
attacker can escalate a critical SQL injection vulnerability to execute
arbitrary commands in the context of the administrative super user ("root").

The flaw exists in the my.activation.php3 script in the parameter "state".

Proof of concept:
-----------------
As the MySQL database runs as root with FILE privileges enabled, an attacker
can read/write arbitrary files on the target filesystem.
The following payload reads the first character of the /etc/passwd file
('r' for "root"); the BENCHMARK() call turns the boolean result into a
measurable delay, so the content can be extracted one character at a time
without any data being returned in the response:

  state=%2527+and+(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
  BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+

With MySQL's "into outfile" a simple PHP webshell can be deployed on the
vulnerable system.

Due to severe configuration issues in the underlying Linux system, an
attacker can elevate their privileges to "root", as /etc/sudoers does not
require a password. As a proof of concept, the password file /etc/shadow
could be accessed.

An exploit code exists but will not be made public.

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the FirePass SSL VPN,
versions 6.0.0 - 6.1.0 and version 7.0.0, which was the most recent version
at the time of discovery.

Vendor contact timeline:
------------------------
2012-02-03: Contacting F5 security team via email
2012-02-03: Immediate reply
2012-02-06: Sent exploit description
2012-03-05: F5 status update
2012-03-14: F5 releases hotfix
2012-03-28: Public release of SEC Consult advisory

Solution:
---------
To patch a FirePass 6.1 system, first make sure that HotFix_610-7 is
installed and then install HF-377712-1.

To patch a FirePass 7.0 system, first install HotFix_70-5 and then install
HF-377712-1.

For detailed instructions on how to obtain and apply the patch, refer to the
vendor:
URL: http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13463.html

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SGT ::: avi, mei, ben!

EOF C. Schwarz / @2012

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
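Added detection example, written for this page and not taken from the advisory, from SEC Consult or from F5: it scans web-server access-log lines for requests to my.activation.php3 whose "state" parameter, once stacked URL encoding (%2527 -> %27 -> ') is undone, contains a string breakout together with the MySQL file-access and timing primitives the proof of concept above relies on. The log format, the client addresses, the sample lines and the helper names are assumptions; the first sample line carries the payload quoted in the proof-of-concept section.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not from the advisory). The first carries the
# payload quoted in the advisory, double-URL-encoded exactly as shown there.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Mar/2012:10:00:01 +0000] "GET /my.activation.php3?state='
    '%2527+and+(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)'
    '+then+BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+'
    ' HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Mar/2012:10:00:05 +0000] "GET /my.activation.php3?state=a1b2c3 HTTP/1.1" 200 1024',
    # a keyword inside a harmless value: no quote/comment token, so it must not alert
    '203.0.113.9 - - [28/Mar/2012:10:00:09 +0000] "GET /my.activation.php3?state=benchmark-load_file HTTP/1.1" 200 1024',
]

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# MySQL primitives the advisory's exploitation path depends on: file read, timing side channel, file write
PRIMITIVES = re.compile(r'\b(?:load_file|benchmark|sleep)(?=\s*\()|\binto\s+(?:out|dump)file\b', re.I)
BREAKOUT = re.compile(r"'|--\s|/\*")  # breakout from the quoted string context or trailing comment

def fully_decode(value, max_rounds=3):
    """Undo stacked URL encoding (%2527 -> %27 -> ') until it stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line, script='/my.activation.php3', param='state'):
    """Return {'ip', 'indicators'} for a suspicious request, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if parts.path != script:
        return None
    indicators = []
    # parse_qs already undoes one encoding layer and turns '+' into spaces
    for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        decoded = fully_decode(raw)
        if BREAKOUT.search(decoded):
            indicators += [' '.join(h.group(0).split()).upper() for h in PRIMITIVES.finditer(decoded)]
    if not indicators:
        return None
    return {'ip': m.group('ip'), 'indicators': sorted(set(indicators))}

def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit]
```

Requiring a breakout token in addition to the function names keeps harmless values that merely contain "benchmark" or "load_file" from alerting, while the repeated decoding catches the double-encoded form used in the advisory.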