F5 FirePass SSL VPN 6.x / 7.x SQL Injection

F5 FirePass SSL VPN 6.x / 7.x SQL Injection
Posted Mar 29, 2012
Authored by Christoph Schwarz | Site sec-consult.com

F5 FirePass SSL VPN versions 6.0.0 through 6.1.0 and 7.0.0 suffer from an unauthenticated remote SQL injection vulnerability that allows for remote root access.

tags | exploit, remote, root, sql injection
advisories | CVE-2012-1777
SHA-256 | 17285d0e33742a99873151808caad6a558a6294c4e724dc671bd743f0057ab6d

SEC Consult Vulnerability Lab Security Advisory < 20120328-0 >
=======================================================================
title: Unauthenticated remote root through SQL injection
product: F5 FirePass SSL VPN
vulnerable version: 6.0.0 - 6.1.0, 7.0.0
fixed version: 6.1.0 HF-377712-1 / 7.0.0 HF-377712-1
CVE number: CVE-2012-1777
impact: critical
homepage: http://www.f5.com
found: 2012-02-03
by: Christoph Schwarz / SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"The FirePass SSL VPN, available as an appliance and in a Virtual
Edition, provides security, flexibility, and ease of use. It grants
access to corporate applications using a technology that everyone
understands: a web browser. Users can have secure access from anywhere
they have an Internet connection, while FirePass ensures that connected
computers are fully patched and protected."

"FirePass provides robust, secure SSL VPN remote access to business
applications from a wide range of client devices, including Apple
iPhone and Windows Mobile devices. Using full-tunnel SSL technology
and client access policies defined by system administrators, remote
clients can log on to corporate business applications under pre-defined
access permissions and client directory control."

URL: http://www.f5.com/products/firepass/


Vulnerability overview/description:
-----------------------------------
Due to insufficient input validation within the software, an
unauthenticated attacker can escalate a critical SQL injection
vulnerability to execute arbitrary commands in the context of the
administrative super user ("root"). The flaw exists in the
my.activation.php3 script in the parameter "state".


Proof of concept:
-----------------
As the MySQL database runs as root with FILE privileges enabled, an
attacker can read/write arbitrary files on the target filesystem.

The following payload reads the first character of the /etc/passwd file
('r' for "root"):

state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+

With MySQL's "INTO OUTFILE" a simple PHP webshell can be deployed on the
vulnerable system. Due to severe configuration issues in the
underlying Linux system, an attacker can then elevate privileges to
"root", as the /etc/sudoers file requires no password. As a proof of
concept, the password file /etc/shadow could be accessed.

An exploit code exists but will not be made public.
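The overview and proof of concept above describe a blind, time-based injection in the "state" parameter of my.activation.php3 whose payload is double URL-encoded (%2527 becomes %27 and then a single quote) and relies on MySQL's BENCHMARK() and LOAD_FILE(). The following detector is an added example, not part of the SEC Consult advisory or of the FirePass product: it scans web access logs in the common log format, peels off repeated percent-encoding, and flags requests to that script whose parameters carry those MySQL primitives. The log lines and client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the advisory): a benign
# activation request, a request carrying the double-encoded BENCHMARK/LOAD_FILE
# probe the advisory describes, and an unrelated request that is ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2012:10:01:02 +0100] "GET /my.activation.php3?state=abc123 HTTP/1.1" 200 512
203.0.113.9 - - [28/Mar/2012:10:01:05 +0100] "GET /my.activation.php3?state=%2527+and+(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+ HTTP/1.1" 200 512
203.0.113.9 - - [28/Mar/2012:10:02:00 +0100] "GET /vdesk/index.php3 HTTP/1.1" 200 128
"""

# Common log format: client, ident, user, timestamp, request line, status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# MySQL primitives used by the advisory's blind, file-reading injection,
# plus the generic quote-and-comment-out shape of the injected value.
SQLI_PATTERNS = [
    ("mysql_benchmark", re.compile(r"\bBENCHMARK\s*\(", re.I)),
    ("mysql_load_file", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("mysql_into_outfile", re.compile(r"\bINTO\s+(OUT|DUMP)FILE\b", re.I)),
    ("sql_quote_comment", re.compile(r"'.*--\s*$", re.S)),
]

def fully_decode(value, rounds=3):
    """Percent-decode until stable: %2527 -> %27 -> ' (double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text, script="my.activation.php3"):
    """Return one finding per request to `script` whose parameters match."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith(script):
            continue
        # parse_qs already does one decoding round and turns '+' into spaces.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:
                hits = [tag for tag, rx in SQLI_PATTERNS if rx.search(fully_decode(raw))]
                if hits:
                    findings.append({"src": src, "param": name, "indicators": hits})
    return findings
```

Because the probe is time-based, pairing these hits with unusually long response times for the same script gives a second, payload-independent signal.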


Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the FirePass SSL VPN,
versions 6.0.0 - 6.1.0 and version 7.0.0, which was the most recent
version at the time of discovery.


Vendor contact timeline:
------------------------
2012-02-03: Contacting F5 security team via email
2012-02-03: Immediate reply
2012-02-06: Sent exploit description
2012-03-05: F5 status update
2012-03-14: F5 releases hotfix
2012-03-28: Public release of SEC Consult advisory


Solution:
---------
To patch a FirePass 6.1 system, first make sure that HotFix_610-7 is
installed and then install HF-377712-1. To patch a FirePass 7.0 system,
first install HotFix_70-5 and then install HF-377712-1. For detailed
instructions on how to obtain and apply the patch, refer to the vendor:

URL:
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13463.html


Workaround:
-----------
No workaround available.


Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SGT ::: avi, mei, ben!
EOF C. Schwarz / @2012
