Thursday, May 1, 2014

F5 BIG-IQ v4.1.0.2013.0 authenticated arbitrary user password change

F5 BIG-IQ is vulnerable to an input validation attack that allows an authenticated user to raise their privileges to those of another user. This lets an authenticated user with 0 roles take on the roles of, say, admin or root. The user could then change the password of any other user (without logging out). If SSH is enabled (which it is by default), the user could change the root user's password and log in over SSH. Module here.

We start off with our user with 0 roles, who is highlighted below. In this picture, 'someguy' is the username used to log in with, and 'woot' is his first name. We are currently logged in as a previously escalated user (the top right corner shows the username, another user who previously had 0 roles :P ).

After authenticating, a user with 0 roles is still able to change their password. Below is what a user is presented with after clicking the gear in the top right corner of the user box. The gear only appears after hovering over the user, and there should only be one. It *does not* ask for the current password.

Clicking the save button creates a request that looks like the picture below. The two key parts are the "name" and "generation" keys. Both generally need to be manipulated in order to change another user's password programmatically and successfully. "generation" is incremented on each password change.

Within the above request, by changing the "name" key to another user's username (such as root or admin), the user changing the password will magically have the impersonated user's privileges. However, your displayed username (what was someguy) will now be the one used in the request. So if you used 'root', your displayed username will now be root. You will still log in with 'someguy'. After gaining the permissions of the other user, you immediately see the other users you can edit. Notice that the username in the top right is 'someguy', but the one displayed under your 'woot' first name is 'root'. It will be visible to other users like this. You may now edit any of these users as you please. 'root' is the system root user.
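As an added example (not code from this post or from F5), the following Python models the pattern described above: a password-change handler that trusts the "name" key in the request body to decide which account is modified and whose roles apply, placed beside a hardened version that binds the target to the authenticated session, requires the current password for self-service changes, and only lets an admin role change other users. A small log check flags requests whose body "name" differs from the session user. The account store, the request fields other than "name" and "generation", and the log lines are all constructed for the example.

```python
"""Constructed model of the broken authorization pattern described in the
post, with a hardened handler and a log-based check. Nothing here is F5's
code; account names, extra request fields and log lines are made up."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    roles: set
    salt: bytes
    pw_hash: bytes
    generation: int = 0  # incremented on every password change, as in the post


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, roles: set) -> Account:
    salt = os.urandom(16)
    return Account(roles=roles, salt=salt, pw_hash=_hash(password, salt))


def make_store() -> dict:
    """Fresh constructed user store: a privileged root and a zero-role user."""
    return {
        "root": make_account("root-initial", {"admin", "root"}),
        "someguy": make_account("someguy-initial", set()),
    }


def vulnerable_change_password(users: dict, session_user: str, body: dict) -> str:
    """The flaw: the account to modify, and the roles the caller acts with,
    come from the body's "name" key instead of from the session."""
    target = users[body["name"]]
    if body["generation"] != target.generation:
        return "stale generation"
    target.pw_hash = _hash(body["password"], target.salt)
    target.generation += 1
    return f"ok, acting with roles {sorted(target.roles)}"


def hardened_change_password(users: dict, session_user: str, body: dict) -> str:
    """Authorization is decided from the session principal: a non-admin may
    only change their own password and must prove the current one."""
    actor = users[session_user]
    target_name = body["name"]
    if target_name != session_user and "admin" not in actor.roles:
        return "forbidden: cannot change another user's password"
    target = users[target_name]
    if target_name == session_user:
        supplied = body.get("current_password", "")
        if not hmac.compare_digest(_hash(supplied, target.salt), target.pw_hash):
            return "forbidden: current password required"
    if body["generation"] != target.generation:
        return "stale generation"
    target.pw_hash = _hash(body["password"], target.salt)
    target.generation += 1
    return "ok"


# Constructed access-log lines: session principal next to the body's "name".
SAMPLE_LOG = [
    "session=someguy name=someguy generation=0",
    "session=someguy name=root generation=3",
    "session=admin name=bob generation=1",
]


def flag_impersonation(log_lines) -> list:
    """Triage signal: password-change requests whose body name is not the
    session user. Admin-initiated changes also match and need review."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("name") and fields["name"] != fields.get("session"):
            hits.append((fields["session"], fields["name"]))
    return hits


if __name__ == "__main__":
    store = make_store()
    print(vulnerable_change_password(store, "someguy",
                                     {"name": "root", "generation": 0, "password": "x"}))
    print(hardened_change_password(store, "someguy",
                                   {"name": "root", "generation": 1, "password": "x"}))
    print(flag_impersonation(SAMPLE_LOG))
```

The vulnerable handler accepts a zero-role caller who sets "name" to root and reports root's roles back; the hardened one refuses the same request, and for a self-service change refuses until the current password is supplied. The log check is the kind of retroactive review a defender would run over password-change requests after patching.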

1 comment:

  1. Thanks Brandon for the vuln info. I have been sharing your link with many of the people who follow my blog. Hope you don't mind. Again, thanks for the informative info as always.