Message-Id: <9D3433BE-F992-4D19-9AEA-F179F9F8D93C@s21sec.com>
Date: Mon, 4 Jun 2007 11:22:48 +0200
From: S21sec Labs <labs@...sec.com>
To: bugtraq@...urityfocus.com
Subject: S21Sec-035: F5 FirePass command execution vulnerability

##############################################################

                      - S21Sec Advisory -

##############################################################

     Title:   F5 FirePass command execution vulnerability
        ID:   S21SEC-035-en
  Severity:   High - Intrusion
   History:   14.Feb.2007 Vulnerability discovered
              22.Feb.2007 Vendor contacted
     Scope:   Linux shell command execution
 Platforms:   Linux-based appliance
    Author:   Leonardo Nve (lnve@...sec.com)
       URL:   http://www.s21sec.com/avisos/s21sec-035-en.txt
   Release:   Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate
applications and data using a standard web browser.
Delivering outstanding performance, scalability, ease-of-use, and
end-point security, FirePass helps increase the productivity of those
working from home or on the road while keeping corporate data secure.

FirePass provides:

     * Automatic detection of security compliant systems, preventing
       infection.
     * Automatic integration with the largest number of virus scanning
       and personal firewall solutions in the industry (over 100
       different AV & Personal Firewall versions).
     * Automatic protection from infected file uploads or email
       attachments.
     * Automatic re-routing and quarantine of infected or non-compliant
       systems to a self remediation network - reducing help desk calls.
     * A secure workspace, preventing eavesdropping and theft of
       sensitive data.
     * Secure Login with a randomized key entry system, preventing
       keystroke logger snooping.
     * Full integration with the FirePass Visual Policy Editor. This
       enables the creation of custom template policies based on the
       endpoints accessing your network and your company's security
       profile.



[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.


[ DESCRIPTION ]

S21sec has discovered a vulnerability in an F5 FirePass SSL VPN script
that allows the injection of Linux shell commands under some
circumstances.
The attacker doesn't need to be logged in to the system in order to
trigger the exploit.
The affected script is:

- my.activation.php3

The variable is:

- username


[ WORKAROUND ]

F5 has published a security advisory at
https://tech.f5.com/home/solutions/sol167.html
Additionally, hotfix HF-75705-76003-1 has been issued for supported
versions of FirePass.
You may download this hotfix or later versions of the hotfix from the
F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <lnve@...sec.com> S21Sec

With thanks to:

- Alberto Moro <amoro@...sec.com> S21Sec


[ REFERENCES ]

* F5 Firepass
   http://www.f5.com/products/FirePass/



* S21Sec
   http://www.s21sec.com
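
[ ADDED EXAMPLE: LOG REVIEW ]

The following is an added example, not part of the S21Sec advisory or of F5's code: a log check that flags requests to my.activation.php3 whose username value contains shell metacharacters. It assumes the parameter is visible in the logged request line (query string) and that logs are in Apache combined format; the sample lines and the root URL path in them are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters a POSIX shell treats specially; a login name should contain none.
SHELL_META = set(";|&`$<>(){}\\\n\r'\"")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET_SCRIPT = "my.activation.php3"   # script named in the advisory
TARGET_PARAM = "username"              # variable named in the advisory


def suspicious_username(log_line):
    """Return the decoded username if it holds shell metacharacters, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/" + TARGET_SCRIPT):
        return None
    # parse_qsl percent-decodes, so encoded metacharacters are caught too.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == TARGET_PARAM and SHELL_META & set(value):
            return value
    return None


def scan(lines):
    """Yield (line_number, client_ip, decoded_value) for each flagged request."""
    for n, line in enumerate(lines, 1):
        value = suspicious_username(line)
        if value is not None:
            yield n, line.split(" ", 1)[0], value


# Constructed sample lines (documentation IP ranges, not from a real appliance).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2007:11:20:01 +0200] "GET /my.activation.php3?username=jsmith HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2007:11:21:13 +0200] "GET /my.activation.php3?username=a%3Bb HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2007:11:21:40 +0200] "GET /my.activation.php3?username=%60a%60 HTTP/1.1" 200 512',
    '192.0.2.10 - - [04/Jun/2007:11:22:05 +0200] "GET /index.php3?username=a%7Cb HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Requests that carry the parameter in a POST body do not appear in standard access logs, so a clean result from this check does not rule out earlier attempts.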
