S21Sec-035: F5 FirePass command execution vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: S21Sec-035: F5 FirePass command execution vulnerability
From: S21sec Labs <labs@xxxxxxxxxx>
Date: Mon, 4 Jun 2007 11:22:48 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

##############################################################

                     - S21Sec Advisory -

##############################################################

    Title:   F5 FirePass command execution vulnerability
       ID:   S21SEC-035-en
Severity:   High - Intrusion
  History:   14.Feb.2007 Vulnerability discovered
             22.Feb.2007 Vendor contacted
    Scope:   Linux's shell Command Execution
Platforms:   Linux based Appliance      
   Author:   Leonardo Nve (lnve@xxxxxxxxxx)
      URL:   http://www.s21sec.com/avisos/s21sec-035-en.txt
  Release:   Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporateapplications and data using a standard web browser.Delivering outstanding performance, scalability, ease-of-use, and end-point security, FirePass helps increase the productivityof those working from home or on the road while keeping corporatedata secure.


FirePass provides:

* Automatic detection of security compliant systems, preventinginfection.* Automatic integration with the largest number of virusscanning and personal firewall solutions in the industry

          (over 100 different AV & Personal Firewall versions).

* Automatic protection from infected file uploads or emailattachments.* Automatic re-routing and quarantine of infected or non-compliant systems to a self remediation network - reducing

          help desk calls.

* A secure workspace, preventing eavesdropping and theft ofsensitive data.* Secure Login with a randomized key entry system, preventingkeystroke logger snooping.* Full integration with the FirePass Visual Policy Editor. Thisenables the creation of customtemplate policies based on the endpoints accessing your networkand your company's security profile.




[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.


[ DESCRIPTION ]

S21sec has discovered a vulnerability in a F5 FirePass SSL VPNscript that allows the injection of Linux's shell command under somecircunstances.The attacker doesn`t need to be logged in the system in order totrigger the exploit


The affected script is:

- my.activation.php3

The variable is:

- username


[ WORKAROUND ]

F5 has published a security advisory at https://tech.f5.com/home/solutions/sol167.htmlAdditionally, hotfix HF-75705-76003-1 has been issued for supportedversions of FirePass.You may download this hotfix or later versions of the hotfix from theF5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).


[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <lnve@xxxxxxxxxx> S21Sec

With thanks to:

- Alberto Moro <amoro@xxxxxxxxxx> S21Sec


[ REFERENCES ]

* F5 Firepass
  http://www.f5.com/products/FirePass/



* S21Sec
  http://www.s21sec.com

Prev by Date: CACTUSHOP 6 Default Installation Allows Remote Database Disclosure
Next by Date: Assorted browser vulnerabilities
Previous by thread: CACTUSHOP 6 Default Installation Allows Remote Database Disclosure
Next by thread: Assorted browser vulnerabilities
Index(es):
- Date
- Thread