S21Sec-035: F5 FirePass command execution vulnerability

From: S21sec Labs (labss21sec.com)
Date: Mon Jun 04 2007 - 04:22:48 CDT


##############################################################

                      - S21Sec Advisory -

##############################################################

     Title: F5 FirePass command execution vulnerability
        ID: S21SEC-035-en
  Severity: High - Intrusion
   History: 14.Feb.2007 Vulnerability discovered
            22.Feb.2007 Vendor contacted
     Scope: Linux's shell Command Execution
 Platforms: Linux based Appliance
    Author: Leonardo Nve (lnves21sec.com)
       URL: http://www.s21sec.com/avisos/s21sec-035-en.txt
   Release: Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate
applications and data using a standard web browser. Delivering
outstanding performance, scalability, ease-of-use, and end-point
security, FirePass helps increase the productivity of those working
from home or on the road while keeping corporate data secure.

FirePass provides:

     * Automatic detection of security compliant systems, preventing
       infection.
     * Automatic integration with the largest number of virus scanning
       and personal firewall solutions in the industry (over 100
       different AV & Personal Firewall versions).
     * Automatic protection from infected file uploads or email
       attachments.
     * Automatic re-routing and quarantine of infected or non-compliant
       systems to a self remediation network - reducing help desk
       calls.
     * A secure workspace, preventing eavesdropping and theft of
       sensitive data.
     * Secure Login with a randomized key entry system, preventing
       keystroke logger snooping.
     * Full integration with the FirePass Visual Policy Editor. This
       enables the creation of custom template policies based on the
       endpoints accessing your network and your company's security
       profile.

[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.

[ DESCRIPTION ]

S21sec has discovered a vulnerability in an F5 FirePass SSL VPN
script that allows the injection of Linux shell commands under some
circumstances.
The attacker does not need to be logged in to the system in order to
trigger the exploit.

The affected script is:

- my.activation.php3

The variable is:

- username

[ WORKAROUND ]

F5 has published a security advisory at
https://tech.f5.com/home/solutions/sol167.html
Additionally, hotfix HF-75705-76003-1 has been issued for supported
versions of FirePass.
You may download this hotfix or later versions of the hotfix from the
F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).
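
A defender-side check for the script and variable named in [ DESCRIPTION ], added here as an example and not part of the S21sec advisory or F5's code: it scans web access-log lines for requests to my.activation.php3 whose username value falls outside a conservative allow-list. The Apache-style log format, the allow-list, the sample lines and the premise that the parameter shows up in the logged query string are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache-style access log; the appliance's real log format
# is not given in the advisory.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumed allow-list for a login name; adjust to the local naming policy.
SAFE_USERNAME = re.compile(r'[A-Za-z0-9._@\\-]{1,64}')
SCRIPT = "my.activation.php3"   # affected script named in the advisory
PARAM = "username"              # affected variable named in the advisory


def suspicious_requests(lines):
    """Return (client_ip, decoded_username) for every request to the
    affected script whose username value is outside the allow-list."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if url.path.rsplit("/", 1)[-1] != SCRIPT:
            continue  # some other resource
        # parse_qs percent-decodes values; blank values are kept so an
        # empty username is also reported.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not SAFE_USERNAME.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample lines (not taken from a real appliance).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2007:09:01:12 +0200] "GET /my.activation.php3?username=jsmith HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jun/2007:09:03:40 +0200] "GET /my.activation.php3?username=jsmith%3Bid HTTP/1.1" 200 498',
    '198.51.100.7 - - [04/Jun/2007:09:03:41 +0200] "GET /other.php?username=a%3Bb HTTP/1.1" 200 731',
    '203.0.113.5 - - [04/Jun/2007:09:05:02 +0200] "GET /my.activation.php3?username=corp%5Cjsmith HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: unexpected {PARAM} value {value!r}")
```

Access logs normally omit POST bodies, so an empty result does not show that the appliance was never targeted; the hotfix remains the remediation.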

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <lnves21sec.com> S21Sec

With thanks to:

- Alberto Moro <amoros21sec.com> S21Sec

[ REFERENCES ]

* F5 Firepass
   http://www.f5.com/products/FirePass/

* S21Sec
   http://www.s21sec.com