The F5’s BIG-IP platform has a Remote Code Execution (RCE) vulnerability: CVE-2022-1388. This is interesting because a Proof of Concept (PoC) was quickly reverse engineered from the patch and published on Twitter, among other places.
Exclude CVE-2022-1388 PoC pic.twitter.com/MmyvQGL6eO
– 416e6e61 (AnnaViolet20) May 9, 2022
HORIZON3.ai Researcher [James Horseman] One commentator wrote that the problem is beautifully illustrated. User authentication is handled by multiple levels, one is the Plugable Authentication Module (PAM) module and the other is internally in Java class. In practice this means if the PAM module sees one
X-F5-Auth-Token, It passes the request in Java code, which then verifies the token to be authentic. If a request comes to the Java service without this title, and instead
X-Forwarded-Host The title is set to local host, the request is accepted without authentication. The F5 authentication scheme is not straightforward, and is a request without it
X-F5-Auth-Token The header is checked by PAM, and is omitted if authentication is not checked out.
So where is the wiggle room that allows for a bypass? Still another HTTP header,
Connection Header It usually comes in only two varieties,
Connection: close And
Connection: keep-alive. Indeed, this title is an indication of the connection between the client and the end proxy, and the content of the connection header is a list of other headings that will be deleted by a proxy. This is basically a list of headers that only apply to connections via the Internet.
Now, this usage is a little vague. Different proxies support this, but apparently not everyone is familiar with this behavior, because the F5 reverse proxy actually respects
Connection Header, and snatch out
X-F5-Auth-Token. After processing the PAM module request, of course. The last puzzle is the piece
Host Header, which is used to create proxies
So PAM Auth sees the headline and passes the request to the Java service without checking the approval. Seeing the opposite proxy
Connection Title, and strip it and Auth head out. It will then rewrite the host title
X-Forwarded-Host. And finally, the back-end accepts the request without an Auth title, according to the local host
X-Forwarded-Host, So it takes it without authentication. Set three custom HTTP headers, and you can avoid authentication. Ouch!
Active Directory Certified
Ah, active directory. At this time, it is AD’s support for authentication through public key certificates. AD can transfer certificates to users and machines in the domain. The difference between the two is that users have a username (UPN) and machines have one
dNSHostName The name UPN requires a strict individuality, however
dNSHostName Oddly enough there is no such need. So you can set up a machine account to have the same
dNSHostName As a domain controller, and what happens?
After a few tweaks to the account, yes, you can actually change the name of a machine account to match the domain controller. Request a PKI certificate for this renamed account, and all of a sudden you get a gold ticket – the rest of the domain thinks you are the moderator. This was fixed in the May 2022 update.
Are you running Aruba or Avaya hardware? While checking for firmware updates, since Armis has just released the TLStorm 2 release. This is similar to the previous problem found in APC battery backup. Again, the NanoSSL library device is embedded in the firmware and contains errors in both library and integration. In both brands, errors allow pre-proof RCE, but fortunately these interfaces do not usually come in contact with the open Internet.
Researchers at Acetenot have looked at the CloudFlare pages, a continuous deployment platform where CloudFlare users drag code from the Github / Gitlab repository, run code on the CloudFlare infrastructure and then host results by running arbitrary build commands.
Fortunately, Pages allows us to specify arbitrary build commands to run builds. So naturally, our website is going to create a reverse shell.
That reverse shell worked, the researchers stepped on the door. They describe the process as much like the Capture the Flag (CTF) competition. The ability to run arbitrary commands as a route within the Build Environment was to capture their first flag. Build script performs an execution
mv Command with build path as its argument. It’s simple, the inclusion of a semicolon makes it easy to execute a command:
The only problem is that before running the build, the path is checked to make sure the directory exists. Not really a problem, because the command is a valid directory name:
mkdir -p ‘f;env>/tmp/bar.txt;echo’ It dropped environment variables from the build and had a GitHub private key in the data. This key was used for all builds, meaning it gave access to all 18290 user archives from other CloudFlare Page users. There are more “flags” in the text, check it out for the rest of the story.
Cloudflare has responded admirably to bug reports, finding evidence in their logs of evidence of exploitation of all reported vulnerabilities. Once they have a strong Compromise Index (IoC) for each of their exploits, they scrub their logs for any signs of actual malicious exploitation. For all these bugs, only hits were associated with the study. The last bug was discovered, in an open Kubernetes API port, not having an accessible IoC, so Cloudflare sent a notification to customers that could reveal the problem. Well done!
Bits and bytes
Ransomware claims to be a fancy victim, Lincoln College, Illinois. Just as the school was returning after the epidemic, their systems were hit by a ransomware attack in December 2021. All the necessary systems were out of commission for about three months and once restored, it became clear that the school was no longer financially viable. Ransomware kills a college. Let that sink.
Finally Microsoft’s browser has been incorrectly classified as malware. Multiple Trend Microsoft customers have reported that a Microsoft Edge file,
msedge_200_percent.pak Was flagged as malware. The bug has been fixed, and Trend Micro has released a script to help clear potential damage from false positives.
Cisco’s NFVIS Virtualization Platform contains a collection of serious issues that have just been announced and patched. The worst of which is a VM escape, which allows an attacker to gain root access to the hypervisor. There is also a pair of injection weaknesses, quite serious. If NFVIS is part of your infrastructure, go ahead and update!