[12503] in bugtraq
Re: BigIP - bigconf.cgi holes
daemon@ATHENA.MIT.EDU (Rob Gilde)
Tue Nov 9 15:24:27 1999
Message-Id: <111627409F79D2119FB100A0C9EEDC3ED735F4@f5-exchange.win.net>
Date: Tue, 9 Nov 1999 11:30:55 -0800
Reply-To: Rob Gilde <r.gilde@F5.COM>
From: Rob Gilde <r.gilde@F5.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Guy Cohen wrote:
| The html interface basically operates one program, bigconf.cgi, which is
| installed suid root. I have not spent much time learning how to exploit this
| program, but from the bits I did, I was able to look at _any_ file
| on the system simply by giving its name to the cgi program (with appropriate
| parameters of course).
|
| The risk here is not from the outside, as the http server is protected
| by a password, but from internal users. Less risk, but still ...
Guy is discussing an issue that affects older versions of BIG/ip.
As he points out, the risk is from internal users. In older versions
of BIG/ip, there is effectively only one user and that user has root
privileges. That user could execute commands as root through a shell
escape in our web-based user interface.
As of Version 2.1, this is no longer possible. The current version
of BIG/ip is 2.1.2. The software update is available for free over
the net to all customers with support contracts.
In Version 2.1, in response to customer feedback, we removed the shell
escape capability and also changed to multiple user levels in the
web-based user interface.
BIG/ip is a default-deny device, both for administrative traffic to it,
and for traffic passing through it. The product uses SSH for command
line access and SSL for web access. We welcome any feedback on how we
can make the product more secure.
Thanks!
Rob Gilde
Product Development Manager
voice: 206-505-0857
email: rob@f5.com
F5 Networks, Inc.
200 First Avenue West, Suite 500
Seattle, WA 98119
http://www.f5.com
1-888-88BIGIP
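The issue quoted above is a privileged CGI program that opens whatever file name it is handed. The check below, added here as an illustration and not code from F5 or from BIG/ip, shows the defensive pattern for such a file parameter: canonicalize the requested path and refuse anything that does not stay inside one allow-listed directory. The directory and file names are constructed for the example; the helper names are assumptions.

```python
import os
import tempfile


def resolve_safe_path(base_dir, user_supplied):
    """Return the canonical path of user_supplied inside base_dir, or None.

    Absolute paths are refused outright, and the joined path is passed through
    realpath so that '..' segments and symlinks are resolved before the
    containment check. A symlink inside base_dir that points outside it is
    therefore rejected too.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_supplied):
        return None
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def read_allowed_file(base_dir, user_supplied):
    """Read a file only if its canonical path lies within base_dir.

    A CGI handler that runs with elevated privileges would call this instead
    of opening the raw parameter value.
    """
    path = resolve_safe_path(base_dir, user_supplied)
    if path is None:
        raise ValueError("file parameter outside allowed directory: %r" % user_supplied)
    with open(path, "r") as fh:
        return fh.read()


def demo():
    """Constructed scenario: a temp dir stands in for the allowed config dir."""
    base = tempfile.mkdtemp()
    # Constructed sample file; the contents are not a real BIG/ip configuration.
    with open(os.path.join(base, "bigip.conf"), "w") as fh:
        fh.write("pool web_pool { member 10.0.0.1:80 }\n")

    results = {"legit": read_allowed_file(base, "bigip.conf")}
    # Each of these tries to leave the allowed directory and must be refused.
    for bad in ("../../../../etc/passwd", "/etc/passwd", "sub/../../etc/passwd"):
        try:
            read_allowed_file(base, bad)
            results[bad] = "ALLOWED"
        except ValueError:
            results[bad] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-28s -> %s" % (name, outcome.strip()))
```

The containment test compares against `base + os.sep` rather than a bare prefix, so a sibling directory such as `/var/www/config2` is not mistaken for `/var/www/config`. Reducing the privilege the CGI runs with is the other half of the fix the reply above describes; path validation limits what a file parameter can reach even before that is done.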