
SCG D BIGIP

From OWASP
Revision as of 11:28, 18 December 2014 by Dnkolegov (talk | contribs) (References)



Summary

The BIG-IP family of products from F5 provides the application delivery and security functions (load balancing, traffic management, access control, application firewalling) that network managers use to keep applications fast, secure and available. All BIG-IP products share a common underlying architecture, F5's Traffic Management Operating System (TMOS), which provides unified traffic intelligence, flexibility and programmability. Together, the BIG-IP hardware and virtual platforms, the add-on modules and the centralized management system form a comprehensive set of application delivery tools.

BIG-IP devices are modular: administrators add licensed modules as needed to adapt to changing application and business needs. The following modules are currently available for the BIG-IP system:

  • Application Acceleration Manager (AAM)
  • Advanced Firewall Manager (AFM)
  • Access Policy Manager (APM)
  • Application Security Manager (ASM)
  • Global Traffic Manager (GTM)
  • Link Controller (LC)
  • Local Traffic Manager (LTM)
  • Protocol Security Module (PSM)

Common Misconfigurations

BIG-IP persistence cookie information leakage

Description

An attacker can decode the BIG-IP persistence cookie and obtain sensitive information about the internal network: the IP addresses and ports of backend servers and, through the cookie name, the names of server pools.


To implement session persistence, the BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests for that host name until the cookie expires. By default the cookie is named BIGipServer<pool_name>, and it expires according to the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server [1] in the following format: BIGipServer<pool_name>=<encoded server IP>.<encoded server port>.0000. The encoding is trivial and reversible: the four octets of the IPv4 address are read as a little-endian 32-bit integer and written in decimal, and the 16-bit port is byte-swapped and written in decimal. Unless cookie encryption has been configured in the persistence profile, neither field is encrypted or signed.

After decoding [2] this value, an attacker obtains the internal IP address and port number of a backend server; since each new session is load-balanced independently, collecting cookies from several fresh sessions enumerates the members of the pool. In some cases an attacker can also retrieve sensitive information from the <pool_name> part of the cookie name. For example, if an administrator gives the pool a meaningful name (e.g. Sharepoint, 10.1.1.0, AD_prod), the attacker learns additional information about the application, its address space or the environment it runs in.

How to test

1. Find a cookie whose name begins with BIGipServer.
2. If the cookie value has the format described above, decode the <encoded server IP> and <encoded server port> parts.
3. Analyze the suffix of the BIGipServer cookie name (the pool name).
4. Repeat the request from fresh sessions (without sending the cookie back) to collect values for further pool members.

EXAMPLE 1

This example shows a GET request to BIG-IP with LTM module and response containing BIGipServer cookie.

GET https://x.x.x.x/ HTTP/1.1
Host: x.x.x.x

Result Expected:

HTTP/1.1 200 OK
Set-Cookie: BIGipServerOldOWA=110536896.20480.0000; path=/


Here the pool has the meaningful name OldOWA (suggesting an Outlook Web Access deployment), and the value decodes to the following destination server:

  • IP address: 110536896 = 0x0696A8C0; read as a little-endian integer the bytes are C0.A8.96.06, i.e. 192.168.150.6
  • Port: 20480 = 0x5000; byte-swapped this is 0x0050 = 80
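The test steps and the example above can be automated. The following decoder is an added example written for this page (it is not F5 code and not part of the original wiki page). It implements the default encoding the page describes for IPv4 pool members and, as a documented variant that the page does not show, the rd<N>o...o<port> form BIG-IP uses for IPv4 pool members in non-default route domains. The sample Set-Cookie headers are constructed; the AD_prod cookie is invented for illustration.

```python
"""Decoder for F5 BIG-IP persistence cookies (BIGipServer<pool_name>)."""
import re
import socket
import struct

COOKIE_PREFIX = "BIGipServer"

# Default format (the one described on the page):
#   <IPv4 as little-endian 32-bit decimal>.<port, byte-swapped, decimal>.0000
_IPV4_DOTTED = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# Variant for IPv4 pool members in a non-default route domain (not on the page):
#   rd<route domain>o00000000000000000000ffff<IPv4 as 8 hex digits>o<port decimal>
_IPV4_ROUTE_DOMAIN = re.compile(r"^rd(\d+)o0{20}ffff([0-9a-f]{8})o(\d{1,5})$", re.IGNORECASE)


def decode_value(value):
    """Return (ip, port, route_domain) for a cookie value, or None if not decodable."""
    m = _IPV4_DOTTED.match(value)
    if m:
        ip_int, port_raw = int(m.group(1)), int(m.group(2))
        if ip_int > 0xFFFFFFFF or port_raw > 0xFFFF:
            return None
        # The decimal is the four octets read as a little-endian integer, so
        # packing it little-endian restores network byte order.
        ip = socket.inet_ntoa(struct.pack("<I", ip_int))
        # The port is stored byte-swapped: 20480 (0x5000) is really 0x0050 = 80.
        port = struct.unpack("<H", struct.pack(">H", port_raw))[0]
        return ip, port, 0
    m = _IPV4_ROUTE_DOMAIN.match(value)
    if m:
        # Here the address is plain big-endian hex and the port is not swapped.
        ip = socket.inet_ntoa(bytes.fromhex(m.group(2)))
        return ip, int(m.group(3)), int(m.group(1))
    return None


def encode_value(ip, port):
    """Inverse of the default format; handy to confirm a decoding by round-trip."""
    ip_int = struct.unpack("<I", socket.inet_aton(ip))[0]
    port_raw = struct.unpack(">H", struct.pack("<H", port))[0]
    return "%d.%d.0000" % (ip_int, port_raw)


def find_bigip_cookies(set_cookie_headers):
    """Scan Set-Cookie header values and decode every BIGipServer cookie.

    Each hit carries the pool name (the cookie-name suffix, which may itself leak
    information) and the decoded backend, or None when the value is not in a
    format this decoder understands (for example an encrypted cookie)."""
    found = []
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0].strip()
        if "=" not in pair:
            continue
        name, value = pair.split("=", 1)
        if not name.startswith(COOKIE_PREFIX):
            continue
        found.append({
            "cookie": name,
            "pool": name[len(COOKIE_PREFIX):],
            "backend": decode_value(value.strip()),
        })
    return found


if __name__ == "__main__":
    # Constructed sample headers: the page's OldOWA example, an invented
    # route-domain cookie, and an unrelated cookie that must be ignored.
    sample = [
        "BIGipServerOldOWA=110536896.20480.0000; path=/",
        "BIGipServerAD_prod=rd5o00000000000000000000ffffc0a89606o389; path=/",
        "JSESSIONID=abc123; Path=/; HttpOnly",
    ]
    for hit in find_bigip_cookies(sample):
        print(hit)
```

Run it against the Set-Cookie headers of a few fresh sessions (no cookie jar) and the decoded backends list the pool members one by one; a value that the decoder returns None for usually means the profile already encrypts the cookie.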


Remediation

The leak is closed in the cookie persistence profile attached to the virtual server; the default profile neither encrypts the value nor hides the pool name.

First, encrypt the cookie value: set the profile's Cookie Encryption Use Policy to Required and configure an Encryption Passphrase. Once encrypted, the value is an opaque blob instead of the decimal-encoded address and port, and it can only be read back by the BIG-IP that holds the passphrase. On releases whose cookie persistence profile has no encryption setting, the same effect is obtained with an iRule that calls HTTP::cookie encrypt on the response and HTTP::cookie decrypt on the request.

Second, stop the name leak: set a custom, non-descriptive Cookie Name in the profile so that the pool name is no longer appended to BIGipServer, and avoid pool and virtual server names that reveal host names, address ranges or environment labels (Sharepoint, 10.1.1.0, AD_prod). Finally, verify the fix from the outside: the Set-Cookie header must no longer contain a value matching <decimal>.<decimal>.0000.
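The weak and the corrected configuration side by side, in bigip.conf format (what tmsh list prints). This is an added illustration, not configuration from the original page; the virtual server, profile and pool names, the destination address and the passphrase are placeholders.

```tmsh
# Before (weak): the virtual server uses the built-in "cookie" profile. The
# cookie is named BIGipServerOldOWA and its value is the decimal-encoded
# backend IP and port.
ltm virtual vs_owa {
    destination 203.0.113.10:443
    pool OldOWA
    persist { cookie { default yes } }
}

# After: a custom cookie profile that requires encryption and uses a neutral
# cookie name, so neither the backend address nor the pool name is exposed.
ltm persistence cookie owa_persist_enc {
    defaults-from cookie
    method insert
    cookie-name SRVID
    cookie-encryption required
    cookie-encryption-passphrase "replace-with-a-long-random-secret"
}
ltm virtual vs_owa {
    destination 203.0.113.10:443
    pool OldOWA
    persist { owa_persist_enc { default yes } }
}
```

The same result is reached interactively with tmsh create ltm persistence cookie owa_persist_enc { ... } followed by tmsh modify ltm virtual vs_owa persist replace-all-with { owa_persist_enc }, then tmsh save sys config. Use the same passphrase on every BIG-IP in a device group, otherwise a peer cannot decrypt the cookie after a failover and persistence breaks.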

Misconfiguration 2

...


References
