Command Injection in F5 iRules

Presented at Black Hat USA 2019, Aug. 8, 2019, 5 p.m. (60 minutes)

BigIP F5 products are used by large corporations and governments all around the world. Its performance and load sharing capabilities has made it a preferred choice as reverse proxy to route web traffic in complex high performance projects. The F5 product contains a subset of rules written in a language called iRules developed from the scripting language TCL. TCL language interpretation is defined in a set of rules called the dodekalogue. Common misinterpretations of the dodekalogue often leaves iRules exposed to security vulnerabilities. An attacker can inject iRule code in to a request and force the load balancer to execute remote code, sniff connections or scan internal networks. Organizations using F5 with iRules will be made aware of how to find and avoid writing vulnerable code along with a demonstration of the consequences of post exploitation of this vulnerability. An attacker that successfully exploits iRule injections can gain a foothold in the F5 device memory, break out of the TCL interpreter and cause severe damage without leaving a trace in logging facilities. The research includes code scanning and automatic exploitation tools to detect and eliminate the iRule injection vulnerability from a running F5 instance.


Presenters:

  • Christoffer Jerkeby - Senior Security Consultant, F-Secure
    Christoffer Jerkeby is a security researcher working as a consultant for F-Secure Sweden. He has previously worked in telecom security research for many years and has become known from talks on Travel card hacking at SEC-T Stockholm in 2010. Christoffer is an organizer behind the Danish hacker camp Bornhack and one of the founders behind the first Swedish hackerspace Forskningsavdelningen in Malmö. Christoffers research has ranged from writing the specification for GlobalPlatform TEE Socket/TLS API, Bluetooth Mesh security to finding Qubes vulnerabilities, Wi-Fi vulnerability research, VPN de-anonymization and GSM fuzzing.

Links: