Aerosol Posted May 6, 2015 Report Share Posted May 6, 2015 Details=======Product: F5 BIG-IP Application Security Manager (ASM)Vulnerability: Web Application Firewall BypassAuthor: Peter Lapp, lappsec () gmail comCVE: None assignedVulnerable Versions: Confirmed 11.4.0, 11.4.1. Should apply to all releases.Fixed Version: NoneSummary=======The F5 ASM is a web application firewall designed to protect webapplications from attacks. Due to the way that the system processesJSON content, it's possible to bypass the ASM using a crafted requestto a URL that processes both JSON and regular URL encoded requests.The vendor has acknowledged that this is an issue and has indicatedthat a fix will be released sometime in the future, but doesn't have atime frame and it's not a priority. I decided to release the detailsso anyone with a vulnerable configuration is aware of the risk and canact accordingly.Technical Details=================The problem is that the ASM's JSON parser does not normalize URLencoded content. So it will block <script>, but not %3cscript%3e. Thisis fine unless you have a JSON profile applied to a URL that alsoprocesses normal x-www-form-urlencoded POST requests. In this case,it's possible to trick the ASM into thinking the request is JSON, URLencode your payload, and slip it through to the application.Granted, this bypass is limited to a specific configuration, but it'sreally not that uncommon to have a JSON profile applied to a URL thatalso processes other data. Possible scenarios include a generic JSONcatchall, one automatically created by the policy builder, or you mayhave a web application that uses parameter based navigation (page=jsongoes to one page, page=search goes to another). In any case, if youhave a JSON profile applied to a URL that also handles POST requestswith x-www-form-urlencoded content, you're vulnerable.First, in order to bypass the ASM, you have to trick it into thinkingthe request content is JSON. In F5's documentation(https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/14.html),they recommend matching *json* in the Content-Type header. This iseasily tricked by setting the header to "Content-Type:application/x-www-form-urlencoded; charset=UTF-8;json".I then tested setting it to only match on application/json, but thatwas still tricked by dual content-type headers:Content-Type: application/x-www-form-urlencoded; charset=UTF-8Content-Type: application/jsonThe application (running on Tomcat) processed the request asurlencoded, but the ASM processed it as JSON.>From here, passing through a malicious payload depends on theviolations that are enabled on the security profile. If Malformed JSONis NOT enabled, you can just tag "json" onto the end of the contentheader(or double the header), URL encode special characters in yourpayload and send it away. In this case, a request like the followingwould not be blocked:POST / HTTP/1.1Host: x.x.x.xConnection: keep-aliveContent-Length: 168Content-Type: application/x-www-form-urlencoded; charset=UTF-8;jsonsearch=%3cimg+src%3dx+onerror%3alert%280%29%3eIf Malformed JSON violations are enabled, then the payload has to bevalid JSON. A request like the one below will get past that. It's notpretty but it works. This request will get past the ASM with all thebells and whistles enabled.POST / HTTP/1.1Host: x.x.x.xConnection: keep-aliveContent-Length: 168Content-Type: application/x-www-form-urlencoded; charset=UTF-8;json{"junkparam=&search=%3cimg+src%3dx+onerror%3dalert%280%29%3e&junkparam2=":"junk"}The ASM parses that as JSON and it is well formed so there aren't anyerrors. But the application is processing it as x-www-form-urlencodedso {"junkparam is just treated as a regular parameter name and thesecond parameter with the payload in it gets through. The lastparameter is there just to close out the JSON format.Also, because JSON profiles don't check for meta characters inparameter names, it doesn't trigger an Illegal meta character inparameter name violation. If the payload looked like this{"param":"junkparam=&locationFilter=%3cimg+src%3dx+onerror%3dalert%280%29%3e&junkparam2="}then it would still get through but only if the illegal meta characterin value violation was not set to block.Right now there is no fix for this issue and I haven't been able tofind a way to block a request like the one above from getting through.I consulted F5's engineers and they said this was by design andthere's no way to block it as of now. There will be a fix for this inthe future, but until then make sure that your ASM profiles are asexplicit as possible and you have compensating security controls forany URLs that this bypass would apply to. It's just another reason notto use a WAF as a band-aid for a vulnerable application!Feel free to contact me if you have any questions or additionalinformation to add to this.Timeline========1/19/2015 - Reported the issue to the vendor2/26/2015 - The vendor confirms that it's a valid problem but are notgoing to release a fix in the near term.3/13/2015 - Vendor product development creates ID 511951 to track theproblem and consider adding a fix in a future major release.5/5/2015 - Released info to FD.Source Quote Link to comment Share on other sites More sharing options...
