Hello,

For those of you who don't know what BigIP is, it is software developed by F5 labs to handle incoming traffic and redirect it to a server within a group of servers. It is installed on BSDI systems (maybe others too). Once it has been installed you can configure it either by using a command line or by using the html interface (an http server comes with the software).

The html interface basically operates one program, bigconf.cgi, which is installed suid root. I have not spent much time learning how to exploit this program, but from the bits I did, I was able to look at _any_ file on the system simply by giving its name to the cgi program (with appropriate parameters of course).

The risk here is not from the outside, as the http server is protected by a password, but from internal users. Less risk, but still ...

F5 has been notified.

-- Guy Cohen.
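The post describes the classic failure of a privileged CGI that opens whatever filename the client supplies. The following is an added example, not code from the post or from F5: it shows the path-confinement check such a CGI should apply before opening anything, and a small detector that runs the same check over web-server access-log lines to spot requests whose file argument would escape the allowed directory. The allowed root `/var/bigip/config`, the query parameter name `file`, the CGI URL `/cgi-bin/bigconf.cgi` and the log lines are all constructed assumptions; the post does not name the real parameter or file locations.

```python
import os
import re
from urllib.parse import urlparse, parse_qs

# Assumption (constructed): the CGI is only meant to read files under this directory.
ALLOWED_ROOT = "/var/bigip/config"

# Assumption (constructed): the CGI takes the filename in a query parameter named "file".
FILE_PARAM = "file"


def resolve_under_root(requested, root=ALLOWED_ROOT):
    """Canonicalise a client-supplied filename and return the absolute path only
    if it stays inside `root`. Returns None for anything that escapes: absolute
    paths, '..' components, symlinks that resolve outside, embedded NUL bytes."""
    if not requested or "\x00" in requested:
        return None
    if os.path.isabs(requested):
        return None
    root_real = os.path.realpath(root)
    # realpath collapses '..' and follows existing symlinks, so the comparison
    # below is made on the path that open() would actually touch.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def read_config_file(requested, root=ALLOWED_ROOT):
    """Hardened replacement for 'open whatever name the client gave us'."""
    path = resolve_under_root(requested, root)
    if path is None:
        raise PermissionError(f"refusing to read outside {root}: {requested!r}")
    with open(path, "rb") as fh:
        return fh.read()


# Constructed sample access-log lines in common log format; not real BIG-IP logs.
SAMPLE_LOG = """\
10.0.0.5 - admin [13/Apr/2001:14:02:11 -0700] "GET /cgi-bin/bigconf.cgi?file=hosts.cfg HTTP/1.0" 200 512
10.0.0.9 - admin [13/Apr/2001:14:03:40 -0700] "GET /cgi-bin/bigconf.cgi?file=../../../../etc/passwd HTTP/1.0" 200 1204
10.0.0.9 - admin [13/Apr/2001:14:04:02 -0700] "GET /cgi-bin/bigconf.cgi?file=%2Fetc%2Fmaster.passwd HTTP/1.0" 200 980
10.0.0.5 - admin [13/Apr/2001:14:05:19 -0700] "GET /index.html HTTP/1.0" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_traversal_requests(log_text, cgi_name="bigconf.cgi", param=FILE_PARAM):
    """Return (client_ip, user, requested_name) for every request to the CGI
    whose file argument fails the confinement check. Because the http
    interface sits behind a password, the user field tells you which
    internal account issued the request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith(cgi_name):
            continue
        # parse_qs percent-decodes values, so encoded '/' and '.' are seen as-is.
        for name in parse_qs(url.query).get(param, []):
            if resolve_under_root(name) is None:
                hits.append((m.group("ip"), m.group("user"), name))
    return hits


if __name__ == "__main__":
    for ip, user, name in flag_traversal_requests(SAMPLE_LOG):
        print(f"{ip} ({user}) requested a file outside {ALLOWED_ROOT}: {name!r}")
```

The confinement check compares canonical paths rather than scanning for `..` substrings, so encoded or symlink-based variants are caught by the same rule that the detector applies to the logs. Running the module directly prints the two flagged requests from the constructed sample.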
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:26 PDT