Re: BigIP - bigconf.cgi holes

From: Rob Gilde (r.gildeat_private)
Date: Tue Nov 09 1999 - 11:30:55 PST

    Guy Cohen wrote:
    | The html interface basically operates one program, bigconf.cgi, which is
    | installed suid root. I have not spent much time learning how to exploit this
    | program, but from the bits I did, I was able to look at _any_ file
    | on the system simply by giving its name to the cgi program (with appropriate
    | parameters of course).
    |
    | The risk here is not from the outside, as the http server is protected
    | by a password, but from internal users. Less risk, but still ...
    
    Guy is discussing an issue that affects older versions of BIG/ip.
    As he points out, the risk is from internal users.  In older versions
    of BIG/ip, there is effectively only one user and that user has root
    privileges.  That user could execute commands as root through a shell
    escape in our web-based user interface.
    
    As of Version 2.1, this is no longer possible.  The current version
    of BIG/ip is 2.1.2.  The software update is available for free over
    the net to all customers with support contracts.
    
    In Version 2.1, in response to customer feedback, we removed the shell
    escape capability and also changed to multiple user levels in the
    web-based user interface.
    
    BIG/ip is a default-deny device, both for administrative traffic to it,
    and for traffic passing through it.  The product uses SSH for command
    line access and SSL for web access.  We welcome any feedback on how we
    can make the product more secure.
    
    Thanks!
    
    
    Rob Gilde
    Product Development Manager
    voice: 206-505-0857
    email: robat_private
    
    F5 Networks, Inc.
    200 First Avenue West, Suite 500
    Seattle, WA 98119
    http://www.f5.com
    1-888-88BIGIP
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:51 PDT