This talk opens with two questions: have you heard of F5 load balancing? And did you ever write code in Tcl in your youth? The two questions relate because the language used for defining F5 iRules is a fork of Tcl 8.4.

Pain: The language has a few lesser-known flaws related to how it expands variables and options. The coming 10 minutes will be dedicated to explaining how value expansion works in Tcl 8.4 and iRules, and how this can be exploited. One demo will show how to exploit a remote F5 with basic input strings. The next will show how to gain permanent access to an F5 that uses session tables. The two demos are based on commonly used code fetched from F5 DevCentral. This attack leads to MITM, the ability to set and remove any HTTP header, interception and injection of user traffic for any session, and termination of HTTPS.

Remedy: Two demos will show how to automate detection of the vulnerability in your iRule code. A short example will show why this is not fully sufficient, because of lexical problems that are hard to detect with a (this) script. The next demo will show a unit-testing tool that can aid in testing all inputs from client and upstream.

Long-term consequence: This bug class will not be fixed by F5, which means that your organization or customer needs to stay on top of it. Armed with the tools and knowledge from this talk, your F5 instance can become injection free.
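The "Remedy" part of the abstract refers to scripted detection of the expansion flaw in iRule code. The following is an added example written for this page, not the speaker's tool: a small Python scanner that flags calls to Tcl commands which re-parse their argument after substitution (expr, eval, subst, if, elseif, while, catch) when the first argument is not brace-quoted. The iRule fragment it scans is constructed here for illustration and is not code from F5 DevCentral; the command list is a practical subset chosen for the example, not an exhaustive one.

```python
import re

# Tcl commands whose argument is parsed a second time after variable and
# command substitution has already been applied. When the argument is not
# wrapped in braces, substituted input is re-interpreted as Tcl syntax.
# Assumption: this subset is for illustration and is not exhaustive.
DOUBLE_SUBST_COMMANDS = ("expr", "eval", "subst", "elseif", "if", "while", "catch")

# Match one of the commands at a word boundary (not inside names like
# HTTP::uri) followed by whitespace and a first argument that does not
# start with '{'.
_PATTERN = re.compile(
    r"(?<![\w:.-])(" + "|".join(DOUBLE_SUBST_COMMANDS) + r")\s+([^\s{])"
)

# Constructed sample iRule mixing safe (braced) and unsafe (unbraced) forms.
SAMPLE_IRULE = """when HTTP_REQUEST {
    # Unsafe: the header value is substituted into the string first, then expr parses it
    set len [expr [HTTP::header Content-Length] + 1]
    # Safe: braces hand the unsubstituted text to expr, which substitutes exactly once
    set len [expr {[HTTP::header Content-Length] + 1}]
    if { [HTTP::uri] starts_with "/app" } {
        set path [HTTP::uri]
    }
    # Unsafe: unbraced condition is substituted, then re-parsed as an expression
    if $debug { log local0. "debug" }
    # Unsafe: a string built from request data is handed to eval
    eval "set q [HTTP::query]"
}"""


def find_unbraced_calls(source: str):
    """Return (line_number, command, stripped_line) for every call of a
    double-substitution command whose first argument is not brace-quoted."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        # Tcl comments begin with '#' at command position; skip whole-line comments
        # so that prose mentioning 'expr' or 'if' is not reported.
        if not stripped or stripped.startswith("#"):
            continue
        for match in _PATTERN.finditer(stripped):
            findings.append((lineno, match.group(1), stripped))
    return findings


if __name__ == "__main__":
    for lineno, command, text in find_unbraced_calls(SAMPLE_IRULE):
        print(f"line {lineno}: unbraced '{command}' argument: {text}")
```

Run against the sample, the scanner reports lines 3, 10 and 12 and accepts the braced forms on lines 5 and 6. As the abstract notes, a lexical pass like this is not sufficient on its own: commands assembled at runtime, multi-line commands, or keywords inside string literals will be missed or misreported, which is why the talk pairs it with input-driven unit testing.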
Presented at Security Fest 2019.

Speaker: Christoffer Jerkeby
Christoffer is a security researcher working as a consultant for F-Secure Sweden. He previously worked in telecom security research for many years and has become known for talks on travel card hacking at SEC-T in 2010. Christoffer is an organizer behind the Danish hacker camp Bornhack and one of the founders of the first Swedish hackerspace, Forskningsavdelningen in Malmö. Christoffer's research has ranged from writing the specification for the GlobalPlatform TEE Socket/TLS API and Bluetooth Mesh security to finding Qubes vulnerabilities, Wi-Fi vulnerability research, VPN de-anonymization and GSM fuzzing. Expect a roller-coaster of pain, aha and hackery from this one.