F5 FirePass 'state' Parameter SQL Injection Vulnerability

Bugtraq ID:	52653
Class:	Input Validation Error
CVE:	CVE-2012-1777
Remote:	Yes
Local:	No
Published:	Mar 14 2012 12:00AM
Updated:	Mar 28 2012 11:30PM
Credit:	C. Schwarz of SEC Consult Vulnerability Lab
Vulnerable:	F5 FirePass 6.0.3 F5 FirePass 6.0.2 F5 FirePass 6.0.1 F5 FirePass 7.0 F5 FirePass 6.1 F5 FirePass 6.0.2.3 F5 FirePass 6.0
Not Vulnerable:

F5 FirePass 'state' Parameter SQL Injection Vulnerability

FirePass is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following versions of FirePass are affected:
6.0
6.0.1
6.0.2
6.0.2.3
6.0.3
6.1
7.0

F5 FirePass 'state' Parameter SQL Injection Vulnerability

An attacker can exploit the issue using a browser.

The following example input is available:

state=%2527+and+
(case+when+SUBSTRING(LOAD_FILE(%2527/etc/passwd%2527),1,1)=char(114)+then+
BENCHMARK(40000000,ENCODE(%2527hello%2527,%2527batman%2527))+else+0+end)=0+--+

F5 FirePass 'state' Parameter SQL Injection Vulnerability

Solution:
Updates are available; please see the references for details.

F5 FirePass 'state' Parameter SQL Injection Vulnerability

References:

• Firepass Homepage (F5)
  
• Unauthenticated remote root through SQL injection (SEC Consult Vulnerability Lab)
  
• sol13463: FirePass SQL injection vulnerability (F5)