##############################################################

                      - S21Sec Advisory -

##############################################################

     Title:   F5 FirePass command execution vulnerability
        ID:   S21SEC-035-en
Severity:   High - Intrusion
   History:   14.Feb.2007 Vulnerability discovered
              22.Feb.2007 Vendor contacted
     Scope:   Linux's shell Command Execution
Platforms:   Linux based Appliance	
    Author:   Leonardo Nve (lnve@s21sec.com)
       URL:   http://www.s21sec.com/avisos/s21sec-035-en.txt
   Release:   Public

[ SUMMARY ]

F5's FirePass SSL VPN appliance provides secure access to corporate  
applications and data using a standard web browser.
Delivering outstanding performance, scalability, ease-of-use, and end- 
point security, FirePass helps increase the productivity
of those working from home or on the road while keeping corporate  
data secure.

FirePass provides:

     * Automatic detection of security compliant systems, preventing  
infection.
     * Automatic integration with the largest number of virus  
scanning and personal firewall solutions in the industry
	  (over 100 different AV & Personal Firewall versions).
     * Automatic protection from infected file uploads or email  
attachments.
     * Automatic re-routing and quarantine of infected or non- 
compliant systems to a self remediation network - reducing
	  help desk calls.
     * A secure workspace, preventing eavesdropping and theft of  
sensitive data.
     * Secure Login with a randomized key entry system, preventing  
keystroke logger snooping.
     * Full integration with the FirePass Visual Policy Editor. This  
enables the creation of custom
	  template policies based on the endpoints accessing your network  
and your company's security profile.



[ AFFECTED VERSIONS ]

This vulnerability has been tested in F5 FirePass 4100.


[ DESCRIPTION ]

S21sec has discovered a vulnerability in a F5 FirePass SSL VPN   
script that allows the injection of Linux's shell command under some  
circunstances.
The attacker doesn`t need to be logged in the system in order to  
trigger the exploit

The affected script is:

- my.activation.php3

The variable is:

- username


[ WORKAROUND ]

F5 has published a security advisory at https://tech.f5.com/home/ 
solutions/sol167.html
Additionally, hotfix HF-75705-76003-1 has been issued for supported  
versions of FirePass.
You may download this hotfix or later versions of the hotfix from the  
F5 Networks Downloads site (https://downloads.f5.com/esd/index.jsp).

[ ACKNOWLEDGMENTS ]

This vulnerability has been discovered and researched by:

- Leonardo Nve <lnve@s21sec.com> S21Sec

With thanks to:

- Alberto Moro <amoro@s21sec.com> S21Sec


[ REFERENCES ]

* F5 Firepass
   http://www.f5.com/products/FirePass/



* S21Sec
   http://www.s21sec.com