F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive
This is an authentication bug affecting the sensitive /mgmt/tm/util/bash endpoint, which, as the name suggests, takes commands and executes them. The endpoint was protected by authentication, but that authentication was vulnerable to a kind of desync. F5 has a custom Apache module called mod_auth_pam.so, which registers a hook that checks the request headers for an X-F5-Auth-Token header. If that header is present, the request is forwarded to the iControl REST service. If it is not, the Authorization header is checked, and if the credentials don't match, the request is rejected. The iControl REST service then checks whether a token was given and validates it if so. If no token was given, it continues onward, assuming the request was already authenticated upstream.

The problem is that mod_auth_pam checked for X-F5-Auth-Token before the Connection header was processed. Because Apache strips any header named in Connection (hop-by-hop headers) before forwarding, it was possible to list X-F5-Auth-Token in the Connection header: the module saw the token and passed the request to the iControl REST service, the token was dropped before it could be validated, and the request landed in the edge case where iControl assumes the caller is already authenticated. This gives command execution as root.