F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive

We discussed this vulnerability during Episode 145 on 16 May 2022

An authentication bypass on the sensitive /mgmt/tm/util/bash endpoint, which, as the name suggests, takes commands and executes them. The endpoint was protected by authentication, but that authentication was vulnerable to a kind of desync between the front-end Apache and the back-end iControl REST service. F5 ships a custom Apache module, mod_auth_pam.so, which registers a hook that checks the request headers for an X-F5-Auth-Token header. If the header is present, the request is forwarded to the iControl REST service. If not, the Authorization header is checked, and if the credentials don't match, the request is rejected. The iControl REST service then checks whether a token was supplied and validates it if so. If no token was supplied, it continues onward, assuming the request was already authenticated by the front end.

The problem is that mod_auth_pam checked for X-F5-Auth-Token before the Connection header was processed. It was possible to sneak this header into a Connection header, get the request passed to the iControl REST service, and have the token dropped before it could be validated, hitting the edge case where iControl assumes you're already authenticated. The result is command execution as root.
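As an added example (not code from the episode or from F5), a small Python triage check that flags the request shape described above on any /mgmt/ path: the token header present, so the front end waves the request through, but also named in Connection, so it is stripped as hop-by-hop before iControl REST can validate it. Host and token values in the sample request heads are constructed placeholders.

```python
from typing import Dict, List, Tuple

AUTH_TOKEN_HEADER = "x-f5-auth-token"   # header mod_auth_pam looks for

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse a raw HTTP/1.1 request head into (method, path, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, path, headers

def connection_tokens(headers: Dict[str, str]) -> List[str]:
    """Header names listed in Connection: these are hop-by-hop, so the
    front-end Apache strips them before proxying to iControl REST."""
    conn = headers.get("connection", "")
    return [t.strip().lower() for t in conn.split(",") if t.strip()]

def token_is_smuggled(headers: Dict[str, str]) -> bool:
    """The desync shape: the token header is present (front end forwards the
    request) but also named in Connection (dropped before validation)."""
    return AUTH_TOKEN_HEADER in headers and AUTH_TOKEN_HEADER in connection_tokens(headers)

def classify_request(raw: str) -> str:
    """Triage label for one request head: 'smuggled-token' is the bypass
    pattern, 'token' a normal token request, 'no-token' everything else."""
    _method, path, headers = parse_request(raw)
    if not path.startswith("/mgmt/"):
        return "not-icontrol"
    if token_is_smuggled(headers):
        return "smuggled-token"
    return "token" if AUTH_TOKEN_HEADER in headers else "no-token"

# Constructed sample request heads (placeholder host and token, not real captures).
SMUGGLED = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.example.internal\r\n"
            "X-F5-Auth-Token: PLACEHOLDER\r\nConnection: keep-alive, X-F5-Auth-Token\r\n\r\n")
NORMAL = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.example.internal\r\n"
          "X-F5-Auth-Token: PLACEHOLDER\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("smuggled", SMUGGLED), ("normal", NORMAL)):
        print(name, "->", classify_request(req))
```

Because the front end strips the header, run this check on traffic captured before the Apache tier (or on the raw request log), not on what iControl REST receives.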