TL DR?

If a bug falls in the forest, and the vendor denies that it’s a bug, is it still a bug?

The F5 Endpoint Inspector is an application which can be called from a web browser to scan a client for compliance. We found it can be abused to run arbitrary code, triggered by visiting a malicious website. There’s a few pre-requisites to get it working, and it’s a bit tougher to get it working “cleanly” (without the user having to click much).

We reported this issue to F5, who say it is “not considered a vulnerability”. So they won’t be fixing it any time soon, apparently.

- That website contains a “specially-crafted” f5-epi:// URI.
- This causes the F5 Endpoint Inspector to run.
- A UAC box pops up, obviously trying to run a process signed by the legitimate F5 Networks certificate.
- Then we get powershell.exe popping up, running as a subprocess of f5instd.exe, at high integrity (that’s with admin privileges).

To be fair, this is the “clean” version of the exploit. I’ll talk about the “dirty” version later.

F5 says it’s NOT a bug, so what’s the problem?

They say there’s too many pre-requisites for them to consider it a bug. Here are the basic pre-requisites to not-exploit this not-a-bug:

- The affected user has to have admin privileges, so they can click through the UAC popup.
- The attacker has to have a trusted code-signing certificate to sign a malicious CAB file.

If you want to not-exploit the not-a-bug cleanly (with only a clean UAC popup for an F5-signed binary), the CAB file has to be signed by “F5 Networks Inc”, “F5 Networks” or “uRoam Inc”. The f5instd.exe binary checks for those strings in the “Signer Name” field of the signature.

It’s up to you to decide how realistic it would be to get a trusted code-signing certificate with any of those names. I will say that “uRoam Inc” may not actually exist, since F5 bought it in 2003. That’s a little tip if you fancy trying one of the more elaborate workarounds to execute arbitrary code.

However, regardless, even if the “Signer Name” in the CAB signature isn’t one of those three strings, arbitrary code will still run. The user just has to click through another warning. This is (what I guess I’m calling) the “dirty” version.
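Since the vendor is not shipping a fix, the behaviour described above (an interpreter such as powershell.exe spawned by f5instd.exe at high integrity) is something defenders can alert on. The following is an added example, not code from the original post or from F5: it assumes process-creation events in the shape of Sysmon Event ID 1 records, and the interpreter list, sample paths and command lines are constructed for illustration.

```python
import ntpath

# Assumption: events are Sysmon Event ID 1 (process creation) records parsed
# into dicts keyed by Sysmon's field names.
PARENT = "f5instd.exe"
# Assumption: script hosts and shells worth flagging; tune per environment.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
ELEVATED = {"high", "system"}


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()


def triage(event):
    """Return a finding dict for a suspicious child of f5instd.exe, else None."""
    if basename(event.get("ParentImage")) != PARENT:
        return None
    child = basename(event.get("Image"))
    elevated = (event.get("IntegrityLevel") or "").lower() in ELEVATED
    if child in INTERPRETERS:
        severity = "high" if elevated else "medium"
    elif elevated:
        severity = "review"  # elevated child that is not a known interpreter
    else:
        return None
    return {"severity": severity, "child": child,
            "cmd": event.get("CommandLine")}


def findings(events):
    """Triage a batch of events and keep only the ones that produced a finding."""
    return [f for f in map(triage, events) if f]


# Constructed sample events: every path and command line below is made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"ParentImage": r"C:\example\f5instd.exe", "Image": PS,
     "IntegrityLevel": "High", "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "IntegrityLevel": "High", "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\example\F5INSTD.EXE", "Image": r"C:\Windows\System32\cmd.exe",
     "IntegrityLevel": "Medium", "CommandLine": "cmd.exe /c ver"},
    {"ParentImage": r"C:\example\f5instd.exe", "Image": r"C:\example\helper.exe",
     "IntegrityLevel": "High", "CommandLine": "helper.exe"},
]

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```

The "review" severity exists because the page does not say which child processes f5instd.exe spawns in normal use, so elevated children outside the interpreter list are surfaced for a human to baseline rather than dropped.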