Christoffer Jerkeby - Load Balancer with RCE, Hacking F5 - SecurityFest 2019

This talk opens with two questions: have you heard of F5 load balancing, and did you ever write code in TCL in your youth? The two questions are related because the language used for defining F5 iRules is a fork of TCL-8.4.

Pain:
The language has a few lesser-known flaws related to how it expands variables and options.
The coming 10 minutes will be dedicated to explaining how value expansion works in TCL-8.4 and iRule and how this can be exploited.
One demo will show how to exploit a remote F5 with basic input strings.
The next will show how to gain permanent access to an F5 that uses session tables.
The two demos are based on commonly used code fetched from F5 DevCentral.
This attack leads to MITM: the ability to set and remove any HTTP header, intercept and inject user traffic for any session, and terminate HTTPS.
Remedy:
Two demos will show how to automate detection of the vulnerability in your iRule code. A short example will show why this is not fully sufficient, because of lexical problems that are hard to detect with a (this) script. The next demo will show a unit-testing tool that can aid in testing all inputs from client and upstream.

Long term consequence:
This bug class will not be fixed by F5, which means that your organization or customer needs to stay on top of it. Armed with the tools and knowledge from this talk, your F5 instance can become injection free.

This was presented at Security Fest 2019.

Speakers: Christoffer Jerkeby
About Christoffer Jerkeby
Christoffer is a security researcher working as a consultant for F-Secure Sweden. He has previously worked in telecom security research for many years and has become known for talks on travel card hacking at SEC-T in 2010. Christoffer is an organizer behind the Danish hacker camp Bornhack and one of the founders of the first Swedish hackerspace, Forskningsavdelningen in Malmö. Christoffer's research has ranged from writing the specification for the GlobalPlatform TEE Socket/TLS API, through Bluetooth Mesh security, to finding Qubes vulnerabilities, Wi-Fi vulnerability research, VPN de-anonymization and GSM fuzzing. Expect a roller-coaster of pain, aha and hackery from this one.

About Security Fest 2019
May 23rd - 24th 2019
This summer, Gothenburg will become the most secure city in Sweden! We'll have two days filled with great talks by internationally renowned speakers on some of the most cutting-edge and interesting topics in IT security! Our attendees will learn from the best and the brightest, and have a chance to get to know each other during the lunch, dinner, after-party and scheduled breaks.



Please note that you have to be at least 18 years old to attend.



Highlights of Security Fest
Interesting IT-security talks by renowned speakers
Lunch and dinner included
Great CTF with nice prizes
Awesome party!


Venue
Security Fest is held in Eriksbergshallen in Gothenburg, with an industrial decor from the time it was used as a mechanical workshop. Right next to the venue, you can stay at Quality Hotel 11.