COMMAND

    bigconf.cgi

SYSTEMS AFFECTED

    BigIP - bigconf.cgi users

PROBLEM

    Guy Cohen found following.  For  those of you who don't know  what
    is BigIP, it is a software developed by F5 labs to handle incoming
    traffic and redirect it  to a server with  in a group of  servers.
    It is installed on BSDI system (maybe other too).  Once it is  has
    been installed you can configure it either by using a command line
    or  by  using  the  html  interface  (http  server  comes with the
    software).

    The  html  interface  basicly  operates  one program, bigconf.cgi,
    witch  is  installed  suid  root.   Guy  has  not  spend much time
    learning how to  exploit this program,  but from the  bits he did,
    he was able to look at  _any_ file on the system simply  by giving
    it's  name  to  the  cgi  program  (with appropriate parameters of
    course).   The risk  here is  not from  the outside,  as the  http
    server is protected by a password, but from internal users.   Less
    risk, but still ...

SOLUTION

    Guy is discussing an issue that affects older versions of  BIG/ip.
    As he  points out,  the risk  is from  internal users.   In  older
    versions of BIG/ip,  there is effectively  only one user  and that
    user has  root privileges.   That user  could execute  commands as
    root through a shell escape  in our web-based user interface.   As
    of Version 2.1, this is  no longer possible.  The  current version
    of BIG/ip is 2.1.2.  Unfortunately this effects version 2.1.2 too.
    So, to be 100% secure, get a patch version 2.1.2 PTF-02.