F5 ASM Rule 200004181: Generic Server Side Code Injection Bypass

Khris Tolbert
Maveris Labs
3 min read · Sep 12, 2022


TL;DR: During a recent engagement, we discovered a signature bypass for F5 ASM Rule 200004181: Generic Server Side Code Injection. We found it while attempting to upload a WAR file to a Tomcat Manager instance we had come across. A patch has been released by F5 and can be found here.


The expected result of uploading a WAR file is to trigger the F5 WAF block with reason Rule 200004181. This rule explicitly states that it is designed to prevent uploads of files with specific extensions: php, asp, aspx, ashx, war, and jsp.

A normal upload request to Tomcat Manager may look like the following:

Upload request of a WAR to Tomcat Manager that would trigger Rule 200004181

Rule 200004181 can be circumvented by removing the quotation marks around the filename in the upload request:

Upload request showing Rule 200004181 Bypass by omitting quotation marks around the filename parameter

This Rule 200004181 bypass was confirmed valid across all of the “protected” extensions. Whether the upload itself succeeds, though, depends on whether the web application behind the WAF correctly interprets the filename in the upload request without the quotation marks. Tomcat Manager is known to do so.

Screenshot of successful sample.war upload after submitting the request without quotation marks

We assume this bypass works because the underlying trigger for Rule 200004181 is written in a fashion similar to the following regular expression:

filename=".+?\.(war|jsp|ashx|aspx|asp|php)"

Because the regex expects double quotation marks wrapping the file name, simply omitting them should bypass this rule. Additionally, the rule only checks the extension and not the magic bytes, which may allow other WAF bypasses (see the OWASP Cheat Sheet) if the underlying web application accepts such uploads.
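To make the failure mode concrete, here is an added example (not code from the original post, and not F5's actual signature) that runs the assumed quote-dependent pattern and a hardened alternative over constructed multipart Content-Disposition headers. The hardened pattern is our own assumption of how such a check should be written: quotes optional, single quotes tolerated, and the extension taken from the parsed value rather than from the raw text.

```python
import re

# Pattern in the shape the post assumes the original signature used: it only
# fires when the filename value is wrapped in double quotes.
NAIVE_SIG = re.compile(r'filename=".+?\.(war|jsp|ashx|aspx|asp|php)"', re.IGNORECASE)

# Hardened form (an assumption, not F5's updated signature): the value may be
# double-quoted, single-quoted or bare, and whitespace around "=" is allowed.
# The RFC 5987 "filename*=" encoded form is deliberately not covered here.
HARDENED_SIG = re.compile(
    r"""filename\s*=\s*(?:"(?P<dq>[^"\r\n]*)"|'(?P<sq>[^'\r\n]*)'|(?P<bare>[^;\s"']+))""",
    re.IGNORECASE,
)
BLOCKED_EXT = {"php", "asp", "aspx", "ashx", "war", "jsp"}

# Constructed sample headers, not captured traffic.
SAMPLE_HEADERS = {
    "quoted": 'Content-Disposition: form-data; name="deployWar"; filename="sample.war"',
    "unquoted": 'Content-Disposition: form-data; name="deployWar"; filename=sample.war',
    "single_quoted": "Content-Disposition: form-data; name=\"deployWar\"; filename='sample.war'",
    "benign": 'Content-Disposition: form-data; name="deployWar"; filename="notes.txt"',
}


def naive_match(header: str) -> bool:
    """True when the quote-dependent pattern would block this header."""
    return NAIVE_SIG.search(header) is not None


def hardened_match(header: str) -> bool:
    """Extract the filename value regardless of quoting, then check its extension."""
    m = HARDENED_SIG.search(header)
    if not m:
        return False
    name = m.group("dq") or m.group("sq") or m.group("bare") or ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in BLOCKED_EXT


def evaluate(headers: dict) -> dict:
    """Map each sample name to (naive_blocked, hardened_blocked)."""
    return {k: (naive_match(v), hardened_match(v)) for k, v in headers.items()}


if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_HEADERS).items():
        print(f"{name:14s} naive={result[0]!s:5s} hardened={result[1]}")
```

Running it shows the unquoted and single-quoted WAR uploads slipping past the naive pattern while the hardened check blocks them and still lets the benign .txt upload through.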

Our first disclosure was to the customer’s SOC personnel, notifying them of our finding so they could quickly act to protect the assets affected by the underlying vulnerability and exposed to this bypass. Our initial diagnosis mistakenly attributed the bypass to inserting a newline after the filename followed by a fake extension (such as .txt). During validation with our customer, however, we discovered that omitting the quotation marks around the file name was by itself enough to avoid triggering the signature. We therefore escalated the finding to F5’s SIRT.

After reaching out to F5’s SIRT via email on August 30th, 2022, we promptly received a response informing us that F5 would investigate our finding. Within 48 hours, F5 acknowledged the finding and updated their signature to prevent this bypass. Our team independently verified on September 2nd, 2022 that the update corrected the bypass:

Screenshot of Rule 200004181 now triggering on file name upload without double quotes

Further details about the update can be found here: https://support.f5.com/csp/article/K22788490

Maveris is an IT and cybersecurity company committed to helping organizations create secure digital solutions to accelerate their mission. We are Veteran-owned and proud to serve customers across the Federal Government and private sector. Maveris Labs is a space for employees and customers to ask and explore answers to their burning “what if…” questions and to expand the limits of what is possible in IT and cybersecurity. To learn more, go to maveris.com
