Hacking BigIP

simonde
forum buddy
Posts: 14
Joined: 23 Apr 2008, 16:00


Post by simonde »

disclaimer: this only works on some instances of BigIP load balancers. But when it does, it's a doozy (and, I believe, a 0-day).


BigIP load balancers implement sticky sessions. They have to, in order for you to maintain a login to the back-end app server that they route you to. This means that they need to track who you are and what specific server in the pool they directed you to previously. One would think that they would hold this information internally and simply pass a session id cookie to your browser.

One would think wrong.

Here's a sample of a BigIP cookie:

Cookie: BIGipServermy.server.pool=1512614080.25118.0000;

Looks pretty cryptic.

If you fail to pass this cookie in (starting a new session), you'll note that the last two sets of numbers always remain the same (25118.0000 in this case). It's the first number that changes, cycling through a discrete set.

Ah ha! You say -- that must be how they determine what server to direct me to! That's not a session id at all -- if it was, it wouldn't repeat.

Not-so-little-known fact: IP addresses can be expressed as decimals. Take each octet in an IP, convert it to binary, join the four binary patterns together, and then convert to a decimal value.

Try pinging "1512614080" -- it resolves to "90.40.168.192"

Drat! You say -- that's not an IP that's owned by your target company.

So you collect a few more BigIP cookies. You end up with the following seemingly random IPs:

90.40.168.192
114.40.168.192
87.40.168.192

Seeing a pattern?

Reverse the IPs that BigIP sends down in decimal form -- you get the internal IP address of the server that BigIP is routing you to.

More than just minor information disclosure, you can use this to "force" your session to a particular server, negating/bypassing the load balancer entirely.

Just a bit of fun with one of the big load balancers....
C|EH, ECSA, C|EI
Halock Security Labs
http://www.halock.com
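The decoding the post walks through by hand, written up as a small audit script. This is an added example, not code from the post or from F5; it takes the post's cookie value and the two other addresses it lists, re-encoded the same way, as constructed sample header lines. The treatment of the first field (backend IPv4 address with its octets reversed, i.e. a little-endian 32-bit integer) is exactly what the post describes; the treatment of the second field as a byte-swapped backend port is an assumption the post does not make, and the `BIGipServer` name matching is a convention assumed here. The defender's check is the `leaks_internal` flag: a persistence cookie that decodes to a private address is disclosing the backend, and BIG-IP can be configured to encrypt its persistence cookies so that this does not happen.

```python
import ipaddress
import re
import struct

# Constructed sample header lines for the demo (not captured from any real
# system). The first value is the one quoted in the post; the other two are
# the post's 114.40.168.192 and 87.40.168.192 readings, re-encoded as cookies.
SAMPLE_HEADERS = [
    "Cookie: BIGipServermy.server.pool=1512614080.25118.0000;",
    "Set-Cookie: BIGipServermy.server.pool=1915267264.25118.0000; path=/",
    "Set-Cookie: BIGipServermy.server.pool=1462282432.25118.0000; path=/",
]

# Cookie name prefix (assumed convention) followed by three decimal fields.
COOKIE_RE = re.compile(r"(BIGipServer[^=;\s]+)=(\d+)\.(\d+)\.(\d+)")


def decode_bigip_cookie(value: str) -> tuple[str, int]:
    """Decode the 'ip.port.0000' value of a BIGipServer persistence cookie.

    First field: backend IPv4 address as a 32-bit integer with the octets in
    reverse order, which is why 1512614080 reads as 90.40.168.192 until it is
    flipped to 192.168.40.90. Second field: assumed here to be the backend
    port with its two bytes swapped the same way (the post leaves it open).
    """
    ip_dec, port_dec, _trailer = value.split(".")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(ip_dec)))
    (port,) = struct.unpack("<H", struct.pack(">H", int(port_dec)))
    return str(ip), port


def encode_bigip_cookie(ip: str, port: int) -> str:
    """Inverse of decode_bigip_cookie; handy for building test fixtures."""
    (ip_dec,) = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)
    (port_dec,) = struct.unpack("<H", struct.pack(">H", port))
    return f"{ip_dec}.{port_dec}.0000"


def audit_headers(header_lines):
    """Scan header lines for BIGipServer cookies and report what each discloses.

    Returns one dict per cookie. 'leaks_internal' is True when the decoded
    address is non-public (RFC 1918 and similar), i.e. the cookie reveals the
    internal backend the post describes.
    """
    findings = []
    for line in header_lines:
        for name, ip_dec, port_dec, trailer in COOKIE_RE.findall(line):
            ip, port = decode_bigip_cookie(f"{ip_dec}.{port_dec}.{trailer}")
            findings.append({
                "cookie": name,
                "backend_ip": ip,
                "backend_port": port,
                "leaks_internal": ipaddress.IPv4Address(ip).is_private,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Run it against a saved HTTP response (one header per line) to see whether the balancer in front of your own application is handing out backend addresses; the post's value decodes to 192.168.40.90, and all three sample cookies are flagged as leaking an internal address.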
