Command Injection in F5 iRules

Conference:  BlackHat USA 2019



The presentation discusses the vulnerabilities of the Tickle language and provides tools for detecting and preventing injection attacks.
  • Tickle language is loosely defined and vulnerable to injection attacks
  • The presenter provides a tool for detecting injection vulnerabilities in Tickle code
  • Unit testing with the tool 'Testicle' can help catch bugs in Tickle code
  • Code review is important for preventing injection attacks in Tickle code
The presenter discusses a tool called 'I Rule Detector' which can replace every field in a request and detect injection vulnerabilities. The tool has found many vulnerabilities in open source code without requiring manual review.


BigIP F5 products are used by large corporations and governments all around the world. Its performance and load sharing capabilities has made it a preferred choice as reverse proxy to route web traffic in complex high performance projects. The F5 product contains a subset of rules written in a language called iRules developed from the scripting language TCL. TCL language interpretation is defined in a set of rules called the dodekalogue. Common misinterpretations of the dodekalogue often leaves iRules exposed to security vulnerabilities. An attacker can inject iRule code in to a request and force the load balancer to execute remote code, sniff connections or scan internal networks. Organizations using F5 with iRules will be made aware of how to find and avoid writing vulnerable code along with a demonstration of the consequences of post exploitation of this vulnerability. An attacker that successfully exploits iRule injections can gain a foothold in the F5 device memory, break out of the TCL interpreter and cause severe damage without leaving a trace in logging facilities. The research includes code scanning and automatic exploitation tools to detect and eliminate the iRule injection vulnerability from a running F5 instance.