[POC & EXP] F5 BIG-IP Access Control Error Vulnerability (CVE-2022-1388)

Vulnerability overview

F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and related functions.

F5 BIG-IP has an access control error vulnerability: an attacker can exploit it through undisclosed requests to bypass iControl REST authentication in BIG-IP and take control of the affected system.

Scanning tools

Manual detection method

Replace {TARGET} with the domain name or IP address of the host to be scanned:

curl -sk --max-time 2 "https://{TARGET}/mgmt/shared/authn/login" | egrep "message|resterrorresponse" | jq

Example of the corresponding response (a 401 "resterrorresponse" body means the iControl REST endpoint is reachable from the network):

{
    "code": 401,
    "message": "Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/shared/authn/login   Referrer:xxx.xxx.177.228 Sender:xxx.xxx.177.228",
    "referer": "xxx.xxx.177.228",
    "restOperationId": 1461894338,
    "kind": ":resterrorresponse"
}

Corresponding Nuclei template

id: bigip-icontrol-rest

info:
  name: F5 BIG-IP iControl REST Panel
  author: MrCl0wnLab
  severity: info
  description: |
   Undisclosed requests may bypass iControl REST authentication.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1388
    - https://support.f5.com/csp/article/K23605346
    - https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
  metadata:
    shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"
  classification:
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  tags: cve,cve2022,bigip,f5icontrol

requests:
  - method: GET
    path:
      - "{{BaseURL}}/mgmt/shared/authn/login"
    headers:
      User-Agent: "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"

    matchers:
      - type: word
        part: body
        words:
          - "resterrorresponse"
          - "message"
      - type: status
        status:
          - 401
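The template above only reports a host when the status is 401 and both words appear in the body. The following is an added example (not from the original post or the Nuclei project) that applies the same matcher logic from the shell, so a generic 401 page or an unreachable host is not misreported; the function names and the sample body are the example's own.

```bash
#!/bin/sh
# Added example, not from the original post: applies the Nuclei template's
# matcher logic (HTTP 401 AND "resterrorresponse" AND "message" in the body)
# from the shell. Function names are the example's own.

# Constructed sample body, shaped like the iControl REST reply shown above.
SAMPLE_BODY='{"code":401,"message":"Authorization failed: no user authentication header or token detected.","kind":":resterrorresponse"}'

# classify_icontrol_response STATUS BODY
# Prints exposed / not-detected / unreachable and returns 0 / 1 / 2.
classify_icontrol_response() {
    status="$1"; body="$2"
    # curl reports 000 when no HTTP reply arrived (timeout, refused, TLS failure)
    if [ -z "$status" ] || [ "$status" = "000" ]; then
        echo "unreachable"; return 2
    fi
    if [ "$status" = "401" ] \
        && printf '%s' "$body" | grep -q 'resterrorresponse' \
        && printf '%s' "$body" | grep -q '"message"'; then
        echo "exposed"; return 0
    fi
    echo "not-detected"; return 1
}

# check_icontrol_host HOST: fetch /mgmt/shared/authn/login and classify the reply.
check_icontrol_host() {
    host="$1"
    tmp=$(mktemp) || return 2
    # -o keeps the body in a file; -w prints only the status code on stdout
    status=$(curl -sk --max-time 5 -o "$tmp" -w '%{http_code}' \
        "https://${host}/mgmt/shared/authn/login" 2>/dev/null)
    body=$(cat "$tmp"); rm -f "$tmp"
    classify_icontrol_response "$status" "$body"
}

# Usage: ./check_icontrol.sh hosts.txt  (one host or IP per line)
if [ "$#" -gt 0 ]; then
    sort -u "$1" | while read -r host; do
        [ -z "$host" ] && continue
        printf '%s\t%s\n' "$host" "$(check_icontrol_host "$host")"
    done
fi
```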


Batch scanning tool

Core code: CVE-2022-1388.sh

#!/bin/bash
#-*- ENCODING: UTF-8 -*-
# Simple CVE-2022-1388 checker: reports hosts whose iControl REST login
# endpoint answers with a "resterrorresponse" body.

archivo=$1                                   # input file: one host/IP per line
barra="-------------------------------------------------"
dt=$(date +"%Y_%m_%d_%H%M%S")                # per-run output directory

#------- Colours -------
endColour="\033[0m\e[0m"
redColour="\e[0;31m\033[1m"
grayColour="\e[0;37m\033[1m"
greenColour="\e[0;32m\033[1m"

function helpPanel (){
	echo -e "\n\t[+] Uso: ./CVE-2022-1388.sh hosts.txt"
	exit 1
}

function checker (){
	mkdir -p "$dt"
	: > "$dt/report.txt"
	# -s silent, -k accept self-signed certificates, 2 s timeout per host
	sort -u "$archivo" | while read -r ip; do
		[ -z "$ip" ] && continue
		if curl -sk --max-time 2 "https://$ip/mgmt/shared/authn/login" | grep -q "resterrorresponse"; then
			echo $barra
			echo -e "[x] Host: $ip F5 iControl Rest API exposed" >> "$dt/report.txt"
			echo -e "${redColour}"$(tail -n1 "$dt/report.txt")"${endColour}"
		else
			echo $barra
			echo -e "[✔] Host: $ip No Detectado" >> "$dt/report.txt"
			echo -e "${greenColour}"$(tail -n1 "$dt/report.txt")"${endColour}"
		fi
	done

	echo $barra; sleep 1
	echo -e "  ${greenColour}[✔]${endColour}${grayColour} Total equipos OK:    ${endColour}${greenColour}"$(grep -c "\[✔\]" "$dt/report.txt")"${endColour}"
	echo $barra; sleep 1
	echo -e "  ${redColour}[x]${endColour}${grayColour} Total equipos detectados:    ${endColour}${redColour}"$(grep -c "\[x\]" "$dt/report.txt")"${endColour}"
	echo $barra; sleep 1
	exit 0
}

# require a host list that actually exists
if [ $# -eq 0 ] || [ ! -f "$archivo" ]; then
	helpPanel
else
	checker
fi

Create a hosts.txt file containing the hostnames/IP addresses to scan, one per line.

Usage

./CVE-2022-1388.sh hosts.txt
