|
56515 | 56515 | },
|
56516 | 56516 | "needs_cleanup": null
|
56517 | 56517 | },
|
| 56518 | + "exploit_linux/http/f5_icontrol_rest_ssrf_rce": { |
| 56519 | + "name": "F5 iControl REST Unauthenticated SSRF Token Generation RCE", |
| 56520 | + "fullname": "exploit/linux/http/f5_icontrol_rest_ssrf_rce", |
| 56521 | + "aliases": [ |
| 56522 | + |
| 56523 | + ], |
| 56524 | + "rank": 600, |
| 56525 | + "disclosure_date": "2021-03-10", |
| 56526 | + "type": "exploit", |
| 56527 | + "author": [ |
| 56528 | + "wvu <wvu@metasploit.com>", |
| 56529 | + "Rich Warren" |
| 56530 | + ], |
| 56531 | + "description": "This module exploits a pre-auth SSRF in the F5 iControl REST API's\n /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that\n can be used to execute root commands on an affected BIG-IP or BIG-IQ\n device. This vulnerability is known as CVE-2021-22986.\n\n CVE-2021-22986 affects the following BIG-IP versions:\n\n * 12.1.0 - 12.1.5\n * 13.1.0 - 13.1.3\n * 14.1.0 - 14.1.3\n * 15.1.0 - 15.1.2\n * 16.0.0 - 16.0.1\n\n And the following BIG-IQ versions:\n\n * 6.0.0 - 6.1.0\n * 7.0.0\n * 7.1.0\n\n Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.", |
| 56532 | + "references": [ |
| 56533 | + "CVE-2021-22986", |
| 56534 | + "URL-https://support.f5.com/csp/article/K03009991", |
| 56535 | + "URL-https://attackerkb.com/assessments/f6b19d24-b24e-4abd-98cf-2988d7424311", |
| 56536 | + "URL-https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/" |
| 56537 | + ], |
| 56538 | + "platform": "Linux,Unix", |
| 56539 | + "arch": "cmd, x86, x64", |
| 56540 | + "rport": 443, |
| 56541 | + "autofilter_ports": [ |
| 56542 | + 80, |
| 56543 | + 8080, |
| 56544 | + 443, |
| 56545 | + 8000, |
| 56546 | + 8888, |
| 56547 | + 8880, |
| 56548 | + 8008, |
| 56549 | + 3000, |
| 56550 | + 8443 |
| 56551 | + ], |
| 56552 | + "autofilter_services": [ |
| 56553 | + "http", |
| 56554 | + "https" |
| 56555 | + ], |
| 56556 | + "targets": [ |
| 56557 | + "Unix Command", |
| 56558 | + "Linux Dropper" |
| 56559 | + ], |
| 56560 | + "mod_time": "2021-03-22 23:54:38 +0000", |
| 56561 | + "path": "/modules/exploits/linux/http/f5_icontrol_rest_ssrf_rce.rb", |
| 56562 | + "is_install_path": true, |
| 56563 | + "ref_name": "linux/http/f5_icontrol_rest_ssrf_rce", |
| 56564 | + "check": true, |
| 56565 | + "post_auth": true, |
| 56566 | + "default_credential": true, |
| 56567 | + "notes": { |
| 56568 | + "Stability": [ |
| 56569 | + "crash-safe" |
| 56570 | + ], |
| 56571 | + "Reliability": [ |
| 56572 | + "repeatable-session" |
| 56573 | + ], |
| 56574 | + "SideEffects": [ |
| 56575 | + "ioc-in-logs", |
| 56576 | + "account-lockouts", |
| 56577 | + "artifacts-on-disk" |
| 56578 | + ] |
| 56579 | + }, |
| 56580 | + "needs_cleanup": null |
| 56581 | + }, |
56518 | 56582 | "exploit_linux/http/foreman_openstack_satellite_code_exec": {
|
56519 | 56583 | "name": "Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection",
|
56520 | 56584 | "fullname": "exploit/linux/http/foreman_openstack_satellite_code_exec",
|
|