CVE-2023-46747 F5 BIG-IP RCE

Affected Versions

All versions.

Environment Setup

Download the image from the official site and boot it with VMware:
https://my.f5.com/manage/s/downloads?productFamily=BIG-IP&productLine=big-ip_v15.x&version=15.1.8&container=Virtual-Edition&files=BIGIP-15.1.8-0.0.7.ALL-vmware.ova&locations=JAPAN

Default credentials: admin / default

Analysis & Reproduction

From the official patch, it is clearly related to authorization checks and modifies proxy_ajp_conf. Combined with the public information already available, this strongly suggests an AJP request smuggling issue (and right as I had finished a rough validation, “chen” posted a one-liner…).

![image-20231030183353275](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030183353275.png)

Opening it revealed a PoC, and comparing it with /usr/share/tomcat/conf/server.xml made it obvious:

![image-20231030183853806](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030183853806.png)

That saves a lot of time: we can confirm it’s AJP smuggling. BIG-IP’s Apache is a customized build based on Apache 2.4.6, so it is also affected by AJP smuggling.

AJP smuggling is not new (e.g., Ghostcat, CVE-2022-26377). The exploitation chain here is:

  1. From the historical BIG-IP vulnerability CVE-2022-1388, we know we can execute commands via /mgmt/tm/util/bash. But the old issue relied on bypassing X-F5-Auth-Token authorization. Since the bypass has been fixed, we now need a valid X-F5-Auth-Token — which means we need to create an admin user.

  2. Creating users is handled in TMUI. We use AJP smuggling to reach /tmui/Control/form and invoke /tmui/system/user/create.jsp to create a new user.

  3. Following the official documentation, after the user is created we can call /mgmt/shared/authn/login to obtain a token, then go back to step 1 to execute commands.

    ![image-20231030230918856](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030230918856.png)

In short:

/tmui/Control/form → user/create.jsp (create user) → /mgmt/shared/authn/login (new token) → /mgmt/tm/util/bash (command execution)

One important caveat:

TMUI enforces CSRF checks. When invoking step 1 (the TMUI user-creation request), you must craft three parameters: _timenow, Tmui-Dubbuf, and _bufvalue, where _bufvalue must equal Tmui-Dubbuf + Tmui-Dubbuf.

![image-20231030221855165](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030221855165.png)

In the nuclei PoC, the values are:

  • Tmui-Dubbuf = BBBBBBBBBBB
  • _timenow = a
  • _bufvalue = eIL4RUnSwXYoPUIOGcOFx2o00Xc=

![image-20231030223436120](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030223436120.png)

Using these values, the resulting PoC looks like this:

![](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030225639449.png)

When using Transfer-Encoding: chunked, the request body is sent in chunks, each prefixed with its length written in hexadecimal. The first chunk here is 204 bytes long, and decimal 204 in hex is cc. The final 0 is the last-chunk marker that ends the body. If you capture the traffic without HTTPS, the plaintext looks like:

![](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030225723604.png)

You may need to try multiple times; it may not succeed on the first attempt. Once the response is no longer the login page, proceed to the next step.
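The following is an added example for defenders, not code from the original post or from F5. It shows the two things a detection layer needs for the chain summarised above: a strict decoder for Transfer-Encoding: chunked bodies (so an inspection point sees the same bytes the back end sees, and so the hex chunk size cc is read as 204 bytes), and a small log-sequence detector that flags a source moving from a chunked POST to /tmui/Control/form through /mgmt/shared/authn/login to /mgmt/tm/util/bash. The five-field log format, the sample records and the field names are constructed for the example; the real BIG-IP httpd log format will differ.

```python
"""Defensive helpers for the attack chain described in this post.

Added example, not code from the original post or from F5.
  1. decode_chunked(): reassembles a Transfer-Encoding: chunked body.
     Chunk sizes are hexadecimal, so 'cc' means 204 bytes.
  2. detect_chain(): walks constructed access-log records and flags a
     source that moves through the three endpoints of the chain in order.
The log format and field names are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a chunked HTTP message body.

    Each chunk is '<hex-size>[;extensions]\\r\\n<data>\\r\\n'; a size of 0 is
    the last chunk. Malformed input raises ValueError instead of being
    guessed at, since inconsistent parsing is what smuggling relies on.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing CRLF after chunk size")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not size_field:
            raise ValueError("empty chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; any trailer section is ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


@dataclass
class Request:
    src: str
    method: str
    path: str
    transfer_encoding: str  # "-" in the constructed log when absent
    status: int


# Constructed sample log: "<src> <method> <path> <transfer-encoding> <status>"
SAMPLE_LOG = """\
198.51.100.7 POST /tmui/Control/form chunked 200
198.51.100.7 POST /mgmt/shared/authn/login - 200
198.51.100.7 POST /mgmt/tm/util/bash - 200
203.0.113.9 GET /tmui/login.jsp - 200
203.0.113.9 POST /mgmt/shared/authn/login - 401
"""

# Endpoint order of the chain as summarised in the post.
CHAIN = ("/tmui/Control/form", "/mgmt/shared/authn/login", "/mgmt/tm/util/bash")


def parse_log(text: str) -> list[Request]:
    """Parse the constructed five-field log format into Request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, method, path, te, status = line.split()
        records.append(Request(src, method, path, te, int(status)))
    return records


def detect_chain(requests: list[Request]) -> dict[str, list[str]]:
    """Return {src: findings} for sources that start walking the chain.

    Stage 0 only counts when the /tmui/Control/form request used chunked
    encoding, the carrier the post describes; a login to
    /mgmt/shared/authn/login on its own is normal traffic and is ignored.
    """
    progress: dict[str, int] = {}
    findings: dict[str, list[str]] = {}
    for r in requests:
        stage = progress.get(r.src, 0)
        if stage == 0:
            if r.path == CHAIN[0] and "chunked" in r.transfer_encoding.lower():
                progress[r.src] = 1
                findings[r.src] = [f"chunked {r.method} to {r.path}"]
        elif stage < len(CHAIN) and r.path == CHAIN[stage]:
            progress[r.src] = stage + 1
            findings[r.src].append(f"reached {r.path}")
            if progress[r.src] == len(CHAIN):
                findings[r.src].append("full chain observed")
    return findings


if __name__ == "__main__":
    # Constructed chunked body: one 204-byte chunk ('cc' hex), then last-chunk.
    body = b"cc\r\n" + b"A" * 204 + b"\r\n0\r\n\r\n"
    print(len(decode_chunked(body)))  # 204
    for src, notes in detect_chain(parse_log(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(notes))
```

The detector deliberately keys on the chunked request to the TMUI form rather than on the login or bash endpoints alone, because those two see legitimate administrative traffic; a partial match (only the first stage) is still returned so it can be escalated separately from a full chain.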

Obtain a token using the username/password:

![](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030225832110.png)

Then execute a command:

![image-20231030225947658](./CVE-2023-46747 F5 BIG-IP RCE/image-20231030225947658.png)

Source: https://springkill.github.io/en/posts/cve-2023-46747-f5-big-ip-rce/
Author: SpringKill
Published: 2023-11-07
License: CC BY-NC-SA 4.0