Since @pdnuclei has posted a full PoC for #cve202346747 already, we've updated our blog post at https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ with all the technical details.
Kudos to @rootxharsh and @iamnoooob for SUCH a quick reproduction of the bug as well!
A warning for folks who are going to start spraying this around though:
The process of abusing AJP request smuggling causes Tomcat and Apache to get out of sync. So as you send more of these requests, the de-sync gets worse. Eventually the server gets so out of sync that it becomes incapable of actually serving the correct site once you ask for it.
During testing we regularly would get our F5-BIGIP so jammed up that it was just faster to do a full server reboot than it was to wait for things to clear out normally. There's a secondary bug here in that if you do this enough, you'll eventually catch the login session of someone else trying to hit the server, but given the fact that you can get RCE through this as well, it seems not to be as huge of a deal.
I do hope folks patched though - if you weren't paying attention on Thursday/Friday you're gonna get snuck by this one pretty badly. A 72-hour window isn't a massive amount of time unfortunately.
For what it's worth, at a glance there wasn't anything SUPER insane exposed on the internet when we did a check. We did find one cisa.gov server, which we notified them about and it was taken down before the ball started rolling on this stuff. Lots and lots of telecoms though.