BIG-IP Traffic Management User Interface (TMUI) RCE
CVE-2020-5902 is a perfect example of why administrative user interfaces should not be exposed to the internet. This is especially true when the device exposed is a perimeter device as the network behind the perimeter is compromised along with it.
So what exactly is this vulnerability that has everyone shitting bricks and why is it so bad?
Mikhail Klyuchnikov the researcher behind the vulnerability sums it up nicely:
By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE). The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet
It seems that for most companies the management interface is not internet facing. Apparantly. Let’s take a look with Shodan and see what we can find:
Well we have 8443 possibly vulnerable targets. Considering the severity, ease of exploitation and available PoC’s in the wild this isn’t looking great.
Taking a look at one of the results we can see that Shodan has already added detection for the vulnerability:
Parsing out IP’s from our 1000 results and filtering on the vuln we are left with 605 IP’s:
Digging into the PoC’s doing the rounds we can see that the exploit is essentially a directory traversal vulnerabity. RCE and LFI can be obtained with these two curl commands:
To test this locally the software can be downloaded from F5 after making an account and receiving a registration key or you could find a target within a bug bounty program (I wouldn’t bother submitting a report btw!). Steps for initial configuration can be found here.
Testing the exploit we can easily achieve LFI:
The requested file is received as output in JSON format but is easily formatted:
To grab hashes we can use:
Searching online it seems RCE using Burp Suite is just as easy:
From here on it would be trivial to obtain a reverse shell. So how can we mitigate against this attack? Well the easiest method would be to update to the corresponding updated version (fixed: 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11).
Otherwise the below patch adds a LocationMatch configuration element to httpd eliminating the vulnerability:
To check your own org for CVE-2020-5902 the following script can be used:
Alternatively there is a working NSE script that can be found here. I noticed some of the ‘vulnerability scanner’ PoC’s were actually pulling down files so as usual read any code before running it and only against IP’s you own.
Rapid 7 have released a metasploit module available here.