Associated Vulnerability
Title: F5 BIG-IP path traversal vulnerability (CVE-2020-5902)
Description: F5 BIG-IP is an application delivery platform from the US company F5 that integrates network traffic management, application security management, load balancing and other functions. F5 BIG-IP contains a path traversal vulnerability. An attacker can exploit it to execute arbitrary system commands, create or delete files, disable services or execute arbitrary Java code, potentially compromising the system completely. The following products and versions are affected: F5 BIG-IP 15.1.0, 15.0.0, 14.1.0 through 14.1.2, 13.1.0 through 13.1.3, 12.1.0 through 12.1.5, and 11.6.1 through 11.6.5.
Description
A network detection package for CVE-2020-5902, a CVSS 10.0 vulnerability affecting F5 Networks, Inc. BIG-IP devices.
Readme
# CVE-2020-5902 (F5 BIG-IP devices)
## Summary:
A Zeek detection package for CVE-2020-5902, a CVSS 10.0 vulnerability affecting F5 Networks BIG-IP devices.
## References:
- https://corelight.blog/2020/07/28/zeek-in-its-sweet-spot-detecting-f5s-big-ip-cve10-cve-2020-5902/
- https://support.f5.com/csp/article/K52145254
- https://us-cert.cisa.gov/ncas/alerts/aa20-206a
## Notices raised:
By default both notices are enabled. If you only want the notice for a successful exploit, set the option in `scripts/bigIPF5.zeek` to `T`, i.e. `option only_monitor_for_successful_exploit: bool = T;`
|Notice|Enabled by default?|Disabled when `only_monitor_for_successful_exploit = T`?|
|---|---|---|
|BIGIP_exploit_attempt|Yes|Yes|
|BIGIP_exploit_success|Yes|No|
Notices include up to 1500 bytes of the HTTP request headers as well as the requested URI, which helps speed up incident response and triage without necessarily having to go back to a pcap. Example:
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2020-07-27-16-57-12
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double
1595831352.218935 C9EcoD1bu0ertt08bb 192.168.31.37 63034 192.168.1.3 80 - - - tcp CVE_2020_5902::BIGIP_exploit_attempt An attempt to exploit an F5 BIG-IP device via CVE-2020-5902 was detected using uri '/hsqldb;' , however the server responded with a code='404' reason='Not Found', indicating the exploit attempt failed. The HTTP request headers are '{\x0a\x09[1] = [original_name=User-Agent, name=USER-AGENT, value=Wget/1.20.3 (darwin19.0.0)],\x0a\x09[2] = [original_name=Accept, name=ACCEPT, value=*/*],\x0a\x09[3] = [original_name=Accept-Encoding, name=ACCEPT-ENCODING, value=identity],\x0a\x09[4] = [original_name=Host, name=HOST, value=192.168.1.3],\x0a\x09[5] = [original_name=Connection, name=CONNECTION, value=Keep-Alive]\x0a}'. Refer to https://support.f5.com/csp/article/K52145254 - 192.168.31.37 192.168.1.3 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
```
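A small triage helper for the notice.log format shown above, added here as an example and not part of this package: it parses the Zeek TSV header (`#separator`, `#fields`), keeps only the `CVE_2020_5902::` notices, and pulls the URI and HTTP status code out of `msg` so that successes can be ranked above failed attempts. The sample log is constructed: the attempt line is the one from this README, the success and port-scan lines are made up for the example.

```python
import re

# Constructed sample shaped like the notice.log excerpt in this README, trimmed
# to the columns used here. Only the attempt line comes from the README; the
# success and port-scan lines are made up for the example.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1595831352.218935\tC9EcoD1bu0ertt08bb\t192.168.31.37\t63034\t192.168.1.3\t80\t"
    "CVE_2020_5902::BIGIP_exploit_attempt\tAn attempt to exploit an F5 BIG-IP device "
    "via CVE-2020-5902 was detected using uri '/hsqldb;' , however the server "
    "responded with a code='404' reason='Not Found', indicating the exploit attempt failed.\n"
    "1595831400.500000\tCxample0000000001\t192.168.31.37\t63050\t192.168.1.3\t80\t"
    "CVE_2020_5902::BIGIP_exploit_success\tF5 BIG-IP device exploited via CVE-2020-5902 "
    "using uri '/hsqldb;' , the server responded with a code='200' reason='OK'.\n"
    "1595831410.000000\tCxample0000000002\t10.0.0.5\t40000\t192.168.1.3\t22\t"
    "Scan::Port_Scan\t10.0.0.5 scanned at least 15 unique ports.\n"
)

URI_RE = re.compile(r"uri '([^']*)'")
CODE_RE = re.compile(r"code='(\d{3})'")

def parse_notice_log(text):
    """Parse Zeek TSV log text into dicts keyed by the #fields header names."""
    sep, fields, rows = "\t", None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator escaped, e.g. "\x09" for a tab
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#"):  # skip #types, #open, #close
            rows.append(dict(zip(fields, line.split(sep))))
    return rows

def triage(rows):
    """Keep only this package's notices; pull the uri and response code from msg."""
    hits = []
    for r in rows:
        if not r["note"].startswith("CVE_2020_5902::"):
            continue
        uri, code = URI_RE.search(r["msg"]), CODE_RE.search(r["msg"])
        hits.append({
            "ts": float(r["ts"]), "src": r["id.orig_h"], "dst": r["id.resp_h"],
            "note": r["note"].split("::", 1)[1],
            "uri": uri.group(1) if uri else None,
            "status": int(code.group(1)) if code else None,
            # a success needs immediate response; a 4xx attempt is lower priority
            "priority": "high" if r["note"].endswith("_success") else "low",
        })
    return hits
```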
## Usage, notes and recommendations:
- To run against a pcap you already have: `zeek -Cr your.pcap scripts/__load__.zeek`
- This package runs in live, clustered or non-clustered environments.
- This package was prepared from currently available public information; it has not been built or tested against pcaps of exploit traffic.
## Feedback
- As details emerge, we are keen to improve this package for the benefit of the community; please contact the author with any suggestions and feedback.
File Snapshot
[4.0K] /data/pocs/041af1bf02a869abf1dbe21506709883483951b3
├── [ 241] bro-pkg.meta
├── [1.5K] LICENSE
├── [2.9K] README.md
├── [4.0K] scripts
│ ├── [2.7K] bigIPF5.zeek
│ └── [ 21] __load__.zeek
└── [ 241] zkg.meta
1 directory, 6 files