F5 BIG-IP Remote Code Execution Exploit - CVE-2020-5902 | Critical Start
Learn real world attack and defense strategies with Adversarial Emulation and Active Defense training from TEAMARES
TEAMARES launches Breach Attack as a Service for quick testing whenever your environment changes.
Gain full transparency and reduce alert fatigue with CRITICALSTART's managed SIEM powered by Devo.
Webinar Series | Once More unto the Breach | Lessons Learned from Billion Dollar Breaches

F5 BIG-IP Remote Code Execution Exploit – CVE-2020-5902


When TEAMARES began research into the vulnerability identified in the F5 TMUI RCE vulnerability advisory released last month, we initially started by reading the advisory and mitigation steps, which contained minimal details but included key pieces of information needed to kick off our research. The advisory states that the vulnerability impacts a variety of capabilities when exploited, including the ability to execute arbitrary Java code, which stood out to us.

Figure 1: Vulnerability impact statement

Reading the mitigation steps immediately points to directory traversal and potential command injection. The interesting character in the pattern is the semicolon.

Figure 2: Mitigation

The first step was to compare changes between the known vulnerable versions and the fixed versions, so we began by comparing system configurations between 15.1.0 against 15.1.0.4. We found that there were a plethora of differences, but the following changes to the Apache configuration piqued our interest in particular and led to us going down this rabbit hole.

The screenshots show the /hsqldb endpoint was removed from the reverse proxy configuration. The Tomcat application server listens on localhost:8009.

Figure 3: Differences in proxy_ajp.conf

 

Figure 4: Differences in httpd.conf

Running a basic unauthenticated GET request redirected to the login page, which is expected as authentication is required to access the management application.

Figure 5: HTTP redirect to login

With the vulnerability mitigation steps in mind, we appended a semicolon and the request was successfully sent to the application server. This must be the authentication bypass because this endpoint should not be reachable.

Figure 6: Authentication bypass

Now that we could reach /hsqldb, we set off on a journey to see what could be done with it. HyperSQL is an embedded relational database used by Java applications. Through reading documentation and looking for ways, this could be abused.

The first attempt used a User Defined Function (UDF); however, it was discovered that the feature is not available in v1.8. We found that we could call native Java functions or any method available to the server with the primary restriction being that it had to be a static method. After looking for static methods in the HSQLDB source code, we found the org.hsqldb.util.ScriptTool.main() method deserializes a Java objected represented as an ASCII hex string. This looked very promising, so we attempted to call this manually using sqltool and hit a “Serialization failure” error.

Figure 7: Serialization exception

Thankfully, the error message informed us of how to resolve it. Setting the enableUnsafeSerialization property to true and executing the payload was successful. At this point, we proved that authenticated remote code execution was possible. Attempting to use /hsqldb; with a POST request resulted in a connection error, so we took another look at the mitigation regex “.*\.\.;.*”  and noticed that the authentication bypass was “..;”. We then changed our exploit to work with that regex, allowing us direct access to HQSLDB.

The full exploit which can be found at https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902.

Figure 8: Remote code execution

Create a new user with the admin role via tmsh. This operation creates a root system account.

Figure 9: Local privilege escalation

 

Versions Tested:

  • F5 BIG-IP 15.1.0
  • F5 BIG-IP 14.0.0

References:

Credit:

Authentication bypass discovered by Mikhail Klyuchnikov of Positive Technologies

Proof of Concept research by Charles Dardaman, Senior Adversarial Engineer, and Rich Mirch, Senior Adversarial Engineer for at CRITICALSTART, TEAMARES

Let's Talk

Get in Touch
PREVIOUS RESOURCE
NEXT RESOURCE
Path 11 Copy 3 Created with Sketch.

Related Content

Categories