Exploiting F5 Big IP Vulnerability | CVE-2020-5902

CVE-2020-5902 is a critical remote code execution vulnerability in the configuration interface (aka Traffic Management User Interface – TMUI) of BIG-IP devices used by some of the world’s biggest companies.

So today we are going to demonstrate how it is being used.

To exploit CVE-2020-5902, an attacker needs to send a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

So first we need to find a vulnerable device, let’s go to Shodan.

In the search box at the top left, type:

title:"BIG-IP®"

This will give us a list of vulnerable devices.


Now let’s navigate to one of the servers.


Perfect.

Open Burp Suite. This will intercept our traffic before it hits the server so that we can modify the request.

In Burp Suite, turn on Intercept and refresh the page.


Okay, we have the domain name, so before we send the request to the server we are going to modify the URL and add some text.

https://{host}/tmui/login.jsp/..:/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

So let’s move to the Repeater tab to send the request.


As you can see, it prints out the /etc/passwd file. You can read other files too, like /etc/hosts. Have fun but don’t do anything illegal. You will probably get a call from the... (insert law enforcement)
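On the defending side, the request shown above leaves a recognisable trace in the web access log of the management interface. The following is an added example, not part of the original post, that scans log lines for it; the log format, IP addresses and sample lines are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (documentation IPs); only the request forms shown on this page.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
192.0.2.44 - - [07/Aug/2020:10:03:17 +0000] "GET /tmui/login.jsp/..:/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1873
192.0.2.44 - - [07/Aug/2020:10:03:40 +0000] "GET /tmui/login.jsp/..:/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 200 212
192.0.2.10 - - [07/Aug/2020:10:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def classify(target):
    """Return the reasons a request target looks like the TMUI traversal (empty list if none)."""
    parts = urlsplit(target)
    path = unquote(parts.path)  # normalise percent-encoding before matching
    if not path.startswith("/tmui/"):
        return []
    reasons = []
    # A path segment starting with ".." (the page's request uses "..:") has no place in a TMUI URL.
    if any(seg.startswith("..") for seg in path.split("/")):
        reasons.append("dot-dot segment")
    # Extra path after login.jsp is how the page's request reaches fileRead.jsp.
    if "/login.jsp/" in path:
        reasons.append("path appended to login.jsp")
    if path.endswith("/fileRead.jsp"):
        files = parse_qs(parts.query).get("fileName", ["?"])
        reasons.append("fileRead.jsp fileName=" + files[0])
    return reasons


def scan(log_text):
    """Return (ip, status, reasons) for every log line that classify() flags."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := classify(m["target"])):
            hits.append((m["ip"], int(m["status"]), reasons))
    return hits


if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(ip, status, "; ".join(reasons))
```

A flagged line with status 200 means the device answered the request and should be triaged as a possible file disclosure, not just a probe.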

QuBits 2020-08-07
