How I Discovered an RCE Vulnerability in Tesla, Securing a $10,000 Bounty


Myself:

Hello folks, I hope you are all doing well. I am Raguraman (https://www.linkedin.com/in/raguramanhacker/), a Security Researcher, Bug Bounty Hunter, and CTF player from India. I have discovered bugs in Apple, Amazon, Oracle, and more. Welcome to my story about a remote code execution + authentication bypass vulnerability on Tesla.

Introduction:

Bug bounty programs provide a unique opportunity to explore the depths of cybersecurity, presenting challenges that often lead to intriguing discoveries. Recently, during my active engagement in testing, I uncovered a Remote Code Execution (RCE) + authentication bypass vulnerability in Tesla (CVE-2023-46747).

Let’s go…


On December 15, 2023, I disclosed a vulnerability that I had identified on an internal IP owned by Tesla. This was part of a Bug Bounty program where rewards were given for finding security vulnerabilities. I discovered an authentication bypass vulnerability in Tesla’s F5 BIG-IP, tracked as CVE-2023-46747. The vulnerability has a critical severity rating with a CVSS score of 9.8. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target system.

My Methodology:

“Reconnaissance is the initial step in bug hunting”.

1.) Gathered the in-scope domains.

2.) Initiated active and passive subdomain enumeration using various tools. For passive subdomain enumeration, I used subfinder with API keys from different services such as Shodan, Censys, Chaos, GitHub, Sublist3r, etc. For active subdomain enumeration, I employed the Best DNS Wordlist from Assetnote.

3.) Identified around 10,789 subdomains and IPs.

4.) The next step involved filtering out live domains based on their status codes.

5.) Quickly identified the internal IP running F5 BIG-IP and confirmed it using Wappalyzer.

6.) Here is where the actual journey begins.

Recently, I came across the F5 BIG-IP Unauthenticated Remote Code Execution Vulnerability (CVE-2023-46747).

CVE-2023-46747 is a critical vulnerability. It allows undisclosed requests to bypass authentication on the Configuration utility, enabling an attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.

Geared up, I discovered an endpoint, /mgmt/tm/util/bash, vulnerable to CVE-2023-46747.

The vulnerable endpoint /mgmt/tm/util/bash lets an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self-IP addresses execute arbitrary system commands.
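As an added, defender-side example that is not part of the original post: a small Python detector that parses Apache-style access log lines (assumed here to be the format the BIG-IP httpd writes) and flags successful hits on the /mgmt/tm/util/bash endpoint that come from outside a management allowlist or carry no authenticated user. The log lines and the 10.0.0.0/8 allowlist are constructed, and the "no user" heuristic assumes HTTP Basic auth usernames appear in the log.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access log lines (not real Tesla or F5 logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [15/Dec/2023:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 512
203.0.113.7 - - [15/Dec/2023:10:03:44 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 214
10.0.0.5 - admin [15/Dec/2023:10:05:10 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 190
10.0.0.9 - - [15/Dec/2023:10:05:58 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 180
198.51.100.9 - - [15/Dec/2023:10:06:31 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 0
"""

# Apache combined-log style: src ident user [ts] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Hypothetical allowlist of management networks permitted to reach iControl REST.
MGMT_ALLOW = [ip_network("10.0.0.0/8")]
SENSITIVE_PATH = "/mgmt/tm/util/bash"  # the command-execution endpoint named above


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return (source_ip, reason) alerts for successful util/bash requests that
    either originate outside the management allowlist or have no logged user."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != SENSITIVE_PATH:
            continue
        src = ip_address(rec["src"])
        from_mgmt = any(src in net for net in MGMT_ALLOW)
        success = rec["status"].startswith("2")
        if success and not from_mgmt:
            alerts.append((rec["src"], "util/bash success from outside mgmt allowlist"))
        elif success and rec["user"] == "-":
            alerts.append((rec["src"], "util/bash success with no authenticated user"))
    return alerts


if __name__ == "__main__":
    for src, reason in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

Rejected (401) requests are left out on purpose here; in practice a burst of them against this path is also worth alerting on as scanning activity.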

Once I confirmed the vulnerability, the next task was to find a proper exploit. Many exploit scripts are available, but several yield false positive results. Therefore, I opted for a Nuclei template for the exploit, and this approach yielded effective results.

7.) Exploit process for Remote Code Execution (RCE) and authentication bypass:

=> First, I ran Nuclei and then waited for the results.

=> BOOM…! RCE is working; I obtained the system ID, username, and password.


=> Next, I decided to increase the impact by exploiting an authentication bypass.

=> So, I navigated to $ip/mgmt/tm/util/bash, entered the username and password, and BOOM! I was redirected to the F5 BIG-IP admin panel on the internal network.


Next, I reported this issue to Tesla through their BugCrowd Bug Bounty Program.


Tesla has since fixed the issue, and I want to commend them for their responsiveness. This is an excellent example of a company that takes security seriously and rewards those who help them identify and fix issues.

Timeline:

December 15, 2023 — Submitted bug reports.

December 15, 2023 — Tesla marked it as triaged.

December 15, 2023 — Tesla verifies the vulnerability and begins the fixing process.

December 18, 2023 — Tesla marked it as resolved, and the Bounty 💸 was awarded.

I hope this will inspire you.

Originally published by MS17-010: How I Discovered an RCE Vulnerability in Tesla, Securing a $10,000 Bounty

Copyright notice: posted by admin on April 27, 2024 at 9:56 PM.
Please credit when reposting: How I Discovered an RCE Vulnerability in Tesla, Securing a $10,000 Bounty | CTF导航
