High
CVE-2022-43769
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows certain web services to set property values which contain Spring templates that are interpreted downstream.
Ratings
- Attacker Value: High
- Exploitability: Very High
Technical Analysis
This is a pretty cool vulnerability that affects Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x. In a nutshell, Pentaho offers some endpoints where administrators are able to test and configure LDAP connections. As mentioned in https://research.aurainfosec.io/pentest/pentah0wnage/, this is done by creating an XML-based bean definition using a combination of a base file and user provided parameters, which are then injected into the properties file without sanitization.
Unfortunately this properties file can be parsed by a variety of parsers, including the built-in Thymeleaf parser if a Thymeleaf template is included. By injecting a Thymeleaf template into one of the user parameters, one can utilize the ability of Thymeleaf templates to execute methods associated with Java classes to achieve arbitrary code execution by using the statement (java.lang.Runtime).getRuntime().exec() to get the existing Java runtime, and then call its exec() method to execute arbitrary code on the host.
This can then be used to exploit the target via a URL such as the following, which will open notepad.exe on the target:
http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a
Note that the parameters mgrDn and pwd are set to a, but they can be whatever you like and this will still work fine.
Now with that being said, normally this vulnerability would be limited in impact as you need to be an administrator to access these pages. However this can be worked around via https://attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939 aka CVE-2022-43939, which allows one to do an authentication bypass to access this page by appending require.js to the end of the URL. So the PoC would become this:
http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a
Note that this is not the only URL that works. Please refer to https://attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939 for more details on the regex in use and other potential ways CVE-2022-43939 could work, as URLs such as http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/requireAjs?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a could also be used to exploit this vulnerability as an unauthenticated user.
The impact of exploiting this vulnerability is that one will get code execution as the user running Hitachi Vantara Pentaho Business Analytics Server. Typically this user is a local administrator or one of the service accounts, which tend to have a fair amount of access to the underlying system. Whilst not the same as SYSTEM, it was noticed that the service account that one gains access to on a Windows device has sufficient permissions that one could elevate their privileges to SYSTEM using Named Pipe Impersonation (Printer Spooler Variant), aka technique 5 of Metasploit's getsystem command as detailed at https://github.com/rapid7/metasploit-framework/blob/01204106e98aacf4eb5a0537c21d5de46a240f0b/documentation/modules/post/windows/escalate/getsystem.md?plain=1#L73C9-L81
Overall this is a fairly severe vulnerability that could potentially lead to SYSTEM level compromise under the right conditions by an unauthenticated attacker. I would expect to see this being exploited in the wild soon if it is not already being exploited, so it is highly recommended to patch affected systems as soon as possible.
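As an added detection example (not part of this assessment, and not Pentaho's or Metasploit's code): a small Python scanner over constructed access-log lines that flags requests to the LDAP config endpoint whose query values carry a Spring expression marker, and also notes a trailing path segment after ldapTreeNodeChildren/, which is the shape of the CVE-2022-43939 bypass. The combined-log format, the sample lines and the marker list are assumptions.

```python
# Added example (not from the AttackerKB assessment): flag access-log requests that match the
# CVE-2022-43769 pattern (Spring expression in a query value sent to the Pentaho LDAP config
# API) and the CVE-2022-43939 trailing-segment bypass shape. Log format and samples are assumed.
import re
from urllib.parse import parse_qs, unquote, urlsplit

LDAP_CONFIG_PREFIX = "/pentaho/api/ldap/config/"
# Expression markers from the PoC: "#{" (URL-encoded as %23{) and the "T(" type reference.
EXPRESSION_MARKERS = ("#{", "T(")

# Constructed sample lines in Apache/Tomcat combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a HTTP/1.1" 200 512
10.0.0.6 - - [01/Mar/2023:10:00:02 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2023:10:00:03 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/?url=ldap://dc.example.local&mgrDn=cn=admin&pwd=x HTTP/1.1" 200 512
10.0.0.8 - - [01/Mar/2023:10:00:04 +0000] "GET /pentaho/Home HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def classify_request(target):
    """Return a list of findings for one request target (path + query); empty if benign."""
    findings = []
    parts = urlsplit(target)
    if not parts.path.startswith(LDAP_CONFIG_PREFIX):
        return findings
    # parse_qs already decodes %23 -> '#'; unquote again in case of double encoding.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if any(marker in unquote(v) for v in values for marker in EXPRESSION_MARKERS):
            findings.append(f"expression marker in parameter '{name}'")
    # Anything after ldapTreeNodeChildren/ is the CVE-2022-43939 auth-bypass shape.
    tail = parts.path.split("ldapTreeNodeChildren/", 1)
    if len(tail) == 2 and tail[1]:
        findings.append(f"unexpected trailing path segment '{tail[1]}' (auth-bypass shape)")
    return findings


def scan_log(text):
    """Return (client_ip, target, findings) for every suspicious line in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := classify_request(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(findings))
```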
General Information
Vendors
- hitachi
Products
- vantara pentaho business analytics server
- vantara pentaho business analytics server 9.4.0.0