This is a pretty cool vulnerability that affects Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x. In a nutshell, Pentaho offers some endpoints where administrators are able to test and configure LDAP connections. As mentioned in https://research.aurainfosec.io/pentest/pentah0wnage/, this is done by creating an XML-based bean definition using a combination of a base file and user provided parameters, which are then injected into the properties file without sanitization.

Unfortunately this properties file can be parsed by a variety of parsers, including the built in Thymeleaf parser if a Thymeleaf template is included. By injecting a Thymeleaf template into one of the user parameters, one can utilize the ability of Thymeleaf templates to execute methods associated with Java classes to achieve arbitrary code execution by using the statement (java.lang.Runtime).getRuntime().exec() to get the existing Java runtime, and then call its exec() method to execute arbitrary code on the host.

This can then be used to exploit the target via a URL such as the following, which will open notepad.exe on the target:

http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a

Note that the parameters mgrDn and pwd are set to a but they can be whatever you like and this will still work fine.

Now with that being said, normally this vulnerability would be limited in impact as you need to be an administrator to access these pages. However this can be worked around via https://attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939 aka CVE-2022-43939, which allows one to do an authentication bypass to access this page by appending require.js to the end of the URL. So the PoC would become this:

http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a

Note that this is not the only URL that works. Please refer to https://attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939 for more details on the regex in use and other potential ways CVE-2022-43939 could work, as URLS such as http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/requireAjs?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a could also be used to exploit this vulnerability as an unauthenticated user.

The impact of exploiting this vulnerability is that one will get code execution as the user running Hitachi Vantara Pentaho Business Analytics Server. Typically this user is a local administrator or one of the service accounts, which tend to have a fair amount of access to the underlying system. Whilst not the same as SYSTEM, it was noticed that the service account that one gains access to on a Windows device has sufficient permissions that one could elevate their privileges to SYSTEM using Named Pipe Impersonation (Printer Spooler Variant), aka technique 5 of Metasploit’s getsystem command as detailed at https://github.com/rapid7/metasploit-framework/blob/01204106e98aacf4eb5a0537c21d5de46a240f0b/documentation/modules/post/windows/escalate/getsystem.md?plain=1#L73C9-L81

Overall this is a fairly severe vulnerability that could potentially lead to SYSTEM level compromise under the right conditions by an unauthenticated attacker. I would expect to see this being exploited in the wild soon if it is not already being exploited, so it is highly recommend to patch affected systems as soon as possible.