Attacker Value: High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Network

CVE-2022-43769

Disclosure Date: April 03, 2023

Description

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream. 

Technical Analysis

This is a pretty cool vulnerability that affects Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x. In a nutshell, Pentaho offers some endpoints where administrators are able to test and configure LDAP connections. As mentioned in https://research.aurainfosec.io/pentest/pentah0wnage/, this is done by creating an XML-based bean definition using a combination of a base file and user provided parameters, which are then injected into the properties file without sanitization.

Unfortunately this properties file can be parsed by a variety of parsers, including the built in Thymeleaf parser if a Thymeleaf template is included. By injecting a Thymeleaf template into one of the user parameters, one can utilize the ability of Thymeleaf templates to execute methods associated with Java classes to achieve arbitrary code execution by using the statement (java.lang.Runtime).getRuntime().exec() to get the existing Java runtime, and then call its exec() method to execute arbitrary code on the host.

This can then be used to exploit the target via a URL such as the following, which will open notepad.exe on the target:

http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a

Note that the parameters mgrDn and pwd are set to a but they can be whatever you like and this will still work fine.

Now with that being said, normally this vulnerability would be limited in impact as you need to be an administrator to access these pages. However this can be worked around via https://attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939 aka CVE-2022-43939, which allows one to do an authentication bypass to access this page by appending require.js to the end of the URL. So the PoC would become this:

http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a

Note that this is not the only URL that works. Please refer to https://attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939 for more details on the regex in use and other potential ways CVE-2022-43939 could work, as URLs such as http://127.0.0.1:8080/pentaho/api/ldap/config/ldapTreeNodeChildren/requireAjs?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a could also be used to exploit this vulnerability as an unauthenticated user.

The impact of exploiting this vulnerability is that one will get code execution as the user running Hitachi Vantara Pentaho Business Analytics Server. Typically this user is a local administrator or one of the service accounts, which tend to have a fair amount of access to the underlying system. Whilst not the same as SYSTEM, it was noticed that the service account that one gains access to on a Windows device has sufficient permissions that one could elevate their privileges to SYSTEM using Named Pipe Impersonation (Printer Spooler Variant), aka technique 5 of Metasploit’s getsystem command as detailed at https://github.com/rapid7/metasploit-framework/blob/01204106e98aacf4eb5a0537c21d5de46a240f0b/documentation/modules/post/windows/escalate/getsystem.md?plain=1#L73C9-L81

Overall this is a fairly severe vulnerability that could potentially lead to SYSTEM level compromise under the right conditions by an unauthenticated attacker. I would expect to see this being exploited in the wild soon if it is not already being exploited, so it is highly recommended to patch affected systems as soon as possible.
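Added example (not part of the assessment above or of any Pentaho code): a small access-log scanner that flags requests to the LDAP configuration endpoint whose decoded query values carry SpEL/Thymeleaf expression markers, and separately flags the static-resource suffix trick from CVE-2022-43939. It assumes Tomcat-style Common Log Format lines; the sample lines, the heuristic suffix pattern and the reason labels are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample log lines (not from the page): an exploit attempt using the
# require.js suffix, a legitimate admin LDAP connection test, and a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2023:10:01:02 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.lang.Runtime).getRuntime().exec('notepad.exe')}&mgrDn=a&pwd=a HTTP/1.1" 200 512
10.0.0.7 - - [03/Apr/2023:10:02:15 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/?url=ldap://ldap.example.internal:389&mgrDn=cn=svc,dc=example&pwd=x HTTP/1.1" 200 2048
10.0.0.9 - - [03/Apr/2023:10:03:44 +0000] "GET /pentaho/content/common-ui/resources/web/require.js HTTP/1.1" 200 100
"""

# Assumed Common Log Format (Tomcat AccessLogValve "common" pattern).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
LDAP_CONFIG_PREFIX = "/pentaho/api/ldap/config/"
# Expression markers that should never appear in an LDAP URL, manager DN or password:
# "#{" opens a SpEL expression, "T(" is a type reference, getRuntime()/exec( are the payload.
SPEL_RE = re.compile(r"#\{|\bT\(|getRuntime\(\)|\.exec\(")
# Heuristic (assumption): matches the two bypass suffixes shown in the assessment,
# require.js and requireAjs; the unescaped "." covers both. See the CVE-2022-43939
# page for the product's actual regex.
BYPASS_SUFFIX_RE = re.compile(r"require.js$", re.IGNORECASE)


def analyse_line(line):
    """Return a finding dict for LDAP-config requests, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.startswith(LDAP_CONFIG_PREFIX):
        return None
    reasons = []
    # parse_qsl percent-decodes once (%23 -> '#'); unquote again to catch double encoding.
    values = [unquote(v) for _, v in parse_qsl(query, keep_blank_values=True)]
    if any(SPEL_RE.search(v) for v in values):
        reasons.append("spel_in_ldap_param")
    if BYPASS_SUFFIX_RE.search(path):
        reasons.append("static_suffix_bypass")
    return {"src": m.group("src"), "path": path, "status": m.group("status"), "reasons": reasons}


def scan(log_text):
    """Return only the findings that have at least one reason attached."""
    findings = (analyse_line(line) for line in log_text.splitlines())
    return [f for f in findings if f and f["reasons"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A legitimate LDAP test by an administrator produces a finding with an empty reason list and is therefore not reported; only expression markers or the suffix trick raise it.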

CVSS V3 Severity and Metrics
Base Score:
7.2 High
Impact Score:
5.9
Exploitability Score:
1.2
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • hitachi

Products

  • vantara pentaho business analytics server
  • vantara pentaho business analytics server 9.4.0.0