| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Jun 2023 14:42:56 +1000 From: Luke Symons <rezkon93@...il.com> To: fulldisclosure@...lists.org Subject: [FD] ServiceNow Account Takeover to Full Admin Compromise 1. INFORMATION -------------- [+] CVE : CVE-2022-43684 [+] Title : Insecure Access Control To Full Admin Compromise [+] Vendor : ServiceNow [+] Publication date : June 2023 [+] Credits : Luke Symons, Tony Wu, Eldar Marcussen, Gareth Phillips, Jeff Thomas, Nadeem Salim, and Stephen Bradshaw. 2. AFFECTED VERSIONS -------------------- * Quebec prior to Patch 10 Hot Fix 8b * Rome prior to Patch 10 Hot Fix 1 * San Diego prior to Patch 7 * Tokyo prior to Tokyo Patch 1; and * Utah prior to Utah General Availability 3. DETAILS ---------- ServiceNow is a cloud-based platform that provides service management software as a service (SaaS). It is used by a millions of companies worldwide, and specializes in IT Service Management (ITSM), IT Operations Management (ITOM), and IT Business Management (ITBM). It allows users to manage incidents, service requests, problems, and changes within the IT infrastructure of a business. It also provides a self-service portal where end users can request IT services and log issues. During a security audit it was identified that a threat actor could exploit a access control issue and a number of other vulnerabilities and chain them together in a ServiceNow instance leading to an effective account takeover to obtain administrative access on the platform as a low privileged user. An XHR request to xmlhttp.do with the "ChartDataProcessor" processor in the POST request allows the enumeration of the ServiceNow GQL database, including read access to the `sys_user_session` and `sys_user_token` tables, which provide the necessary information to generate valid `glide_user_activity` and `glide_session_store` cookies, and the X-Usertoken header to allow privilege escalation to any previously authenticated user. 4. Information ---- A blog writeup detailing the vulnerablties and issues aswell as a proof of concept can be accessed at https://x64.sh/posts/ServiceNow-Insecure-access-control-to-admin/ 5. Remediation ---- ServiceNow has released patches and an upgrade that address an Access Control List (ACL) bypass issue in ServiceNow Core functionality. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists