------------------------------------------------------------------------ SySS Security Advisory: Blue Prism Robotic Process Automation (RPA) - Privilege Escalation ------------------------------------------------------------------------ Advisory ID: SYSS-2019-002 Product: Blue Prism Robotic Process Automation (RPA) Manufacturer: Blue Prism Affected Version(s): Before 6.5.0.12573 Tested Version(s): 6.4.0.8445, Before 6.5.0.12573 Vulnerability Type: Improper Access Control (CWE-284) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2019-02-01 Solution Date: Around 2019-05-10 Public Disclosure: 2019-05-22 CVE Reference: CVE-2019-11875 Author of Advisory: Benjamin Hess, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Blue Prism is an RPA platform that enables companies to manage and deploy their digital workforce composed of software robots. The manufacturer describes the product as follows (see [1]): "Blue Prism Digital Workers have Intelligent Automation Skills that make it easier than ever for organizations to leverage technologies that deliver true operational agility." Due to a missing permission check for certain actions on the server side the software is vulnerable to privilege escalation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: A vulnerability in the access control of the software can be exploited to escalate privileges. The vulnerability allows for abusing the application for fraud or unauthorized access to certain information. The attack requires a valid user account to connect to the Blue Prism server, but the roles associated to this account are not required to have any permissions. First of all, the application files are modified to grant full permissions on the client side. In a test environment (or his own instance of the software) an attacker is able to grant himself full privileges also on the server side. He can then, for instance, create a process with malicious behavior and export it to disk. With the modified client, it is possible to import the exported file as a release and overwrite any existing process in the database. Eventually, the bots execute the malicious process. The server does not check the user's permissions for the aforementioned actions, such that a modification of the client software enables this kind of attack. Possible scenarios may involve changing bank accounts or setting passwords. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Using the tool dnSpy [2] the "AutomateAppCore.dll" can be decompiled and modified. The namespace "BluePrism.AutomateAppCore.Auth" contains the class "User". The body of the member function with prototype public bool HasPermission(ICollection<Permission> perms) needs to be changed to: return true; After compiling the modified assembly and replacing the original library file, the client grants access to all menus and buttons regardless of the role of the logged in user. One can now start the software and sign in to the desired target. It is then possible to open the tab "Releases", where one may create new packages or modify existing ones, create new releases or import a release from disk. By performing a right-click in the tree with the releases, one can choose "Import release" and select the corresponding file on disk. If the file contains a process from the current database that was modified in a malicious way, the process in the database is overwritten. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer fixed the vulnerability in version 6.5.0.12573. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2019-01-30: Vulnerability discovered 2019-02-01: Vulnerability reported to manufacturer 2019-05-10: It was found that the bug was fixed by the manufacturer 2019-05-15: Manufacturer confirmed affected versions 2019-05-22: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Blue Prism Robotic Process Automation https://www.blueprism.com/product [2] dnSpy debugger and .NET assembly editor https://github.com/0xd4d/dnSpy [3] SySS Security Advisory SYSS-2019-002 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-002.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Benjamin Hess of SySS GmbH. E-Mail: benjamin.hess@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Benjamin_Hess.asc Key ID: 0x1331325C Key Fingerprint: D73C 3C3D 746C 66C3 D0AE BED8 7FD5 638E 1331 325C ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en